Thursday, November 22, 2012 12:59 PM
I'm looking for a way to restrict certain domain accounts (Domain Admins, Enterprise Admins, etc.) .
Is it possible in a Windows Active Directory environment
to allow certain AD user account to logon to AD only, if they are
coming (source IP) from a particular IP address/machine name. Or to
put it differently, I want Kerberos to issue tickets (TGTs, STs) for certain
accounts only, if the client issuing the authentication request is in
a particular IP/IP-band/machine name.
Maybe any third-party products that allow such settings?
Thursday, November 22, 2012 7:27 PM
All members of those groups (Domain Admins, Enterprise Admins) must be trusted. Anything you do to restrict their permissions, they can undo (or workaround). Membership in these groups should be limited for this reason. Best is to give people the permissions they need for their jobs without making them members of these groups, using delegation.
Richard Mueller - MVP Directory Services
- Proposed As Answer by Sandesh DubeyMicrosoft Community Contributor Thursday, November 22, 2012 7:33 PM
Thursday, November 22, 2012 7:37 PMAgreed with richard if you want users to manage AD then delegate permission instead of adding the user to domain/enterprise groups.
How to Delegate Basic Server Administration To Junior Administrators http://support.microsoft.com/kb/555986
Best Practices for Delegating Active Directory Administration http://www.microsoft.com/en-us/download/details.aspx?
Hope this helps
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Friday, November 23, 2012 7:26 AM
What you are trying to ask like the user can login from there domain only, not from any other domain..???
If yes then if you want to restrict domain please try out these steps.
Go at Native Windows Active Directory > user properties > dial –in > you can assign the ip address at statics IP options.
Once assigning the IP Address the user can login from his domain only.
For third party tool I can recommend you go for Lepide Active Management and Reporting tool as just by simple few clicks at its user properties you can restrict domain a/c of user. Download its free version and test out the product.
I hope this works well for you.
- Edited by jeorge book Friday, November 23, 2012 7:26 AM
Friday, November 23, 2012 8:15 AM
thanks for your reply. The dial-in property only affects dial-in connections. This is not what I was looking for! I'll have a look at the tool you were recommending - thanks for that,
Friday, November 23, 2012 8:23 AM
I totally agree with you on trusting Domain, Enterprise Admins. But that was actually not my question. When you have a dedicated admin subnet and dedicated admin accounts, it would be a great security boost if you could say: my enterprise admin accounts can only logon to AD if their client is in this dedicated admin subnet. There is no reason for using domain/enterprise admin account from e.g. the office subnet! So if someone on a client in the office subnet does something like starting AD users and Computers and connect a DC as Enterprise Admin, this should simply not work!
Hope I did cause more confusion :-)
Saturday, November 24, 2012 3:54 PM
Anything you do to restrict where an admin user can logon, or what applications they run, can be reversed by an admin user. While you can't prevent this activity, maybe you could "encourage" them not to do these things.
There certainly is no easy or builtin functionality for this. However, you could give them a logon script that checks the subnet. If the subnet is "office", either logoff or display a message. Or you could apply a group policy that prevents the user from running ADUC. Maybe you can have this policy apply when they logon to a computer in the "office" site, but not the "admin" site.
Richard Mueller - MVP Directory Services
- Marked As Answer by Arthur_LiMicrosoft Contingent Staff, Moderator Monday, December 03, 2012 4:00 AM
Monday, November 26, 2012 1:29 PM
interesting suggestion - after thinking about it for sometime I came to the conclusion that running a logon script is probably not what I want - for two reasons:
1) logon scripts only after interactive logon (right? could not 100% confirm that, but I don't think those scripts are executed when I make a network connect to a fileserver)
2) logon scripts run on the client and not on the server. From what I read you can also suppress script execution if you control the client.
However, Richard's idea pointed me in the right direction. Windows can execute scheduled tasks triggered by certain Windows event log events. Thus I can run a script whenever certain Kerberos / NTLM authentication events appear! This is a MacGyver style workaround and I don't think it is very practical but it is at least a nice idea!