Sign in
 
HomeWindows Server 2012Windows Server 2008 R2Windows Server 2003LibraryForums
Windows Server TechCenter >
Restrict administrative accounts

Answered Restrict administrative accounts

  • Thursday, November 22, 2012 12:59 PM
     
     
    Sign In to Vote
    0

    Hi,

    I'm looking for a way to restrict certain domain accounts (Domain Admins, Enterprise Admins, etc.) .

    Is it possible in a Windows Active Directory environment
    to allow certain AD user account to logon to AD only, if they are
    coming (source IP) from a particular IP address/machine name. Or to
    put it differently, I want Kerberos to issue tickets (TGTs, STs) for certain
    accounts only, if the client issuing the authentication request is in
    a particular IP/IP-band/machine name.

    Maybe any third-party products that allow such settings?

    Regards,

    Michael

     

All Replies

  • Thursday, November 22, 2012 7:27 PM
     
     Proposed Answer
    Sign In to Vote
    0

    All members of those groups (Domain Admins, Enterprise Admins) must be trusted. Anything you do to restrict their permissions, they can undo (or workaround). Membership in these groups should be limited for this reason. Best is to give people the permissions they need for their jobs without making them members of these groups, using delegation.

    Richard Mueller - MVP Directory Services

     
  • Thursday, November 22, 2012 7:37 PM
     
     Proposed Answer
    Sign In to Vote
    1
    Agreed with richard if you want users to manage AD then delegate permission instead of adding the user to domain/enterprise groups.

    How to Delegate Basic Server Administration To Junior Administrators  http://support.microsoft.com/kb/555986

    Best Practices for Delegating Active Directory Administration  http://www.microsoft.com/en-us/download/details.aspx?

    Hope this helps

    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.


     
  • Friday, November 23, 2012 7:26 AM
     
     
    Sign In to Vote
    4

    What you are trying to ask like the user can login from there domain only, not from any other domain..???

    If yes then if you want to restrict domain please try out these steps.

    Go at Native Windows Active Directory > user properties > dial –in > you can assign the ip address at statics IP options.

    Once assigning the IP Address the user can login from his domain only.

    For third party tool I can recommend you go for Lepide Active Management and Reporting tool as just by simple few clicks at its user properties you can restrict domain a/c of user. Download its free version and test out the product.

    I hope this works well for you.


    • Edited by jeorge book Friday, November 23, 2012 7:26 AM
    •  
     
  • Friday, November 23, 2012 8:15 AM
     
     
    Sign In to Vote
    0

    Hi,

    thanks for your reply. The dial-in property only affects dial-in connections. This is not what I was looking for! I'll have a look at the tool you were recommending - thanks for that,

    Michael

     
  • Friday, November 23, 2012 8:23 AM
     
     
    Sign In to Vote
    0

    Richard,

    I totally agree with you on trusting Domain, Enterprise Admins. But that was actually not my question. When you have a dedicated admin subnet and dedicated admin accounts, it would be a great security boost if you could say: my enterprise admin accounts can only logon to AD if their client is in this dedicated admin subnet. There is no reason for using domain/enterprise admin account from e.g. the office subnet! So if someone on a client in the office subnet does something like starting AD users and Computers and connect a DC as Enterprise Admin, this should simply not work!

    Hope I did cause more confusion :-)

    Regards,

    Michael

     
  • Saturday, November 24, 2012 3:54 PM
     
     Answered
    Sign In to Vote
    1

    Anything you do to restrict where an admin user can logon, or what applications they run, can be reversed by an admin user. While you can't prevent this activity, maybe you could "encourage" them not to do these things.

    There certainly is no easy or builtin functionality for this. However, you could give them a logon script that checks the subnet. If the subnet is "office", either logoff or display a message. Or you could apply a group policy that prevents the user from running ADUC. Maybe you can have this policy apply when they logon to a computer in the "office" site, but not the "admin" site.

    Richard Mueller - MVP Directory Services

     
  • Monday, November 26, 2012 1:29 PM
     
     
    Sign In to Vote
    0

    Hi,

    interesting suggestion - after thinking about it for sometime I came to the conclusion that running a logon script is probably not what I want - for two reasons:

    1) logon scripts only after interactive logon (right? could not 100% confirm that, but I don't think those scripts are executed when I make a network connect to a fileserver)

    2) logon scripts run on the client and not on the server. From what I read you can also suppress script execution if you control the client.

    However, Richard's idea pointed me in the right direction. Windows can execute scheduled tasks triggered by certain Windows event log events. Thus I can run a script whenever certain Kerberos / NTLM authentication events appear! This is a MacGyver style workaround and I don't think it is very practical but it is at least a nice idea!

    Thanks,

    Michael