OU for administrative accounts - Security

  • Question

  • Our AD environment was designed to have our administrator accounts (ie. the accounts the Helpdesk team uses for logging into servers/workstations/etc) in a separate OU from everything else. Permission to this OU was then really locked down. Authenticated users can't even READ for this OU.

    A sub-OU was then created to host service accounts we make. It looks something like this:

    OU=Admin Accounts,DC=company,DC=com
    OU=Service Accounts,OU=Admin Accounts,DC=company,DC=com


    As we start to put clustering in place, this is posing an issue. For example:

    Microsoft-Windows-GroupPolicy(1101 - None): The processing of Group Policy failed. Windows could not locate the directory object OU=Service AccountsOU=Admin AccountsDC=companyDC=com. Group Policy settings will not be enforced until this event is resolved. View the event details for more information on this error.

    I'm thinking that there's no real point in hiding this OU and the members, but before I open up access, does MS have any specific guidance on segregating Admin/Service accounts and the security settings that should be used?

    Thanks,

    Greg

    I should note that we only have internal users (company staff) in our AD. Thanks for reminding me to clarify this, Paul.

    Tuesday, May 21, 2013 11:43 AM
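    The failure in the question comes down to whether the computer account can list and read its way down the OU chain. The script below audits exactly those rights on each level of the Service Accounts OU path and includes a helper that grants them to one group instead of reopening the OU to Authenticated Users. This is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module and its AD: drive, and the group name it takes is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (AD: drive) and read access to the OU ACLs. OU DNs come from the
# question; the group name passed to Grant-OuReadAccess is a placeholder.
Import-Module ActiveDirectory

$Rights = [System.DirectoryServices.ActiveDirectoryRights]

# Group Policy must be able to find the computer's OU chain and read it:
# List Contents on each container and Read Property on the OU itself.
$NeededRights = $Rights::ListChildren -bor $Rights::ReadProperty

# Walk from the OU up to the domain root and report, per level, which of
# the needed rights are allowed or denied to the given identity.
function Get-OuChainAccess {
    param(
        [string]$DistinguishedName,
        [string]$Identity = 'NT AUTHORITY\Authenticated Users'
    )
    $dn = $DistinguishedName
    while ($dn -match '^OU=') {
        $acl  = Get-Acl -Path "AD:\$dn"
        $aces = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Identity -and
            (($_.ActiveDirectoryRights -band $NeededRights) -ne 0)
        }
        [pscustomobject]@{
            OU      = $dn
            Allowed = ($aces | Where-Object AccessControlType -eq 'Allow' |
                       ForEach-Object { $_.ActiveDirectoryRights }) -join '; '
            Denied  = ($aces | Where-Object AccessControlType -eq 'Deny' |
                       ForEach-Object { $_.ActiveDirectoryRights }) -join '; '
        }
        # Drop the leftmost RDN to move to the parent (no escaped commas assumed).
        $dn = $dn -replace '^[^,]+,', ''
    }
}

# Grant only the rights above, on one OU, to a specific group.
function Grant-OuReadAccess {
    param([string]$DistinguishedName, [string]$GroupName)
    $group = Get-ADGroup -Identity $GroupName
    $acl   = Get-Acl -Path "AD:\$DistinguishedName"
    $ace   = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $group.SID, $NeededRights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

Get-OuChainAccess -DistinguishedName 'OU=Service Accounts,OU=Admin Accounts,DC=company,DC=com' |
    Format-Table -AutoSize
```

    A level that shows an empty Allowed column (or any Deny) for Authenticated Users is where a cluster node's computer account will fail to locate the object unless it is covered by another ACE or by List Object mode.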

Answers

  • There are no special rules that are required. I have hidden many OUs without an issue; I have used the list mode feature:
    http://windowsitpro.com/active-directory/hiding-data-active-directory-part-3-enabling-list-object-mode-forest

    Not sure why you want to hide your objects, and for internal users I don't really see the need, but if you are servicing external users then I think it is a good idea to expose as little data/objects as you can. I have built special groups that are the only ones that are allowed to see OUs, and the rest of the users are only granted access to the OUs they need. It took me quite a while to get it all worked out and I would post it, but it is considered company confidential.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs
    http://blogs.dirteam.com/blogs/paulbergson

    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Tuesday, May 21, 2013 11:57 AM