Segmenting which IT admins can access various servers

    Question

  • Hi,

    We have a couple dozen servers in our environment and right now, all IT admins can access all servers because all IT admins are part of the Domain Admins group and every server has "Domain Admins" as part of the local Administrators group on that server.  Or at least that is how the permissions are being granted from what I can tell.

    But I would like to change it so that this is split between senior admins and regular admins.  This is what I would envision:

    - These groups in AD:

    - Senior Admins

    - Regular Admins

    and then for the servers:

    - Critical Servers (or something to denote domain controllers, Exchange server etc)

    - Non-Critical Servers (file servers, utility servers etc)

    Then the IT people get put into the first 2 groups and the servers go into one of the server groups.

    Then I suppose that one of the two server groups goes into the local Administrators group on each server so that each person can RDC into the servers that they need to work on and have full rights to work on that server.

    Is this the correct way to do this or is there something built-in within AD groups to do the same?

    Thanks.

    Thursday, June 14, 2018 9:54 PM

Answers

  • Removing Domain Admins from the local administrators group on domain joined machines is likely to cause all sorts of trouble for regular domain operations.

    A better solution is to remove all of your IT admins from the Domain Admins group.  Then create your two admin groups (Senior and Regular) and place only the Senior Admins group into the Domain Admins group.  Place all other admins into the Regular Admins group.  That way you are not mucking around with the built-in Domain Admins group and how it is used in a domain environment.

    The only thing to remember here is that as a user with admin privileges, a knowledgeable user can always elevate their privileges.  So you will need some auditing and personnel policies in place to ensure consequences if a privileged user misuses their privileges.


    tim

    Friday, June 15, 2018 12:35 PM

All replies

  • Hi,

    Thanks for your question.

    Yes! We could implement your desired setup by following these steps.

    1 Create two groups for Senior Admins and Regular Admins in AD.

    2 We need to remove the domain group domain admins from local group administrators both on the critical servers and non-critical servers as below.

    3 Then, we add the group senior admins to local administrators of critical servers, and add the group regular admins to local administrators of non-critical servers.

    4 If there are many servers in the domain and we'll need to configure each server, we could create a GPO for these servers as the following shows. By the way, we need to apply it to the target groups.

    Hope the above information can help you.  If you have any questions or concerns, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, June 15, 2018 9:41 AM
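An added PowerShell example, not code from either reply: it scripts the group layout tim recommends (Senior Admins nested in Domain Admins, everyone else in Regular Admins) together with step 3 of Michael's reply (Regular Admins granted local Administrators on non-critical servers), but leaves Domain Admins in each server's local Administrators group as tim advises. It assumes the RSAT ActiveDirectory module, PowerShell Remoting to the servers, and that the OU path, hostnames and user list are placeholders to replace with your own.

```powershell
# Added example, not code from the thread: scripts tim's group design plus the
# per-tier local Administrators change from Michael's step 3, while leaving
# Domain Admins in every server's local Administrators group as tim advises.
# Assumes the RSAT ActiveDirectory module, PowerShell Remoting to the servers,
# and that the OU path, hostnames and user list below are placeholders.
Import-Module ActiveDirectory

$ouPath       = 'OU=Admin Groups,DC=corp,DC=example'   # placeholder OU
$seniorGroup  = 'Senior Admins'
$regularGroup = 'Regular Admins'
$seniorUsers  = @('alice', 'bob')                       # placeholder: who is senior
$nonCritical  = @('FS01', 'UTIL01')                     # placeholder: non-critical servers

# 1. Create the two tier groups if they do not already exist.
foreach ($name in $seniorGroup, $regularGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $ouPath
    }
}

# 2. Only the Senior Admins group is nested in Domain Admins.
Add-ADGroupMember -Identity 'Domain Admins' -Members $seniorGroup

# 3. Move each user who is a direct member of Domain Admins into a tier group,
#    then drop the direct membership. The built-in Administrator (RID 500)
#    is left alone as a break-glass account.
$direct = Get-ADGroupMember -Identity 'Domain Admins' |
    Where-Object { $_.objectClass -eq 'user' -and $_.SID.Value -notlike '*-500' }
foreach ($u in $direct) {
    $tier = if ($seniorUsers -contains $u.SamAccountName) { $seniorGroup } else { $regularGroup }
    Add-ADGroupMember -Identity $tier -Members $u
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $u -Confirm:$false
}

# 4. Regular Admins get local admin on the non-critical servers only. The
#    membership is read back afterwards so the result can be verified and kept
#    as an audit record.
$grp = "$((Get-ADDomain).NetBIOSName)\$regularGroup"
Invoke-Command -ComputerName $nonCritical -ArgumentList $grp -ScriptBlock {
    param($grp)
    $members = Get-LocalGroupMember -Group 'Administrators'
    if (-not ($members | Where-Object { $_.Name -eq $grp })) {
        Add-LocalGroupMember -Group 'Administrators' -Member $grp
    }
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object @{ n = 'Server'; e = { $env:COMPUTERNAME } }, Name, ObjectClass
}
```

Run it from an account that will stay privileged through the Senior Admins group, and keep the returned membership listing with your change record so later drift in local Administrators is easy to spot.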