Restricting Domain Admins' ability to edit Global Group membership

    Hi There,

    I was googling the above issue when I found these forums through a similar post; however, it came close to our issue but not exactly.

    In our organisation we have way too many Domain Admins on the network. We've been fighting within the IT Department for many years about reducing the number of Domain Admins, but like so many other things, politics maintains the status quo.

    However, we have a system where only the Access Management team has the authorisation to make changes to Global Group membership. Global Group membership is how we control access to virtually everything, and only after a process of two approvals by two levels of management are any global groups added to a user. However, because so many people within IT have Domain Admin, they technically have the ability to add people to groups, but they shouldn't be doing it. As you've probably guessed at this stage, they do make changes to the groups.

    We have a reporting utility that sends us emails when people outside of the Access Management team make changes to Global Group membership, so that we know who changes what and when. However, it has happened too many times now and we want to take action.

    If they're not willing to examine what permissions they need to have instead of Domain Admin, then we want to prevent them from making group membership changes.

    I know a group can be made which will grant the ability to add global group membership, and therefore a group can be made which would deny that access to people, but if I apply that group to an account which has Domain Admin, would that stop the account from changing any Global Group membership?

    You can mess around with deny permissions, but the bottom line is that if they're Domain Admins there's nothing to stop them from taking control back and doing what they want.

    The real solution is using the principle of least privilege.

    Network Consultant/Engineer
    Baltimore - Washington area and beyond


      Take domain administration off everyone. Full stop.
      Have a proper "administrator" account that no one can access.
      Create a second one as a spare key, if you so desire.

      All the other "domain admins": work out what they need access to.
      Then create a new "admin" account for them, i.e. you'd have TehCamel and TehCamel_Administrator.
      The normal user account has no special privileges.
      The _Administrator account belongs to various groups, depending on what their responsibilities are (i.e. data managers wouldn't need access to amend Sites and Services).

      Then delegate rights to the appropriate groups, based on what they need.
      Ensure that only your Identity Access team can add people to the administrator groups.

      Please do show your appreciation to those who assist you by leaving Rep Points
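The delegation model the second reply describes (a dedicated `_Administrator` account per person, rights granted to a group, and only the access team able to write group membership) can be expressed as an explicit ACL on the OU that holds the access-control groups. The script below is an added example written for this thread; it is not code from any of the posters. The OU `OU=Access Groups,DC=corp,DC=example`, the delegation group `AccessMgmt-GroupAdmins` and the account names are assumed placeholders, and it assumes the RSAT ActiveDirectory module is available. It does not fix the problem the first reply points out: anyone who keeps Domain Admin can still override this, so the delegation only means something once the surplus Domain Admin memberships are removed.

```powershell
# Added example (not from the thread). Delegates "write the member attribute
# of group objects" under one OU to a single team group, then verifies it.
# Assumed placeholders: the OU, the delegation group and the user names.
Import-Module ActiveDirectory

$GroupsOu      = "OU=Access Groups,DC=corp,DC=example"   # assumed OU holding the global groups
$DelegateGroup = "AccessMgmt-GroupAdmins"                 # assumed group for the Access Management team

# Resolve schemaIDGUIDs from the schema partition rather than hard-coding them.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc `
                        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    return New-Object System.Guid (,[byte[]]$obj.schemaIDGUID)
}

$memberAttrGuid = Get-SchemaGuid -LdapDisplayName 'member'   # attribute being delegated
$groupClassGuid = Get-SchemaGuid -LdapDisplayName 'group'    # restrict the ACE to group objects

# Step 1 (from the reply): a separate admin account, kept out of Domain Admins,
# whose only elevated right comes from membership of the delegation group.
# "TehCamel" is the example user named in the reply; the rest is assumed.
New-ADUser -Name "TehCamel_Administrator" -SamAccountName "TehCamel_Administrator" `
           -Path "OU=Admin Accounts,DC=corp,DC=example" -Enabled $false   # enable after a password is set
Add-ADGroupMember -Identity $DelegateGroup -Members "TehCamel_Administrator"

# Step 2: grant the team WriteProperty on 'member' for every group under the OU.
$sid = (Get-ADGroup -Identity $DelegateGroup).SID
$acl = Get-Acl -Path ("AD:\" + $GroupsOu)

$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClassGuid)

$acl.AddAccessRule($rule)
Set-Acl -Path ("AD:\" + $GroupsOu) -AclObject $acl

# Step 3: verify who can now write 'member' on groups under the OU. Anything
# beyond the delegation group (and the built-in admin SIDs) is a finding.
(Get-Acl -Path ("AD:\" + $GroupsOu)).Access |
    Where-Object { $_.ObjectType -eq $memberAttrGuid -and
                   $_.ActiveDirectoryRights -match 'WriteProperty' } |
    Select-Object IdentityReference, AccessControlType, InheritanceType
```

The verification query at the end is the useful part for the original poster's situation: run it over the groups OU and the admin-groups OU and compare the result against the list of who is supposed to hold that right. Domain Admins will always appear implicitly through their built-in control of the directory, which is why the reply's first step (removing people from Domain Admins) has to come before the delegation means anything.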