Restrict Access to Domain Admin/Admin Group for all

  • Restrict Access to Domain Admin/Admin Group for all

    Hello Everyone,

    We have a pretty old setup which was managed by our client. They could not manage it anymore and they have outsourced the entire datacentre to us.
    Everything is messed up right now. Nothing is in place correctly and I have taken charge of it too.

    It's a 5000-10000 user environment with 5 forests, each with a single domain (yes, 5 forest root domains). The company kept acquiring other companies and, instead of making each one a child domain, every company acquired has been made a forest, and forest trusts have been created among them.

    Every Tom, Dick or Harry has access to Domain Admin. Even a service desk guy has been added to Domain Admins or other sensitive groups.

    The first and foremost change I thought of making to the environment is to restrict the access of unwanted people to the DC and other servers, and to give the least access required to perform their work.

    How can I start achieving this? I need your help/suggestions on how I should plan to go ahead.

    Thanks in Advance

  • #2
    Re: Restrict Access to Domain Admin/Admin Group for all

    Document who has domain admin now
    Document what permissions they need
    Create new, properly scoped, groups
    Add users
    Remove from domain admin

    (the risk is that if you remove them from domain admins right now, they can't do their jobs properly)
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd

    ** Remember to give credit where credit is due and leave reputation points where appropriate **
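
The first step in the reply above, documenting who holds Domain Admin today, can be scripted once per forest root domain. This is an added example, not part of the original posts; it assumes the ActiveDirectory PowerShell module (RSAT) and read access across the forest trusts, and the domain names, the `RequiredAccess` column and the output path are placeholders.

```powershell
# Added example: inventory of privileged group membership in each forest root domain.
Import-Module ActiveDirectory

# Placeholder DNS names: replace with the five forest root domains.
$Domains = 'forest1.example', 'forest2.example', 'forest3.example',
           'forest4.example', 'forest5.example'

# Look groups up by well-known RID so renamed groups are still found.
$PrivilegedRids = @{ 512 = 'Domain Admins'; 518 = 'Schema Admins'; 519 = 'Enterprise Admins' }

$report = foreach ($domain in $Domains) {
    try {
        $domainSid = (Get-ADDomain -Server $domain -ErrorAction Stop).DomainSID.Value
    } catch {
        Write-Warning "Cannot query ${domain}: $($_.Exception.Message)"
        continue
    }
    foreach ($rid in $PrivilegedRids.Keys) {
        try {
            $group = Get-ADGroup -Identity "$domainSid-$rid" -Server $domain -ErrorAction Stop
            # -Recursive flattens nested groups, so indirect members are listed too.
            $members = Get-ADGroupMember -Identity $group -Server $domain -Recursive -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read $($PrivilegedRids[$rid]) in ${domain}: $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            # Enabled/LastLogonDate show stale or disabled accounts that can be removed first.
            $user = if ($m.objectClass -eq 'user') {
                Get-ADUser -Identity $m.SID -Server $domain -Properties LastLogonDate, Description
            }
            [pscustomobject]@{
                Domain         = $domain
                Group          = $PrivilegedRids[$rid]
                Member         = $m.SamAccountName
                ObjectClass    = $m.objectClass
                Enabled        = $user.Enabled
                LastLogonDate  = $user.LastLogonDate
                Description    = $user.Description
                RequiredAccess = ''   # filled in by hand: what this person actually needs
            }
        }
    }
}

$report | Sort-Object Domain, Group, Member |
    Export-Csv -Path .\privileged-members.csv -NoTypeInformation
```

The resulting CSV is the worklist for the remaining steps: the `RequiredAccess` column records what each member needs before the scoped groups are created and the Domain Admins membership is removed.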


    • #3
      Re: Restrict Access to Domain Admin/Admin Group for all

      Thanks Ossian.