Delegating Privileges to Domain Controllers and Active Directory without the Security Risk

Jul 13, 2016
Author:
Jason Silva
Principal Solutions Architect

As security professionals, we know that granting IT admins access to the domain admins group is a risk, especially considering that Microsoft has made it ever-easier to manage Windows as a standard user. However, you’d be surprised at how often we run into that use case in the field.

Fortunately, there are native capabilities available in Windows Active Directory to help you delegate privileges without granting admin to DCs and AD. This blog explores some native Active Directory security steps to take advantage of, and what commercial options there are to help in your efforts.

Download 'How to Delegate Privileges to Safely Manage Domain Controllers and Active Directory' today.

7 Steps to Take to Improve Control Over Domain Admin Privileges in Active Directory

  1. Audit privileged AD groups. The first step is establishing which accounts have been added to the Domain Admins, Enterprise Admins or Schema Admins groups in AD.
  2. Isolate DCs. Use virtualization as much as possible to isolate DCs from other server roles and applications such as Exchange.
  3. Use read-only DCs. RODCs contact a writeable DC for user authentication and don’t store account credentials locally. This means that if an RODC were compromised, no changes could be made on it and replicated to other DCs in the domain.
  4. Use accounts specifically reserved for the purpose of DC support. Set up a process for issuing access to the domain admin account, which should be centrally stored and rotated on a regular basis.
  5. Consider PowerShell Just-Enough Administration (JEA). JEA allows organizations to granularly restrict access to servers, limiting the cmdlets, modules and parameters that can be executed.
  6. Use Just-in-Time Administration (JIT) – Windows Server 2016. With this feature, shadow groups are created in a bastion forest; when access to a resource in AD is required, a secondary account for the user is added to the shadow group and removed after a given time.
  7. Use organizational units to group AD objects for management purposes. Since each OU can be managed by a different set of GPOs or delegated permissions, it’s possible to separate privileged AD accounts, service accounts, etc., so they can be managed with finer-grained password policies. The Delegation of Control Wizard in ADUC allows privileges to be assigned to an AD group for each OU. Restricted Groups can be used to define and enforce membership of built-in AD groups.
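The following PowerShell script is an added example, not code from the original post or from BeyondTrust. It covers step 1 (enumerating the three privileged groups, including nested membership) and flags members that do not fit step 4 (a dedicated, regularly rotated DC-support account). It assumes the RSAT ActiveDirectory module, a read-only domain account run against the forest root domain, and two illustrative conventions that the post does not specify: a "-da" suffix for dedicated admin accounts and a 90-day password-age threshold.

```powershell
# Added example: audit privileged AD group membership (step 1) and flag
# members that do not look like dedicated, rotated DC-support accounts (step 4).
# Assumptions (not from the post): RSAT ActiveDirectory module is installed,
# the script runs against the forest root domain (Enterprise/Schema Admins live
# there), "-da" is the naming convention for dedicated admin accounts, and
# 90 days is the password rotation threshold.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins')
$AdminSuffix      = '-da'   # assumed naming convention for dedicated admin accounts
$MaxPasswordAge   = 90      # assumed rotation threshold, in days
$Cutoff           = (Get-Date).AddDays(-$MaxPasswordAge)

$Report = foreach ($Group in $PrivilegedGroups) {
    # -Recursive expands nested groups so indirectly privileged accounts are not missed
    $Members = Get-ADGroupMember -Identity $Group -Recursive -ErrorAction Stop
    foreach ($Member in $Members) {
        if ($Member.objectClass -ne 'user') {
            # Computers or foreign security principals in these groups deserve review on their own
            [pscustomobject]@{ Group = $Group; Account = $Member.SamAccountName
                               Findings = "non-user object ($($Member.objectClass))" }
            continue
        }
        $User = Get-ADUser -Identity $Member.distinguishedName `
                           -Properties PasswordLastSet, LastLogonDate, Enabled
        $Findings = @()
        if (-not $User.SamAccountName.ToLower().EndsWith($AdminSuffix)) {
            $Findings += 'not a dedicated admin account'   # step 4: reserved accounts only
        }
        if (-not $User.Enabled) {
            $Findings += 'disabled account still a member'  # stale membership should be removed
        }
        if ($null -eq $User.PasswordLastSet -or $User.PasswordLastSet -lt $Cutoff) {
            $Findings += "password not rotated in $MaxPasswordAge days"
        }
        if ($Findings.Count -gt 0) {
            [pscustomobject]@{ Group = $Group; Account = $User.SamAccountName
                               Findings = ($Findings -join '; ') }
        }
    }
}

# Print the findings and keep a CSV copy so the next audit can be diffed against this one
$Report | Sort-Object Group, Account | Format-Table -AutoSize
$Report | Export-Csv -Path '.\privileged-group-audit.csv' -NoTypeInformation
```

Members that appear with no findings are simply omitted from the report; an empty report means every member of the three groups is an enabled, recently rotated account that follows the assumed naming convention.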

Simplifying the Enforcement of These Steps

BeyondTrust offers options to help you simplify the implementation and enforcement of these best practice steps.

Windows Delegation and Command Elevation

Built around the concept of least privilege, a security model of providing users Just Enough Rights (JER) to perform the tasks and duties related to their roles, Privilege Management works by installing an agent on a Windows Server or client. Using a centralized console, rules are delivered (to all nodes or a subset of them) that control the permissions and privileges a process has, or prevent the process from running altogether.

Shared Application Password Management

At times, true administrator (Local or Domain) access will be needed. Manually controlling which accounts have these rights, which users have the credentials for these accounts, and passwords for these accounts is highly prone to security and user error. Password Safe manages enterprise credentials by randomly generating and cycling them by schedule or upon release. Users are associated with access policies, determining under what situations they should be allowed a remote session to Windows, Unix/Linux or network devices. Remote sessions can be recorded, providing a full video playback with keystroke logging.

AD and Group Policy Change Auditing

BeyondTrust Auditor maintains a constant, real-time audit of activities within Active Directory. This includes monitoring permissions and changes to structure, and even protecting against unauthorized changes. A full audit report is provided, along with the ability to roll back changes made at any point in time.

Want more best practice guidance on securing AD and Domain Controllers? Check out the complete white paper, written by me and IT & Security Expert Russell Smith.
