How to Delegate Privileges to Safely Manage Domain Controllers and Active Directory

Russell Smith, Security Expert, IT consultant

About this White Paper

Download this White Paper and Learn How to Delegate Privileges to Safely Manage Domain Controllers and Active Directory

It would be an understatement to say that welcoming a new member of the IT staff on board by adding them to the Active Directory Domain Admins group is a potential security hazard. And no matter what the longevity of a staff member or the seniority of their position, granting permanent access to privileged AD groups is always a bad idea.

But in spite of the well-understood risks of using administrative privileges, best practice advice from security experts, and the work Microsoft has undertaken to make Windows easier to use as a standard user, organizations often persist in granting administrative privileges to IT staff to expedite system access. However, with a little planning, Active Directory can be effectively managed without domain admin privileges.

It’s worth remembering that there’s no ‘local administrator’ account on a domain controller, and that access to Active Directory can be separated from administrative access to domain controllers. To get the equivalent of local administrator privileges on a domain controller, a user must be granted domain administrative privileges, which also gives unrestricted access to AD and to all DCs in a domain.

In this white paper, BeyondTrust looks at best practices on how to manage access to domain controllers (DCs) and Active Directory (AD) without permanently assigning domain administrative privileges to IT staff.


Windows & IT Security Expert
Russell Smith specializes in the management and security of Microsoft-based IT systems. He is a Contributing Editor at the Petri IT Knowledgebase and an instructor at Pluralsight. Russell has more than 13 years of experience in IT, has written a book on Windows security, co-authored one for Microsoft’s Official Academic Course (MOAC) series, and was a regular contributor at Windows IT Professional magazine.