How to Delegate Privileges to Safely Manage Domain Controllers and Active Directory

Russell Smith


It would be an understatement to say that welcoming a new member of the IT staff on board by adding them to the Active Directory Domain Admins group is a potential security hazard. And regardless of a staff member's tenure or the seniority of their position, granting permanent membership of privileged AD groups is always a bad idea.

But in spite of the well-understood risks of using administrative privileges, best practice advice from security experts, and the work Microsoft has undertaken to make Windows easier to use as a standard user, organizations often persist in granting administrative privileges to IT staff to expedite system access. However, with a little planning, Active Directory can be effectively managed without domain admin privileges.

It’s worth remembering that there’s no ‘local administrator’ account on a domain controller, and that access to Active Directory can be separated from administrative access to domain controllers. To get the equivalent of local administrator privileges on a domain controller, a user must be granted domain administrative privileges, which also gives unrestricted access to AD and to all DCs in a domain.
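As an added illustration of that separation (this is example code written for this page, not taken from the white paper or from BeyondTrust), the PowerShell below delegates a single right, resetting passwords on user accounts beneath one OU, to a helpdesk group, and then lists the resulting ACEs for verification. The domain `contoso.com`, the OU `OU=Staff,DC=contoso,DC=com` and the group `HelpDesk-PwReset` are hypothetical names; the schema and control-access-right GUIDs are the fixed, well-known values that are identical in every forest. Nobody in the group is made a domain administrator, and the delegated right does not extend to domain controllers or to any object outside the OU.

```powershell
# Added example: delegate "Reset Password" on one OU to a group instead of
# granting Domain Admins. Domain, OU and group names are hypothetical.
Import-Module ActiveDirectory

$ouDn  = "OU=Staff,DC=contoso,DC=com"          # hypothetical OU
$group = Get-ADGroup -Identity "HelpDesk-PwReset" # hypothetical group
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Well-known GUIDs (fixed across all AD forests)
$resetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
$userClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # schema class 'user'
$pwdLastSetAttr     = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"  # attribute 'pwdLastSet'

$acl = Get-Acl -Path "AD:\$ouDn"

# ACE 1: the Reset Password extended right, on user objects below the OU only
$resetAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($resetAce)

# ACE 2: read/write pwdLastSet so the helpdesk can require a change at next logon
$pwdAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSetAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)
$acl.AddAccessRule($pwdAce)

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show only the ACEs granted to the delegated group on this OU
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -eq "CONTOSO\HelpDesk-PwReset" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType,
                 InheritedObjectType, InheritanceType -AutoSize
```

The right is granted to a group rather than to individual accounts, so membership can be added and removed (or time-limited) without touching the ACL again, and the verification step is the same query an auditor would run to confirm that no broader right slipped in.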

In this white paper, BeyondTrust looks at best practices on how to manage access to domain controllers (DCs) and Active Directory (AD) without permanently assigning domain administrative privileges to IT staff.