this post was submitted on 23 Jan 2024

Sysadmin

A reddit dedicated to the profession of Computer System Administration.

This is an automated archive.

The original was posted on /r/sysadmin by /u/Simple_Click8989 on 2024-01-23 08:22:18+00:00.


Good morning,

Hope you admins are all well. I would be really grateful for some advice on my AD delegation setup, which in its current form is a mess I have come into and would really like to get sorted for the team. It's a team of 6, with two in first line, two in second line and two in infrastructure.

We have the following accounts in our environment, which I have now set up:

Daily driver account - everyone has this, not any kind of admin

WA account - workstation local admin, in the local admin group on all endpoints (1st line, 2nd line and infrastructure have this)

SA account - server local admin, in the local admin group on all servers excluding DCs (2nd line and infrastructure have this)

DA account - domain admin account that can only be used to log on to DCs (infrastructure only have this)

What I would like to do now is delegate roles in AD to allow only the minimum access to Active Directory Users and Computers needed to carry out tasks. I guess my first question would be: which of the accounts I have created above are best to use to administer Active Directory Users and Computers?

I have created the below structure at the root of the domain:

Admin Accounts
    DA accounts
    Server admins
    Workstation admins

Infrastructure will have access directly on the Admin Accounts OU to reset passwords, unlock accounts and create new users when required.

First line will have access to unlock accounts in the Workstation admins OU only.

Second line will have access to unlock accounts in the Workstation admins and Server admins OUs only.

The next OU is the Employees OU:

Employees
    Site A
    Site B
    Site C

First line has access to reset passwords, unlock accounts and create new users directly on the Employees OU.

Second line has the same access as first line.

Infrastructure has the same as second line but also has the ability to delete users.

The last OU is Endpoints:

Endpoints
    Workstations
    Servers

Only Infrastructure has access to delete any objects in these OUs. New objects can be created by our MDT user account to join new machines to the domain as part of the image process (this account only has the domain join privilege).

This is how I have started to delegate; I'd appreciate any advice on how I could do it better and keep it as clean as possible.

Thank you admins
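The delegation described in the post above, as an added PowerShell example (not the poster's own script): it writes the explicit ACEs for each tier through the ActiveDirectory module's AD: drive, resolving the attribute, class and extended-right GUIDs from the forest schema instead of hard-coding them, and ends with a function that lists the explicit ACEs on an OU so the result can be reviewed. The delegation group names (IT-FirstLine, IT-SecondLine, IT-Infrastructure) and the exact OU names are assumptions.

```powershell
# Added example, not from the post: per-tier OU delegation with explicit ACEs.
# Group names (IT-FirstLine, IT-SecondLine, IT-Infrastructure) and OU names are assumptions.
Import-Module ActiveDirectory

$RootDse  = Get-ADRootDSE
$SchemaNC = $RootDse.schemaNamingContext
$ConfigNC = $RootDse.configurationNamingContext

# Look the GUIDs up in this forest's schema and Extended-Rights container.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $SchemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$ConfigNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$UserClass     = Get-SchemaGuid 'user'
$ComputerClass = Get-SchemaGuid 'computer'
$LockoutTime   = Get-SchemaGuid 'lockoutTime'
$PwdLastSet    = Get-SchemaGuid 'pwdLastSet'
$ResetPassword = Get-ExtendedRightGuid 'Reset Password'

$Desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$All   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$Empty = [guid]::Empty

# Append one Allow ACE for a group to the DACL of an OU.
function Add-OuAce {
    param([string]$OuDn, [string]$Group,
          [System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [guid]$ObjectType,
          [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
          [guid]$InheritedObjectType)
    $sid = (Get-ADGroup $Group).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, $Allow, $ObjectType, $Inheritance, $InheritedObjectType)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Unlock = read/write lockoutTime on user objects below the OU.
function Grant-Unlock([string]$OuDn, [string]$Group) {
    Add-OuAce $OuDn $Group 'ReadProperty,WriteProperty' $LockoutTime $Desc $UserClass
}
# Reset password = the Reset Password extended right, plus pwdLastSet so
# "user must change password at next logon" can be set.
function Grant-ResetPassword([string]$OuDn, [string]$Group) {
    Add-OuAce $OuDn $Group 'ExtendedRight' $ResetPassword $Desc $UserClass
    Add-OuAce $OuDn $Group 'ReadProperty,WriteProperty' $PwdLastSet $Desc $UserClass
}
# Create/delete a given object class in this OU and every sub-OU.
function Grant-CreateChild([string]$OuDn, [string]$Group, [guid]$Class) {
    Add-OuAce $OuDn $Group 'CreateChild' $Class $All $Empty
}
function Grant-DeleteChild([string]$OuDn, [string]$Group, [guid]$Class) {
    Add-OuAce $OuDn $Group 'DeleteChild' $Class $All $Empty
}

$Root    = (Get-ADDomain).DistinguishedName
$AdminOu = "OU=Admin Accounts,$Root"
$WaOu    = "OU=Workstation admins,$AdminOu"
$SaOu    = "OU=Server admins,$AdminOu"
$EmpOu   = "OU=Employees,$Root"
$EndOu   = "OU=Endpoints,$Root"

# Admin Accounts: infrastructure resets/unlocks/creates at the top of the tree;
# the helpdesk tiers only unlock, and only in their own OUs.
Grant-Unlock        $AdminOu 'IT-Infrastructure'
Grant-ResetPassword $AdminOu 'IT-Infrastructure'
Grant-CreateChild   $AdminOu 'IT-Infrastructure' $UserClass
Grant-Unlock        $WaOu    'IT-FirstLine'
Grant-Unlock        $WaOu    'IT-SecondLine'
Grant-Unlock        $SaOu    'IT-SecondLine'

# Employees (inherited by Site A/B/C): all tiers reset/unlock/create, only infrastructure deletes.
foreach ($g in 'IT-FirstLine', 'IT-SecondLine', 'IT-Infrastructure') {
    Grant-Unlock        $EmpOu $g
    Grant-ResetPassword $EmpOu $g
    Grant-CreateChild   $EmpOu $g $UserClass
}
Grant-DeleteChild $EmpOu 'IT-Infrastructure' $UserClass

# Endpoints: only infrastructure may delete computer objects.
Grant-DeleteChild $EndOu 'IT-Infrastructure' $ComputerClass

# Review: the explicit (non-inherited) ACEs on an OU are exactly what was delegated there.
function Get-OuDelegation([string]$OuDn) {
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
}
Get-OuDelegation $EmpOu | Format-Table -AutoSize
```

Run it with the DA account from a DC or a dedicated admin host, since modifying OU DACLs is a Tier 0 change. Two checks worth doing before relying on it: first, an ACE granted on the Admin Accounts OU with Descendents inheritance also covers the DA accounts sub-OU, so whoever holds Reset Password there can take over a domain admin account and must be treated as domain-admin equivalent (consistent with the post's own tiering, where infrastructure already holds DA). Second, the MDT join account needs more than CreateChild on computer objects for a domain join to succeed (it also needs the write and validated-write rights on the computer object it creates); this script does not set those up, so keep that account's delegation separate and review it with Get-OuDelegation in the same way.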
