Domain – Best Practice: What domain admin credentials to use when adding/joining computer to network domain

Tags: active-directory, best practices, credentials, domain, networking

Environment: 1 Win2008R2 Network Server (also domain controller) 13 or so Workstations.

Traditionally we've always used the server administrator credentials to join a workstation to a business domain network, or 13 workstations. However, we're now enforcing password policies and it's required that the admin password changes regularly.

The network server admin account password was changed today as a result of this policy enforcement.

My network user account password that's used on my workstation also had to be updated.

I logged off my workstation and back in after being prompted to change the password. I was then required to enter Domain Admin credentials to access the domain. I suspect this was because the server admin account password was changed.

I had thought that as the workstation was already added to AD that it would be remembered, but the credentials still needed to be entered on the workstation.

So this had me thinking that there has to be a better/correct way to do this.

I thought I could create a Domain Admin user just for this purpose and set the password to never expire but I think that surely defeats the purpose in the first place of maximising security.

So what is the best way to do this?

I.E. When first adding/joining a workstation to a network domain, what Domain Admin credentials should be entered?

All of the articles and YouTube videos I've seen so far say to enter Administrator and its password.

Please let me know if this requires further expansion.

Best Answer

Ideally, each technician/administrator should have at least two (if not more) accounts.

  • Standard Account (for daily non-administrative tasks)
  • Workstation Admin account (administrative access only to Workstations; delegated access to Workstation OUs in Active Directory, no access to servers)
  • Server Admin account (administrative access to servers and delegated access to Server OUs - no access to workstations)
  • Domain Admin account (administrative access to Active Directory; NO access to servers, NO access to workstations [except Secured Management workstations])
  • Other accounts as necessary.

Accordingly, the technician's Workstation Admin account should be used to join the computer to the domain. Shared accounts should be used only in situations where no other option is available. Alternatively, I could see an option where an automated deployment tool (like SCCM or something) could leverage a dedicated account with no access other than that of joining computers to the domain in a dedicated OU.

In order for it to work properly (aside from the first 10 workstations joined), you can refer back to this article: https://support.microsoft.com/en-us/help/932455/error-message-when-non-administrator-users-who-have-been-delegated-con (an oldie but a goodie). In short, the steps are:

  1. Open Active Directory Users and Computers
  2. Right-click the Workstations OU, select Delegate Control
  3. Work through the wizard and delegate a custom task of Creating and Deleting selected objects in the folder; limited to only computer objects in the folder.
  4. Grant the Reset Password, R/W Account Restrictions, Validated write to DNS hostname, and Validated write to service principal name.

The trick is that the workstation admin account should be a member of a group of "workstation admins"; from there, all access and permissions should be granted to the workstation admin group.
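The delegation the answer walks through with the wizard can also be applied as ACEs on the OU from PowerShell, granted to the group rather than to an individual account. This is an added example, not code from the original answer; the OU distinguished name `OU=Workstations,DC=corp,DC=example` and the group name `Workstation Admins` are assumptions, and it is meant to be run from a domain-joined machine with the ActiveDirectory module (RSAT) installed.

```powershell
# Added example (not from the original answer): delegate computer-join rights on the
# Workstations OU to the "Workstation Admins" group, mirroring the wizard steps above.
Import-Module ActiveDirectory

$ouDN      = "OU=Workstations,DC=corp,DC=example"   # assumption: your Workstations OU
$groupName = "Workstation Admins"                    # assumption: your delegated group

# Well-known AD schema GUIDs (verify against your own schema with Get-ADObject if in doubt)
$computerClass    = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"  # 'computer' object class
$resetPassword    = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # Reset Password extended right
$accountRestrict  = [Guid]"4c164200-20c0-11d0-a768-00aa006e0529"  # Account Restrictions property set
$validatedDnsHost = [Guid]"72e39547-7b18-11d1-adef-0000f80367c1"  # Validated write to DNS host name
$validatedSpn     = [Guid]"f3a64788-5306-11d1-a9c5-0000f80367c1"  # Validated write to SPN

# Builds an Allow ACE for the group and appends it to the OU's ACL.
function Add-OuAce {
    param($Acl, $Sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights, [Guid]$ObjectType,
          [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit,
          [Guid]$InheritedType = [Guid]::Empty)
    $ctorArgs = @($Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
                  $ObjectType, $Inherit, $InheritedType)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ctorArgs
    $Acl.AddAccessRule($ace)
}

$sid = (Get-ADGroup -Identity $groupName).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# Step 3: create and delete computer objects in this OU only (not other object types)
Add-OuAce $acl $sid 'CreateChild, DeleteChild' $computerClass 'None'

# Step 4: rights on the computer objects beneath the OU (inherited to descendant computers)
Add-OuAce $acl $sid 'ExtendedRight'              $resetPassword    'Descendents' $computerClass
Add-OuAce $acl $sid 'ReadProperty, WriteProperty' $accountRestrict  'Descendents' $computerClass
Add-OuAce $acl $sid 'Self'                       $validatedDnsHost 'Descendents' $computerClass
Add-OuAce $acl $sid 'Self'                       $validatedSpn     'Descendents' $computerClass

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: list only the ACEs now held by the delegated group on the OU
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
```

Because the rights are attached to the group, a technician's Workstation Admin account gains or loses the ability to join machines simply by group membership, and no account needs a non-expiring password for this task.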