Limited Access to Domain Controller for Active Directory Administration

Tags: active-directory, group-policy, remote-access, windows-server-2012-r2

I have to provide a group of Jr. Sys Admins with limited access to a domain controller for the purpose of limited Active Directory user and group administration (i.e. user creation, password reset, etc.). I have implemented delegation to limit the scope of tasks the Jr. Sys Admins may execute on the Active Directory. Some of these users use macOS, so using Remote Server Administration Tools as one might on a Windows machine is not an option for them.

As such I would like to give them RDP access to a domain controller. I'd like them to be able to open Active Directory Users and Computers (without prompting for administrator credentials) but limit their access to the remainder of the system as much as possible. Note: I may need to give them access to a few other items for other related job responsibilities.

  • What is the best way to accomplish this?
  • If imposing restrictions via Group Policy is the best method, what is the most efficient way to construct a policy that would accomplish my stated objective?

Best Answer

I believe I was able to achieve the desired results through a combination of configurations.

  1. Created an OU for "Limited AD Administrators"
  2. Created the first user account in the above OU
  3. On my "Company Users" OU I delegated access to the user account for: create, delete, manage user accounts, reset passwords, read all user information.
  4. On my "Company Groups" OU I delegated access to the user account for: modify the membership of a group.
  5. On Domain Controller, in Local Security Policy > User Rights Management > Allow log on through Remote Desktop Services: added the user account.
  6. Added the user to the "Backup Operators" built-in group. This provides sufficient privilege to open Active Directory Users and Computers.
  7. Created a GPO and linked it to the "Limited AD Administrators" OU with the following restrictions:
     • Run only specified Windows applications: dsa.msc, mmc.exe
     • Prevent access to the command prompt
     • Prevent access to registry editing tools
     • Remove and prevent access to the Shut Down, Restart, Sleep and Hibernate commands
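The same configuration, scripted with the ActiveDirectory and GroupPolicy modules as an added example (not code from the original answer): the OU, account and GPO names are assumptions, the delegation is written as explicit ACEs rather than through the wizard, and step 5 (the "Allow log on through Remote Desktop Services" user right) has no cmdlet and stays in secpol.msc as the answer describes.

```powershell
# Added example, not code from the original answer: steps 1-4, 6 and 7 via the ActiveDirectory
# and GroupPolicy modules. OU, user and GPO names are assumptions; adapt them to your domain.
Import-Module ActiveDirectory, GroupPolicy
$domainDN = (Get-ADDomain).DistinguishedName
$adminOU  = "OU=Limited AD Administrators,$domainDN"   # step 1
$usersOU  = "OU=Company Users,$domainDN"               # step 3 target (assumed to exist)
$groupsOU = "OU=Company Groups,$domainDN"              # step 4 target (assumed to exist)
$jrAdmin  = "jr.admin"                                  # step 2, assumed account name
New-ADOrganizationalUnit -Name "Limited AD Administrators" -Path $domainDN
New-ADUser -Name $jrAdmin -SamAccountName $jrAdmin -Path $adminOU -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString "Initial password for $jrAdmin")
$sid = (Get-ADUser $jrAdmin).SID

# Steps 3-4 as explicit ACEs (what the Delegation of Control wizard writes). Well-known schema GUIDs:
$userClass  = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # user object class
$groupClass = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # group object class
$memberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # member attribute
$resetPwd   = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password control access right
$R     = [System.DirectoryServices.ActiveDirectoryRights]
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$desc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
function New-AdRule { New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $args }
function Add-OuAce([string]$ouDN, $rule) {
    $acl = Get-Acl -Path "AD:\$ouDN"; $acl.AddAccessRule($rule); Set-Acl -Path "AD:\$ouDN" -AclObject $acl
}
# Company Users: create/delete user objects, reset their passwords, read/write their attributes
Add-OuAce $usersOU (New-AdRule $sid ($R::CreateChild -bor $R::DeleteChild) $allow $userClass)
Add-OuAce $usersOU (New-AdRule $sid ($R::ExtendedRight) $allow $resetPwd $desc $userClass)
Add-OuAce $usersOU (New-AdRule $sid ($R::ReadProperty -bor $R::WriteProperty) $allow $desc $userClass)
# Company Groups: write only the member attribute of group objects, nothing else
Add-OuAce $groupsOU (New-AdRule $sid ($R::WriteProperty) $allow $memberAttr $desc $groupClass)

# Step 6. Backup Operators is a highly privileged built-in group on a DC: keep its membership audited.
Add-ADGroupMember -Identity "Backup Operators" -Members $jrAdmin

# Step 7: the four User Configuration restrictions as the registry values their ADMX templates set
$gpo = New-GPO -Name "Limited AD Admins - DC lockdown"
New-GPLink -Name $gpo.DisplayName -Target $adminOU | Out-Null
$pol = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
$set = { param($k, $n, $t, $v) Set-GPRegistryValue -Name $gpo.DisplayName -Key $k -ValueName $n -Type $t -Value $v | Out-Null }
& $set "$pol\Explorer"             RestrictRun          DWord  1          # Run only specified Windows applications
& $set "$pol\Explorer\RestrictRun" '1'                  String 'dsa.msc'  #   entries of the allowed list
& $set "$pol\Explorer\RestrictRun" '2'                  String 'mmc.exe'
& $set 'HKCU\Software\Policies\Microsoft\Windows\System' DisableCMD DWord 2   # Prevent access to the command prompt (2 = scripts still run)
& $set "$pol\System"               DisableRegistryTools DWord  2          # Prevent access to registry editing tools (2 = incl. regedit /s)
& $set "$pol\Explorer"             NoClose              DWord  1          # Remove Shut Down/Restart/Sleep/Hibernate
```

RestrictRun only governs programs started by the Explorer process, so verify the end result with a test logon of the delegated account and `gpresult /r` rather than trusting the list alone.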