active-directorySecurityuacwindows
At work, we've recently received a recommendation to have two separate accounts for domain administrators. One account would be a standard user account with no admin privileges and one would be a member of Domain Admins. While I can understand why this recommendation is being made, it seems like a royal pain as well.
I know that UAC manages this type of privilege escalation in a mostly transparent way. Is UAC or another solution capable of providing this level of protection?
This is odd, but I've got two avenues to try:
Grab a copy of Sysinternals Process Explorer and look at the security tab for a non-elevated process, is your group still being filtered out? I ask because apparently Whoami.exe is known to be buggy since Vista and up to at least the Windows 8 Release Preview (see Case of the unexplained: whoami.exe and the Deny flag).
What is the SID (or at least the RID) of you group? Is there any chance it is one of the built-in groups? Or it somehow got a low enough RID that LSASS thinks it's a built-in group? I don't know if that's even possible, but who knows... See the Access Token Changes section in New UAC Technologies for Windows Vista and Well-known security identifiers in Windows operating systems for more info.
And just out of curiosity, can you set a file or folder to allow access to only your group and see if it is truly being filtered out? This would potentially go towards option 1 above.
In a domain environment, you can grant access rights to computer accounts; this applies to processes running on those computers as LocalSystem or NetworkService (but not LocalService, which presents anonymous credentials on the network) when they connect to remote systems.
So, if you have a computer called MANGO, you'll have an Active Directory computer account called MANGO$, which you can grant permissions to.
Note: You can't do any of this in a workgroup environment; this applies only to domains.
Best Answer
Yes and no, it depends on your comfort with the risks involved. UAC definitely provides a layer of protection, akin to
sudoin the linux world. However, if you just get used to blindly clicking Yes on all UAC prompts then the protection is somewhat reduced. If your account is straight-up not authorized to perform those actions then the accidental dismissal of a UAC prompt is not a danger.Of course there are still dangers of being logged in under the domain admin account, but it's much more of an intentional action and you can separate the authorizations a lot more by having dual accounts. It also affords your organization an easier way to remove authorizations in the case that someone changes job function.