7

In our Windows environment, our Domain Admins only have one user account. This single user account is used across the board, including for running a day-to-day workstation. In our transition away from this practice, we are looking for best practices on how we should set up Domain Admins moving forward.

The obvious first step is to default to low-privilege accounts and escalate applications as required. As this is the first time we are moving to this setup, we are unaware of what things we should look for and what changes we should make. And on a wider scale, how does this affect us being SharePoint Admins? Office 365 Admins? etc.?

What resources are out there, or can you provide?

EEAA
Mark

2 Answers

8

I'm going to take the opposite tack as @TheCleaner.

Those Domain Admin accounts' password hashes are probably lying all around your network, just waiting for a pass-the-hash scenario. Because of that, I'd recommend you remove those accounts from Domain Admins immediately, and start using them as limited users. (You should still change the passwords, too.)

This method also has the distinct advantages of not requiring any profile "voodoo" and, hopefully, not changing any permissions on resources like home directories, which should have had the user named anyway. This preserves Exchange mailboxes in place, too.

Create new Domain Admin-member accounts with logon restrictions limited to only the Domain Controller computers. These accounts should never be used for anything other than logging on to Domain Controller computers, to limit the exposure of their password hashes.

This is going to be a tough transition, and you're going to run into things that were working on client computers only because your user accounts were implicitly members of the local "Administrators" group. You can probably make this pill a little easier to swallow by using another group nesting (say, "Former Domain Admins") to give these accounts local Administrator rights. Eventually you'll want to move away from that, too.

Evan Anderson
  • +1 - I agree with this in concept, I was just looking at it in terms of "what is less painful for the company". He has multiple domain admins, Sharepoint, etc...so I'll presume it isn't a small company. So to put the "pain points" onto the admins instead of the rest of the company when they forget about where all those accounts are running scripts, services, portal logins, Sharepoint Central Admin stuff, etc. Mark would need to decide if the hash risk is worth it or not. Your answer in reverse would likely be ideal. Create new admin level accounts, put them in place of the old accounts... – TheCleaner Nov 13 '14 at 13:59
  • such as where admin level account access is needed, create Managed Service Accounts, get everything working under the new accounts properly while creating at the same time low-privilege accounts the user can use on their workstations. Work to remove 1 or 2 of their "admin level old accounts" each week and eventually you'll get them all removed without a mass disruption. – TheCleaner Nov 13 '14 at 14:02
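The approach in this answer (new DC-only admin accounts, old accounts dropped out of Domain Admins into a temporary "Former Domain Admins" group, passwords reset) as an added PowerShell example; this is not a script from the answer or from its author. It assumes the ActiveDirectory module, a domain `corp.example`, an OU `OU=Tier0,DC=corp,DC=example` for the new accounts, and the naming convention `<user>-da`; all of these are constructed for the example.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original answer). Assumed values: domain
# corp.example, OU 'OU=Tier0,DC=corp,DC=example', suffix '-da' for the new
# DC-only admin accounts. Run it with an account that stays in Domain Admins.
Import-Module ActiveDirectory

$Domain      = 'corp.example'
$TierZeroOU  = 'OU=Tier0,DC=corp,DC=example'
$FormerGroup = 'Former Domain Admins'

# Comma-separated NetBIOS names of every DC. LogonWorkstations (the
# userWorkstations attribute) restricts interactive logon to this list, which
# is what keeps the new accounts' hashes off member servers and workstations.
$DcList = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name) -join ','

function New-DcOnlyAdmin {
    param(
        [Parameter(Mandatory)][string]$Sam,
        [Parameter(Mandatory)][string]$DisplayName
    )
    $pw = Read-Host -Prompt "Initial password for $Sam" -AsSecureString
    New-ADUser -Name $DisplayName -SamAccountName $Sam `
        -UserPrincipalName "$Sam@$Domain" -DisplayName $DisplayName `
        -Path $TierZeroOU -AccountPassword $pw -Enabled $true `
        -LogonWorkstations $DcList -ChangePasswordAtLogon $true
    Add-ADGroupMember -Identity 'Domain Admins' -Members $Sam
}

function Revoke-DomainAdmin {
    param([Parameter(Mandatory)][string]$Sam)
    $u = Get-ADUser -Identity $Sam
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $u -Confirm:$false
    # Bridge group: grants local Administrators only once it is pushed to the
    # clients via Group Policy (Restricted Groups); remove it later.
    Add-ADGroupMember -Identity $FormerGroup -Members $u
    # The old hash may be cached anywhere this account ever logged on, so the
    # password is reset now and the user must pick a new one.
    $pw = Read-Host -Prompt "New password for $Sam" -AsSecureString
    Set-ADAccountPassword -Identity $u -Reset -NewPassword $pw
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true
}

if (-not (Get-ADGroup -Filter "Name -eq '$FormerGroup'")) {
    New-ADGroup -Name $FormerGroup -GroupScope Global -GroupCategory Security -Path $TierZeroOU
}

# Record who is a Domain Admin today, then swap each person over. The account
# running the script is skipped so you do not lock yourself out mid-run.
$currentAdmins = Get-ADGroupMember -Identity 'Domain Admins' |
    Where-Object { $_.objectClass -eq 'user' -and $_.SamAccountName -ne $env:USERNAME } |
    Select-Object -ExpandProperty SamAccountName

foreach ($sam in $currentAdmins) {
    New-DcOnlyAdmin -Sam "$sam-da" -DisplayName "$sam (DA)"
    Revoke-DomainAdmin -Sam $sam
}
```

The order inside the loop matters: the replacement admin account exists and is in Domain Admins before the old one is removed, so there is never a moment with fewer administrators than before. The `LogonWorkstations` list is only enforced for interactive logons, so the new accounts still need their own tier-0 password and monitoring discipline; it is the first control, not the only one.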
5

Here's my quick recommendation...since you can easily work "backwards" at this point to get what you want.

  1. Rename the existing accounts in AD to something like "Mark-Admin". Change their display name and user logon name (username). The SID will stay the same so it's similar to having someone go from their maiden to married name in essence. All permissions, etc. everywhere stay the same.
  2. Create each of them new low privilege accounts now called "Mark" (whatever their old normal username was that they were used to using). Give these accounts permissions to their Home folder and/or whatever else permissions this normal account needs access to. You'll also need to transfer over Exchange/email system information (email addresses, etc.) from the old to this account as well. Keep in mind that their email address is likely used as login information for O365 or other portals if you aren't using SSO.
  3. Remove any permissions that "Mark-Admin" no longer needs access to, if any.
  4. Use a tool such as ForensIT Profile Wizard on their workstation to migrate their profile from the old SID (now Mark-Admin username) to their new SID (Mark)...giving them back their desktop/profile/etc. as if they'd always used it on that account.
  5. For logons/authentication portals that don't offer SSO (possibly your O365, SharePoint, etc.), you'll need to update these somehow. For instance, with O365, if you aren't syncing with AD, then you'd need to update it directly, either creating a new account or modifying the existing account's rights. This will be based on your setup. For example, if they are currently signing in with their email address, then that address would obviously transfer to their low-privilege account (Mark) and you'd need a different address set up for Mark-Admin.
  6. Profit
TheCleaner
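Steps 1 to 3 of this answer (rename the existing account so it keeps its SID, create the new low-privilege account under the old username, give it its home folder and ordinary group memberships) as an added PowerShell example; it is not TheCleaner's own script. It assumes the ActiveDirectory module, domain `corp.example` with NetBIOS name `CORP`, home folders under `\\fs01\home`, and a user `mark`; these values are constructed for the example. Steps 4 and 5 (profile migration with ForensIT, portal logins) are outside what a directory script can do and are left as comments.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not TheCleaner's script). Assumed values: domain corp.example
# (NetBIOS CORP), home folders under \\fs01\home, user 'mark'.
Import-Module ActiveDirectory

$Domain   = 'corp.example'
$NetBios  = 'CORP'
$HomeRoot = '\\fs01\home'

# Groups that must stay on the -Admin account only; everything else is copied.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Server Operators', 'Backup Operators'

function Split-AdminAccount {
    param([Parameter(Mandatory)][string]$Sam)

    # Step 1: the existing account keeps its SID, only its names change.
    # ObjectGUID is used as the identity because the sAMAccountName and DN
    # both change during this step.
    $old      = Get-ADUser -Identity $Sam -Properties DisplayName
    $adminSam = "$Sam-Admin"
    Set-ADUser -Identity $old.ObjectGUID -SamAccountName $adminSam `
        -UserPrincipalName "$adminSam@$Domain" -DisplayName "$($old.DisplayName) (Admin)"
    Rename-ADObject -Identity $old.ObjectGUID -NewName $adminSam

    # Step 2: a new low-privilege account under the familiar username.
    $pw       = Read-Host -Prompt "Initial password for $Sam" -AsSecureString
    $homePath = Join-Path $HomeRoot $Sam
    $new = New-ADUser -Name $Sam -SamAccountName $Sam -UserPrincipalName "$Sam@$Domain" `
        -DisplayName $old.DisplayName -GivenName $old.GivenName -Surname $old.Surname `
        -HomeDirectory $homePath -HomeDrive 'H:' -AccountPassword $pw -Enabled $true `
        -ChangePasswordAtLogon $true -PassThru

    # Give the new SID the same Modify right on the home folder the old SID has.
    if (Test-Path $homePath) {
        $acl  = Get-Acl -Path $homePath
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList "$NetBios\$Sam", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
        Set-Acl -Path $homePath -AclObject $acl
    }

    # Copy ordinary (non-privileged) group memberships to the new account.
    # Step 3, removing rights the -Admin account no longer needs, is a manual
    # review of what remains on $adminSam after this.
    Get-ADPrincipalGroupMembership -Identity $old.ObjectGUID |
        Where-Object { $_.Name -ne 'Domain Users' -and $PrivilegedGroups -notcontains $_.Name } |
        ForEach-Object { Add-ADGroupMember -Identity $_ -Members $new }

    # Step 4: migrate the workstation profile from OldSid to NewSid with a tool
    # such as ForensIT Profile Wizard.
    # Step 5: mail addresses, O365 and SharePoint logins depend on your sync setup.
    [pscustomobject]@{
        AdminAccount = $adminSam
        UserAccount  = $Sam
        OldSid       = $old.SID.Value
        NewSid       = $new.SID.Value
    }
}

Split-AdminAccount -Sam 'mark'
```

The returned object records both SIDs, which is exactly the pair the profile-migration tool in step 4 needs. Because the renamed account keeps its SID, every existing ACL, scheduled task and service that referenced it keeps working; the cost is that its hash is still wherever it was before, so the password reset and the logon restrictions from the other answer still apply to the `-Admin` account.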