
I am trying very diligently to remove as many over-privileged accounts/roles in our Active Directory and Windows (server and desktop) environment. This means retiring as many users as possible from Local Admin and Domain admin roles. (This includes our own security team).

Like many organizations that are forced to comply with external regulations, we are required to maintain separation of duties.

One type of built-in role I would kill for in Windows would be the "Read-Only Local Admin" or "Auditor" role. There are multiple classes of users who should have rights to examine all settings, all file systems, and run all the standard tools that do not change the system. Two examples -- our security teams and auditors, who often need undeterred access to examine without the possibility (by chance or design) of altering settings. It could be useful for tools and service accounts that stupidly "require" Admin privileges, forcing us to research the "real" settings needed.

These users need to be able to act independently of the operational teams and NOT rely on them or others to gather information about all system settings at the OS level.

In short -- I know nothing like this is built in. I'm looking for resources here --- for example, PowerShell scripts that we could run on servers as a baseline to pre-establish (as far as possible) the functional equivalent of the above.

Even a source listing of suggested settings or a how-to would be useful. I have many in mind (ACLs on disk, registry, shares), GPOs, etc, etc.

For the record, I did see the question: Is it possible to create a read-only user account for security auditing purposes?

I'm hoping my post is distinct enough with enough explanation to attract more than the single response it received.

dave_the_dev

0 Answers
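One way to start scripting the read-only auditor baseline the question asks for, as an added example that is not part of the original post: it grants an assumed CONTOSO\Auditors group read-only ACEs on placeholder folders and registry keys without touching existing entries, and reports any write-level file ACE the group already holds so that over-grants elsewhere surface in the output. Group name, paths and keys are placeholders; run elevated on the target server.

```powershell
# Added example (not from the original post). All names below are placeholders.
$Group   = 'CONTOSO\Auditors'                       # assumed auditor group
$Paths   = @('C:\inetpub', 'C:\ProgramData\App')    # placeholder folders
$RegKeys = @('HKLM:\SOFTWARE\App')                  # placeholder registry keys

# Add a Read & Execute ACE that inherits to subfolders and files; existing ACEs stay.
function Grant-ReadOnlyFileAccess {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Add a ReadKey ACE (query values, enumerate subkeys, no SetValue/CreateSubKey).
function Grant-ReadOnlyRegistryAccess {
    param([string]$Key, [string]$Identity)
    $acl  = Get-Acl -Path $Key
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.RegistryRights]::ReadKey,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Key -AclObject $acl
}

# Audit check for file system paths: any Allow ACE for the group that includes
# Write is more than "read-only" and is returned for review.
function Find-ExcessFileRights {
    param([string]$Path, [string]$Identity)
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $write) -ne 0)
    }
}

foreach ($p in $Paths)   { Grant-ReadOnlyFileAccess     -Path $p -Identity $Group }
foreach ($k in $RegKeys) { Grant-ReadOnlyRegistryAccess -Key  $k -Identity $Group }
foreach ($p in $Paths)   { Find-ExcessFileRights -Path $p -Identity $Group |
                           Format-Table IdentityReference, FileSystemRights, IsInherited }
```

Running the grant functions twice adds duplicate ACEs; wrap them in a check against the existing `Access` entries before deploying this through GPO or a scheduled baseline job.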