
Environment: 1 Win2008R2 Network Server (also domain controller) 13 or so Workstations.

Traditionally we've always used the server administrator credentials to join a workstation to the business domain network, for all 13 or so workstations. However, we're now enforcing password policies, and it's required that the admin password change regularly.

The network server admin account password was changed today as a result of this policy enforcement.

My network user account password that's used on my workstation also had to be updated.

I logged off my workstation and back in after being prompted to change the password. I was then required to enter Domain Admin credentials to access the domain. I suspect this was because the server admin account password was changed.

I had thought that as the workstation was already added to AD that it would be remembered, but the credentials still needed to be entered on the workstation.

So this had me thinking that there has to be a better/correct way to do this.

I thought I could create a Domain Admin user just for this purpose and set the password to never expire but I think that surely defeats the purpose in the first place of maximising security.

So what is the best way to do this?

i.e. When first adding/joining a workstation to a network domain, what Domain Admin credentials should be entered?

All of the articles and YouTube videos I've seen so far say to enter Administrator and its password.

Please let me know if this requires further expansion.

PeteB
  • Is this for business/corporate? Or is this a home network? – Tim_Stewart Apr 27 '18 at 15:17
  • @Tim_Stewart The question is tagged "domain" and the context further confirms it is very likely a corporate or managed network. – music2myear Apr 27 '18 at 15:32
  • @music2myear, I figured. I flagged this before I saw you had answered. Wouldn't this be off-topic for su per the help section? I definitely interpreted this question as relating to administration in a corporate/Enterprise environment. The reason I asked is because I use LDAP at home and wanted to confirm the suspicion. Regards, – Tim_Stewart Apr 27 '18 at 15:53
  • @Tim_Stewart business network. If this is off topic then I'm sorry I ended up here after Google searching and found similar topics and answers. I shall read the help section now. – PeteB Apr 27 '18 at 16:35
  • A better, clearer, and more specific form of this question may gain more authoritative answers over at ServerFault. The question is also more of a policy question rather than solution request as it is currently written. – music2myear Apr 27 '18 at 16:38
  • It is indeed not suitable for discussion as it's a business network (although small). I have voted to delete. Sorry guys. I'll look elsewhere. Thanks anyway. – PeteB Apr 27 '18 at 16:39
  • @peteB, no worries. I believe it's the server fault community that deals with corporate/Enterprise. You will probably get much more articulate answers there regarding administrative policies, as it seems to be a community of engineers/administrators. This community deals mainly with personal computing and personal/home networking. Best regards, – Tim_Stewart Apr 27 '18 at 16:41
  • Well, it's not a particularly strict rule, and I think the root issue isn't whether this is a domain issue or not. The real issue is that this is a pretty basic question for domain setups. @PeteB what is your role? Are you responsible for this stuff, or are you part of a larger IT org? Are you just learning the ropes, new to IT or this sort of setup? Rather than asking in SF, I'd highly suggest re-reading for clarity the published documentation about how domains work. Let me know if my updated answer below clarifies anything for you. – music2myear Apr 27 '18 at 16:48
  • The point of the different communities isn't necessarily to raise high walls, so much as it is to get you to the place where you're most likely to get a good answer from people familiar with the details of your question. – music2myear Apr 27 '18 at 16:48
  • I'm solely responsible for the network. I'll update the question for completeness even though it'll get deleted but I can at least copy and paste to serverfault. – PeteB Apr 27 '18 at 17:07
  • So, your DC is the only server whose local account is important. But it is the account, not the password, that is important, and the password changing does not affect the function of this account. All other important accounts on the domain can be domain accounts. Local accounts can be disabled and left so, and the changing of domain passwords will in no way affect the authentication or function of your domain except in cases where an application needs set credentials to access another resource, but these are generally insecure designs anyway and should be avoided if at all possible. – music2myear Apr 27 '18 at 17:23
  • You probably saved your credentials on the workstation, and you have your sharing and NTFS permissions set up wrong on the server. Whatever it is, it has absolutely nothing to do with what user account was used to join the domain nor changing the password of said account. If you saved credentials that are different than your currently logged on user account, and are using that credential to access a file share, then subsequently changed the password of that account or expired the password, then the answer is obvious. – Appleoddity Apr 28 '18 at 05:56

3 Answers

Ideally, each technician/administrator should have at least two (if not more) accounts.

  • Standard Account (for daily non-administrative tasks)
  • Workstation Admin account (administrative access only to Workstations; delegated access to Workstation OUs in Active Directory, no access to servers)
  • Server Admin account (administrative access to servers and delegated access to Server OUs - no access to workstations)
  • Domain Admin account (administrative access to Active Directory; NO access to servers, NO access to workstations [except Secured Management workstations])
  • Other accounts as necessary.

Accordingly, the technician's Workstation Admin account should be used to join the computer to the domain. Shared accounts should be used only in situations where no other option is available. Alternatively, I could see an option where an automated deployment tool (like SCCM or something) could leverage a dedicated account with no access other than that of joining computers to the domain in a dedicated OU.

In order for it to work properly (aside from the first 10 workstations joined), you can refer back to this article: https://support.microsoft.com/en-us/help/932455/error-message-when-non-administrator-users-who-have-been-delegated-con (an oldie but a goodie). In short the steps are

  1. Open Active Directory Users and Computers
  2. Right-click the Workstations OU, select Delegate Control
  3. Work through the wizard and delegate a custom task of Creating and Deleting selected objects in the folder; limited to only computer objects in the folder.
  4. Grant the Reset Password, Read/Write Account Restrictions, Validated write to DNS host name, and Validated write to service principal name rights.

The trick is that the workstation admin account should be a member of a group of "workstation admins" from there all access and permissions should be granted to the workstation admin group.

Semicolon
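The delegation steps above can be applied without clicking through the wizard. The following PowerShell is an added example, not part of the original answer or of Microsoft's article: it grants the same five rights the answer lists to a "workstation admins" group on a Workstations OU, and finishes by clearing the default allowance of 10 joins per authenticated user (the "first 10 workstations" mentioned above, and the ms-DS-MachineAccountQuota discussed in the comments on the last answer), so that only the delegated group can join machines. The OU distinguished name, the group name and the domain are assumed values; change them for your forest. It needs the ActiveDirectory module (RSAT or a DC) and an account allowed to modify the OU's security descriptor.

```powershell
# Added example: delegate "join computers to this OU" to a group, then close the
# default 10-machine quota. OU, group and domain names below are hypothetical.
Import-Module ActiveDirectory

$OuDn      = 'OU=Workstations,DC=corp,DC=example'   # assumed OU
$GroupName = 'Workstation Admins'                   # assumed group

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# Resolve the GUIDs from the schema and configuration partitions instead of
# hard-coding them; a typo in a hard-coded GUID silently grants nothing.
$computerClass = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerClassGuid = [guid]$computerClass.schemaIDGUID

function Get-RightsGuid([string]$DisplayName) {
    # Extended rights and property sets (e.g. "Account Restrictions") both live here.
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $right) { throw "Extended right '$DisplayName' not found" }
    [guid]$right.rightsGuid
}

$sid   = (Get-ADGroup -Identity $GroupName).SID
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl   = Get-Acl -Path "AD:\$OuDn"

function New-OuRule($Rights, [guid]$ObjectType, $Inheritance, [guid]$InheritedObjectType) {
    # ActiveDirectoryAccessRule(identity, rights, type, objectType, inheritanceType, inheritedObjectType)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, $allow, $ObjectType, $Inheritance, $InheritedObjectType)
}

$descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Step 3 of the answer: create and delete computer objects in this OU only.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor
     [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
    $allow,
    $computerClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))

# Step 4 of the answer: rights scoped to computer objects under the OU.
# "Self" is the ActiveDirectoryRights value for validated writes.
$acl.AddAccessRule((New-OuRule ([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) `
    (Get-RightsGuid 'Reset Password') $descendents $computerClassGuid))
$acl.AddAccessRule((New-OuRule ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                                [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) `
    (Get-RightsGuid 'Account Restrictions') $descendents $computerClassGuid))
$acl.AddAccessRule((New-OuRule ([System.DirectoryServices.ActiveDirectoryRights]::Self) `
    (Get-RightsGuid 'Validated write to DNS host name') $descendents $computerClassGuid))
$acl.AddAccessRule((New-OuRule ([System.DirectoryServices.ActiveDirectoryRights]::Self) `
    (Get-RightsGuid 'Validated write to service principal name') $descendents $computerClassGuid))

Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Close the default quota: with 0, only principals holding the rights above can join.
Set-ADDomain -Identity (Get-ADDomain).DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

After this runs, a member of the group joins a workstation from the workstation itself with Add-Computer -DomainName corp.example -OUPath $OuDn -Credential CORP\ws-admin-jdoe -Restart (names assumed), and the computer object lands in the Workstations OU without any Domain Admin credential being typed on the endpoint. Whatever account performs the join, its later password changes do not touch the machine's own trust; Test-ComputerSecureChannel on the workstation confirms that secure channel independently of any user account.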

Updated answer based on corrected/edited question

Once a computer has been joined to a domain it does not have to re-join the domain. Once an administrator account has confirmed the system is to be added to the domain, you could delete that admin account and it would have no impact on the computer added using that account.

I'm not sure where the wires are getting crossed in your understanding, but they are crossed.

The trust relationship between the domain and its member computers is NOT predicated or dependent on the administrator accounts used to authenticate the various systems together.

Previous answer, based on original question:

There are many ways to solve this, some of them good and properly security-minded, and some of them not. For that reason, this question really deserves more of an open-ended discussion format to fully flesh out. However, here are two methods I'm familiar with:

  1. Each technician of appropriate responsibility has two domain user accounts, one regular user that they use to login to their own computer and do most of their day-to-day tasks with, and another account that has domain admin permissions which they use to open the tools and perform the tasks that require this. The administrator account has higher security requirements, longer password, and more frequent changes. But it belongs to the specific technician.

  2. When domain admin permissions are required, a form is submitted specifying the need and time required. Temporary credentials are issued with permissions limited to the particular requirements. These are then deleted once the task is completed.

There are situations where each of these may be appropriate. The easiest method though is to have two sets of credentials for technical staff and they are then each responsible for using them appropriately.

Also, creating shared credentials is a terrible, horrible, no-good, very bad idea. Making their password to never expire makes it even worse. I don't know what your background or experience is, but from the context of your question I'm guessing you're not in a position of authority in your organization, and you should really talk to those who are about the best way to go about balancing security and convenience.

music2myear
  • Hey thanks for the info but not sure you understand the question (could be my fault for not being concise enough). I'm not referring to sharing credentials for logging into the computer. I'm referring to adding a workstation to a windows network domain. When joining a domain you're asked for domain admin credentials. Most sources state entering administrator details. I don't think this is appropriate especially as administrator passwords should be changed regularly which would mean having to rejoin the network every time the admin password is changed. – PeteB Apr 27 '18 at 16:29
  • Then please edit the question to make it more clear. – music2myear Apr 27 '18 at 16:33
  • Ok, yea, that is not what I understood from your question at all. Please edit your question adding this information and I shall edit my answer to correct it. – music2myear Apr 27 '18 at 16:39

Commonly, the users who can add a machine to an Active Directory Domain are members of the Domain Admins Active Directory user group.

However, non-Domain Admins can add machines as well, if given the proper permission. Some companies might not want Help Desk technicians to have Domain Admin privileges, but do want them to be able to join machines to the domain. With the proper permissions, this can be accomplished. See this Microsoft article for more information.

Keltari
  • So (as advised in that article) delegate via AD Computer Object to a user (mine or an account specifically for the purpose for example) and use those credentials to join workstations to the domain? – PeteB Apr 27 '18 at 18:04
  • @PeteB Are you in charge of your domain? If so, just put yourself in the Domain Admins group, if you aren't there. That's all you need. Assigning permissions should only be done if necessary, as it complicates things. – Keltari Apr 27 '18 at 18:20
  • `However, non-Domain Admins can add machines as well, if given the proper permission` - By default, Authenticated Users can join up to 10 machines to an AD domain. Users do not need to be explicitly granted the right to do so. – joeqwerty Apr 27 '18 at 19:00
  • @Keltari - yes solely responsible. – PeteB Apr 27 '18 at 19:41
  • @PeteB then just put yourself in the Domain Admins group, then your account will be able to join domains. – Keltari Apr 27 '18 at 19:43
  • @joeqwerty - I read that too but I'm not sure I want other users to be able to and may lock it down. I don't think they'd even know how to but that's the sort of thing that keeps me awake at night sometimes! – PeteB Apr 27 '18 at 19:43
  • @PeteB there is a disconnect here. Other users can't add machines to the domain. Not unless they are domain admins (in which case they should be able to) or you implicitly gave them permission to do so. – Keltari Apr 27 '18 at 19:45
  • @joeqwerty I'm reading that in the article and scratching my head. Does that mean the default configuration of a Microsoft Domain is that any Authenticated User can add computers to a domain? I assume in most domains that is quickly changed to something else, and may be the default to allow initial configuration of the domain before different roles exist, while it is still being built. – music2myear Apr 27 '18 at 20:41
  • @music2myear, yes any authenticated user (by default) can add up to 10 computers to a domain. From one point of view - there's little harm, if set up properly joining a computer to a domain just subjects it to the whims and control of those in control of the domain; on the other hand, you don't necessarily want anybody adding stuff to the domain - even though you can control where and which policies the new computer is subject to. – Semicolon Apr 27 '18 at 20:59
  • It was just surprising at the outset. Thinking of it now I can see that it makes sense for this to be the default position, allowing quick setup of a new domain easily. Adding computers isn't as big an issue as removing them, and correct policy should be able to protect against malicious actors anyway. And there's likely the assumption that most domains would change this to Domain Admin only once they'd gotten things up and running. – music2myear Apr 27 '18 at 21:13