I'm looking for advice on how to restrict helpdesk users from modifying their own Active Directory (AD) accounts and group memberships without interfering with their other permissions. Specifically, I want to block them from: 1. Changing their own AD account details, 2. Adding themselves or others back to the support group, and 3. Altering any group memberships. However, I want to ensure they can still perform necessary tasks like password resets and account unlocks. Has anyone successfully implemented such restrictions before?
13 Answers
Ensure you have a company policy guiding user management and access. Reinforce it, and if an employee disregards it a second time, termination may need to be on the table. Technical fixes can complicate the issue but won’t necessarily stop unauthorized changes.
It seems like they might have been given domain admin rights when they really only need a restricted role. You should reassess their permissions.
Sometimes a firm approach is needed. If you make examples out of a few, it may deter others. Just ensure it's a management issue and not overloading tech solutions.
Agreed, but remember, the principle of least privilege needs to apply here. Management shouldn’t shoulder this entirely.
Your title made me laugh! It's spot on.
Haha, I can't take credit for that — I think AI had a hand in it!
You might want to consider moving their accounts to a different OU with read-only access.
Using a tool like Adaxes can streamline the management of helpdesk tasks. It gives you granular control over what different accounts can see and modify, preventing them from making changes to their own accounts, and maintains logs of actions taken.
Our helpdesk uses Adaxes exclusively, and it ensures that they can make necessary changes without any admin access to the domain, which keeps things secure and monitored.
The simplest, and perhaps most effective, solution is to make this a company policy. At my workplace, any changes to one's own account or accessing personal access logs is grounds for termination. If you have a legitimate reason, you should submit a ticket like everyone else and let a colleague handle it.
That’s interesting! Why wouldn’t they be allowed to see their logs?
This is pretty standard in our industry too. Yes, you can access and edit your records, but if you do it without a valid reason, you’ll face disciplinary action.
A good approach is to create special accounts just for helpdesk members. These accounts should be restricted to certain Organizational Units (OUs). Keep their normal accounts separate for email and other tasks. Place sensitive groups in another OU and remove helpdesk access. And definitely enable auditing to keep track of any changes made.
That’s true, but remember, if they can access their normal accounts, they might still be able to modify those. If you can’t trust them not to exploit this, then maybe they shouldn’t be on the helpdesk to begin with.
Thanks for the tip, I’ll give this a shot!
The best way to manage helpdesk users is to implement a tiered account system. They should have one account for regular use and another with limited privileges for AD tasks. This second account should have very restricted rights, specifically allowing no modifications to their own accounts or any privileged accounts. Organize your OUs to secure sensitive accounts and explicitly deny modifications to their personal accounts when using their admin access.
Appreciate the guidance! I’ll look further into this.
This strategy sounds solid!
Consider delegating rights for a specific helpdesk group on user OUs and removing their domain admin rights. The ideal situation would involve creating dedicated accounts for AD access that have precisely defined permissions.
Implement a tiered account system. Those who need permissions to modify objects in AD should have a separate privileged account, with access restricted to necessary changes only. Place these accounts in a secure OU where helpdesk users won't have any elevated permissions. Changes will need to be performed by a higher-level account, like a Domain Admin.
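The tiered-account and OU-delegation approach described in the last few answers, written out as PowerShell against the ActiveDirectory module. This is an added example, not code posted by anyone in the thread; the domain (`contoso.local`), OU paths and the `Helpdesk-Tier1` group name are placeholders you would replace with your own. It grants the helpdesk group only Reset Password and account-unlock (write to `lockoutTime`) on user objects in the regular Users OU, explicitly denies it writes to `member` on groups in a protected-groups OU (so nobody adds themselves back to the support group), denies it any write on the tier OU that holds the helpdesk admin accounts themselves, and adds a SACL entry so membership changes on the protected groups are audited.

```powershell
# Added example (not from the thread). All names below are placeholders.
# Run as an account that can modify ACLs (and SACLs) on the target OUs.
Import-Module ActiveDirectory

$Domain        = 'DC=contoso,DC=local'
$UsersOU       = "OU=Users,OU=Corp,$Domain"             # regular user accounts
$TierOU        = "OU=Tier1-Admins,OU=Admin,$Domain"     # helpdesk *admin* accounts
$GroupsOU      = "OU=Privileged-Groups,OU=Admin,$Domain" # support / admin groups
$HelpdeskGroup = 'Helpdesk-Tier1'

$sid      = (Get-ADGroup -Identity $HelpdeskGroup).SID
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

# Fixed AD schema / extended-right GUIDs
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$LockoutTimeAttr    = [guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'
$MemberAttr         = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$GroupClass         = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'

# Short aliases for the .NET enums used below
$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$Deny        = [System.Security.AccessControl.AccessControlType]::Deny
$Descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$Ext         = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$WriteProp   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Add-AdAce {
    param([string]$Path, [System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    $acl = Get-Acl -Path "AD:\$Path"
    $acl.AddAccessRule($Rule)
    Set-Acl -Path "AD:\$Path" -AclObject $acl
}

# 1. Allow: Reset Password on user objects under the Users OU
Add-AdAce $UsersOU (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $Ext, $Allow, $ResetPasswordRight, $Descendents, $UserClass))

# 2. Allow: write lockoutTime (account unlock) on user objects under the Users OU
Add-AdAce $UsersOU (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $WriteProp, $Allow, $LockoutTimeAttr, $Descendents, $UserClass))

# 3. Deny: write 'member' on any group in the protected-groups OU
Add-AdAce $GroupsOU (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $WriteProp, $Deny, $MemberAttr, $Descendents, $GroupClass))

# 4. Deny: any property write on the helpdesk admin accounts themselves
Add-AdAce $TierOU (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $WriteProp, $Deny, $Descendents, $UserClass))

# 5. Audit: log every write to 'member' on groups in the protected-groups OU.
#    Takes effect once "Audit Directory Service Changes" is enabled on the DCs;
#    changes then surface as event ID 5136 in the Security log.
$sacl = Get-Acl -Path "AD:\$GroupsOU" -Audit
$sacl.AddAuditRule((New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone, $WriteProp, [System.Security.AccessControl.AuditFlags]'Success,Failure',
    $MemberAttr, $Descendents, $GroupClass)))
Set-Acl -Path "AD:\$GroupsOU" -AclObject $sacl

# Verify what the helpdesk group now holds on each OU
foreach ($ou in $UsersOU, $TierOU, $GroupsOU) {
    (Get-Acl -Path "AD:\$ou").Access |
        Where-Object { $_.IdentityReference -like "*\$HelpdeskGroup" } |
        Select-Object @{n='OU';e={$ou}}, AccessControlType, ActiveDirectoryRights, ObjectType
}
```

The explicit Deny entries in steps 3 and 4 win over any Allow the group might pick up elsewhere through inheritance or nested membership, which is what makes the "separate admin account in a locked-down OU" model hold up: the helpdesk can reset and unlock in the Users OU, but cannot touch its own accounts or the group that grants it that delegation. Test the result with a helpdesk admin account (`Set-ADAccountPassword`, `Unlock-ADAccount`, then an `Add-ADGroupMember` against the support group, which should fail) before rolling it out.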
Look at using Restricted Groups through Group Policy to enforce this.

Just leave a stick near them and watch the fun unfold! Not a fix, but definitely entertaining.