I'm curious about the practices people follow for workstation, desktop, and laptop Active Directory (AD) administrator usage. Specifically, I'm looking for alternatives to using domain admin accounts for tasks like installing software and local changes. To clarify, I'm not referring to the primary Domain Administrator account, but rather a user account that has domain admin privileges.
Currently, our IT team maintains two AD accounts: one for everyday tasks and another for server and workstation administration. However, security experts now suggest that allowing domain admin accounts to log into workstations for software installations could expose cached information, making them targets for malicious activities.
We've implemented LAPS, but it's not always syncing properly on laptops, which complicates access to our software repository. We also have our local Administrator account disabled, and to maintain auditing clarity, we avoid shared domain accounts. I had read about a built-in AD workstation account that might serve as a template for permissions, but I can't find that information anymore.
I'm leaning towards creating a third AD account specifically for workstation usage, with limited access restricted to the workstation Organizational Unit (OU). I'd love to hear what setups others have in place and any tips from your experiences!
5 Answers
Ideally, you should have a few different accounts for different levels of admin access. This could mean having a standard account for daily tasks and separate credentials for workstation and domain administration to minimize risk. Yes, it might feel like a hassle, but it really does help in the long run!
Totally! It feels like a lot of work, but dealing with breaches afterward is way worse.
I recommend checking out access control models. You want to keep your highest privilege accounts off regular workstations to avoid risks. It's also essential to maintain separate accounts for admins to reduce the chance of privilege escalation. The Microsoft guidelines on tiered access models might be worth a read!
Thanks for the links! I'll dive into those guidelines; they seem really helpful.
Yeah, understanding those models can really help with setting up permissions effectively.
In our setup, we use separate accounts for different tasks. Our IT team has a daily account like [email protected] for regular use and a separate local admin account named [email protected] for workstation tasks. It helps us keep things secure and organized.
That's cool! So does that mean your separate admin account has access to both workstations and servers?
Yeah, that's how we operate too! We're considering adding something similar for additional security.
In our environment, we rely on a high-privilege security group that grants local admin access to workstations and servers through Group Policy. This way, we limit what our admin accounts can do and prevent them from changing critical things in the domain. It keeps our environment safer without complicating access too much.
Nice approach! Sounds much safer, and keeping admin accounts limited definitely reduces risks.
Right! That's a great way to ensure that if an account gets compromised, it won't lead to a total disaster.
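One way to set up the "third account" from the question together with the Group Policy-fed local admin group described in the answer above, written as an added PowerShell example for this thread (not code posted by any of the participants). It assumes the ActiveDirectory module, an "Admin Accounts" and a "Workstations" OU (constructed names), and rights to create users and groups.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module,
# the two OUs named below (constructed; adjust to your domain) and sufficient rights.
Import-Module ActiveDirectory

$Domain         = (Get-ADDomain).DistinguishedName
$WorkstationOU  = "OU=Workstations,$Domain"        # assumption: where workstation objects live
$AdminAccountOU = "OU=Admin Accounts,$Domain"      # assumption: where admin accounts live
$Tier2Group     = "Tier2-Workstation-Admins"       # constructed group name

# 1. A dedicated group that a GPO linked to $WorkstationOU pushes into the local
#    Administrators group of workstations only (see the manual GPO step at the end).
if (-not (Get-ADGroup -Filter "Name -eq '$Tier2Group'")) {
    New-ADGroup -Name $Tier2Group -GroupScope Global -GroupCategory Security `
        -Path $AdminAccountOU -Description "Local admin on workstations only"
}

# 2. The workstation-only account: one per admin, never a Domain Admin.
function New-WorkstationAdminAccount {
    param([Parameter(Mandatory)][string]$BaseSam)   # e.g. 'jdoe' -> 'jdoe-wsadm'
    $Sam = "$BaseSam-wsadm"
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$Sam'")) {
        New-ADUser -Name $Sam -SamAccountName $Sam -Path $AdminAccountOU `
            -AccountPassword (Read-Host -AsSecureString "Initial password for $Sam") `
            -Enabled $true -ChangePasswordAtLogon $true
        # A compromised workstation must not be able to forward this account's credentials.
        Set-ADAccountControl -Identity $Sam -AccountNotDelegated $true
    }
    Add-ADGroupMember -Identity $Tier2Group -Members $Sam
}

# 3. Tier check: any account that is both a workstation admin and a Domain Admin
#    defeats the purpose of the separate account. Returns the offending names.
function Test-TierSeparation {
    $da = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object -ExpandProperty SamAccountName
    $ws = Get-ADGroupMember -Identity $Tier2Group -Recursive   | Select-Object -ExpandProperty SamAccountName
    $overlap = @($ws | Where-Object { $da -contains $_ })
    if ($overlap.Count -gt 0) { Write-Warning "Accounts in both tiers: $($overlap -join ', ')" }
    return $overlap
}

# Manual GPO step (not scriptable with the AD module): link a GPO to $WorkstationOU with
#  - Restricted Groups: Tier2-Workstation-Admins -> "This group is a member of" Administrators
#  - User Rights Assignment: "Deny log on locally" and "Deny log on through Remote Desktop
#    Services" for Domain Admins, so their credentials are never cached on a workstation.
```

Run `Test-TierSeparation` on a schedule; a non-empty result means someone has been added to both tiers and the workstation account is no longer the limited one it was meant to be.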
We've set up a system where accounts have different permissions based on their roles. Our workstation admins can only access workstations, while server admins are kept to servers. It allows us to manage everything better and prevents unnecessary risks.
Such a layered approach does sound smart! Do you find managing those accounts easier with a system like LAPS?
It certainly sounds like a better way to reduce exposure! I might have to rethink our strategy.

Agreed, segregating duties is key! Keeps everything clear and secure.