Restricted AD Groups for Local Admins


Create a domain security group that manages local administrators.  This process allows domain users (i.e., non-domain administrators) to administer computers. 


System Administrators log onto workstations and servers with their domain admin account.  Casual use of domain administrator accounts put the entire organization at risk of compromise from malware, keyloggers, and hash attacks.

Additionally, attackers may compromise services or scheduled tasks run with local system privileges.  This can provide a foothold that compromises the system. 


Prevents network administrators from using their Domain Admin accounts for general purposes.  Implement a general purpose administrative account.


Implement GPO restricted groups provide administrator (i.e., non-domain admin) to manage computers. Steps:

  1. Create new security group in AD.  This group will be used to manage computers.  Add domain users to this group as needed.
  2. Create Restricted Group GPO.

    Computer Configuration\Policies \Windows Settings\Security Settings\Restricted Groups\

  3. Right click on Restricted Groups.  Left click on Add Group. 
  • Members of this group (i.e., domain group):  New AD security group created in Step 1.
  •  The Group is a member of (i.e., local group):  This is the local security group for each workstation (e.g., Administrators).
      4.  Assign new GPO to AD OU.  Wait for change to propagate.
  No more unnecessary use of domain admin accounts.  That's It!



Post a Comment

My Instagram