Question

StephanG asked (DonPickard-7259 commented)

Group policy management console - delegation for IT admins - best practice

Hi everyone,

Every article just has hints about how to cope with GPOs, but I need some input about the design of delegation rights.

Say I have an OU structure like this:

  • Domain Controllers
  • Servers
  • Servers - Exchange
  • Servers - SharePoint
  • Servers - Tier 1
  • Clients
  • Users
  • Admin Users

OK, I do not delegate the "Domain Controllers" OU.
But if I delegate "Servers - Tier 1" to two "Admin Accounts" and one of them gets hacked, are all my "Tier 1 servers" kind of lost?

So is there any other possibility to restrict (without 3rd party) or secure the GPO delegation?

Best regards
Stephan

Tags: windows-active-directory, windows-group-policy

DaisyZhou-MSFT answered

Hello @StephanG,

Thank you for posting here.

For delegation permissions for Group Policy, we can refer to the link below; it covers the following two delegation permissions as well as other delegation permissions.

  • To delegate permissions for a group or user on a Group Policy Object
  • To delegate permissions to link Group Policy Objects

Reference
Delegate Permissions for Group Policy
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789195(v=ws.11)


Q: But if I delegate "Servers - Tier 1" to two "Admin Accounts" and one of them gets hacked, are all my "Tier 1 servers" kind of lost?
It is not clear whether such a result will occur, but we need to prevent such a situation in advance, for example by increasing the complexity of the administrator's password or strengthening network security.

Q: So is there any other possibility to restrict (without 3rd party) or secure the GPO delegation?
Based on my experience, there is no other way to restrict (without 3rd party) or secure the GPO delegation.

Should you have any questions or concerns, please feel free to let us know.


Best Regards,
Daisy Zhou

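The two delegations named in the answer above (edit rights on a single GPO, and link rights on a single OU) can be granted and then read back from PowerShell. The script below is an added example, not code from the thread or from Microsoft's documentation. It assumes the GroupPolicy and ActiveDirectory RSAT modules in a domain admin session; the group name, GPO name and OU distinguished name are hypothetical placeholders. Link rights on an OU are write access to the OU's gPLink and gPOptions attributes (the well-known schema attribute GUIDs used below), which is what the GPMC delegation tab sets.

```powershell
# Added example (not from the thread): scope a delegated admin group to one GPO and one OU.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$AdminGroup = 'GPO-Admins-Tier1'                                     # hypothetical delegated group
$GpoName    = 'Tier1 Server Baseline'                                # hypothetical GPO
$TargetOu   = 'OU=Servers - Tier 1,OU=Servers,DC=corp,DC=example'    # placeholder OU DN

# 1. GPO-level delegation: the group may edit this one GPO, but not delete it or change
#    its ACL (GpoEditDeleteModifySecurity would let a compromised member widen access).
Set-GPPermission -Name $GpoName -TargetName $AdminGroup -TargetType Group `
    -PermissionLevel GpoEdit -Replace | Out-Null

# 2. OU-level delegation: the group may link/unlink GPOs on this OU only (no inheritance
#    to child OUs), by granting write on gPLink and gPOptions.
$gPLinkGuid    = [Guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'   # schema GUID of gPLink
$gPOptionsGuid = [Guid]'f30e3bbf-9ff0-11d1-b603-0000f80367c1'   # schema GUID of gPOptions
$sid            = (Get-ADGroup $AdminGroup).SID
$rights         = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$allow          = [System.Security.AccessControl.AccessControlType]::Allow
$thisObjectOnly = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

$acl = Get-Acl -Path "AD:\$TargetOu"
foreach ($attrGuid in $gPLinkGuid, $gPOptionsGuid) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList $sid, $rights, $allow, $attrGuid, $thisObjectOnly
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$TargetOu" -AclObject $acl

# 3. Read back what was granted, so the delegation can be reviewed or audited later.
Get-GPPermission -Name $GpoName -TargetName $AdminGroup -TargetType Group |
    Select-Object Trustee, Permission
(Get-Acl -Path "AD:\$TargetOu").Access |
    Where-Object { $_.IdentityReference -like "*\$AdminGroup" } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

Keeping the two grants separate matters: a group that can only edit a GPO cannot widen its scope by linking it elsewhere, and a group that can only link on one OU cannot change the settings of the GPOs it links. Granting both to the same group on the same OU is exactly the "one account compromised, whole OU affected" situation the question describes, so the audit step at the end is worth re-running after any change.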

StephanG answered (DonPickard-7259 commented)

Hi @DaisyZhou-MSFT,

Thanks for your answer. I just thought there was a best-practice approach and I didn't find it.
We already have the secure passwords & network security.

I will try to create more OUs so that every admin user could only affect a subset of clients/users in the first place.

Best regards
Stephan


DonPickard-7259 commented:

"I will try to create more OUs so that every admin user could only affect a subset of clients/users in the first place."

this actually is the best practice! :)
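Splitting OUs so each delegated admin reaches only a subset, as the reply and comment above propose, only helps if the actual reach of each delegated principal is known. The script below is an added example, not code from the thread: for a given group or user it lists every GPO that principal can edit, every OU or domain container the GPO is linked to, and how many computers and users sit beneath each link, which is the blast radius of that one account being compromised. It assumes the GroupPolicy and ActiveDirectory RSAT modules; the group name is a hypothetical placeholder.

```powershell
# Added example (not from the thread): report the blast radius of a delegated GPO principal.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoBlastRadius {
    param(
        [Parameter(Mandatory)] [string] $TrusteeName,            # group or user to assess
        [ValidateSet('Group', 'User')] [string] $TrusteeType = 'Group'
    )
    $editLevels = 'GpoEdit', 'GpoEditDeleteModifySecurity'
    $domainDn   = (Get-ADDomain).DistinguishedName

    foreach ($gpo in Get-GPO -All) {
        # Get-GPPermission errors when the trustee has no entry on the GPO; treat that as "no access".
        $perm = Get-GPPermission -Guid $gpo.Id -TargetName $TrusteeName -TargetType $TrusteeType `
                    -ErrorAction SilentlyContinue
        if (-not $perm -or $perm.Permission -notin $editLevels) { continue }

        # Every container that links this GPO carries its GUID inside its gPLink attribute.
        $guidToken = $gpo.Id.ToString('B').ToUpper()              # "{GUID}" as stored in gPLink
        $linked = Get-ADObject -LDAPFilter "(gPLink=*$guidToken*)" -SearchBase $domainDn -Properties gPLink

        foreach ($container in $linked) {
            $scope = $container.DistinguishedName
            [PSCustomObject]@{
                Trustee    = $TrusteeName
                Permission = $perm.Permission
                Gpo        = $gpo.DisplayName
                LinkedTo   = $scope
                Computers  = @(Get-ADComputer -Filter * -SearchBase $scope -SearchScope Subtree).Count
                Users      = @(Get-ADUser -Filter * -SearchBase $scope -SearchScope Subtree).Count
            }
        }
    }
}

# Usage: largest exposure first. 'GPO-Admins-Tier1' is a hypothetical delegated group.
Get-GpoBlastRadius -TrusteeName 'GPO-Admins-Tier1' |
    Sort-Object Computers -Descending |
    Format-Table -AutoSize
```

A GPO linked at a parent OU counts everything beneath it, so a "Tier 1" group whose GPO turns out to be linked at "Servers" rather than "Servers - Tier 1" shows up immediately with a far larger computer count than intended. The report covers edit rights on GPOs only; link rights granted directly on an OU's ACL are a separate path to the same systems and should be reviewed alongside it.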