Thursday, January 27, 2005

Securing Administrative Groups and Accounts in Active Directory Part 5

Moving Service Administrator Groups into the new OU

Move the following groups from their current location into the Users and Groups OU in your controlled subtree:
1. Domain Admins and any nested subgroups.
2. Enterprise Admins and nested subgroups.
3. Schema Admins and nested subgroups.
4. Any groups that are nested in the Domain Administrators, Server Operators, Backup Operators, or Account Operators groups.
5. Any group that has been delegated rights so that its members have Service Administrator rights.

The built-in groups Administrators, Server Operators, Account Operators, and Backup Operators cannot be moved from their default container to the subtree. However, built-in groups are protected by default in Windows Server 2003 by AdminSDHolder. If your organization has not yet created any nested subgroups or delegated service administration rights to any group, you only move Domain Admins, Enterprise Admins, and Schema Admins.

Tasks:
1. Log on as a member of the Domain Admins group, and open Active Directory Users and Computers.
2. In the console tree, click Users.
3. In the details pane, right-click Domain Admins, and click Move.
4. In the Move box, double-click Service Admins, click Users and Groups, and click OK.
5. Verify that the Domain Admins group is in the Users and Groups OU.
6. Repeat the procedure for all listed service administrator groups.

If you have nested groups under built-in groups such as Administrators, or other groups to which you previously assigned administrative privileges, their location might not be the Users container.
Moving Service Administrator User Accounts into the new OU

Move the following user accounts from their locations in the directory into the Users and Groups OU in your subtree:
1. All administrative user accounts that are members of the service administrator groups. This includes the renamed Domain Administrator account.
2. The decoy administrator account you created earlier.

Each service administrator should have two accounts: one for service administration duties and one for data administration and typical user access. Place the administrative user accounts in the Users and Groups OU in your controlled subtree. If these accounts exist elsewhere in the directory, move them into the subtree. The regular accounts for those administrators should not be placed in this controlled subtree. Regular user accounts remain in their original location (Users) or in an OU created by your organization.

Tasks:
1. Log on as a member of the Domain Admins group, and open Active Directory Users and Computers.
2. In the console tree, click Users.
3. In the details pane, right-click the name of the renamed administrator account, and then click Move.
4. In the Move box, double-click Service Admins, click Users and Groups, and click OK.
5. Verify that the account is now in the Users and Groups OU.
6. Repeat the procedure for all service administrator accounts listed above.

If you have previously created administrative accounts or other OUs, their location might not be the Users container.
Moving all the Administrative Workstation Accounts into the Admin Workstations OU

Move the computer accounts for workstations used by administrators into the Admin Workstations OU in the subtree.

WARNING!!!: Do not move domain controller accounts out of the default Domain Controllers OU. Moving DCs disrupts the application of domain controller policies to all domains.

Tasks:
1. Log on as a member of the Domain Admins group, and open Active Directory Users and Computers.
2. In the console tree, click Computers.
3. In the details pane, right-click the name of the workstation used by an administrator, and click Move.
4. In the Move box, double-click Service Admins, click Admin Workstations, and click OK.
5. Verify that the computer account is in the Admin Workstations OU.
6. Repeat this for all administrative workstations.
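The three move procedures above, scripted as an added example that is not part of the original post: it walks the service administrator groups and their nested groups, skips the built-in groups that cannot leave CN=Builtin, refuses to move any domain controller account, and verifies every object's new location by GUID. The OU paths, the ActiveDirectory module, the forest-root-domain context and the workstation names are assumptions.

```powershell
# Added example, not from the original post: moves the service administrator
# groups (plus any groups nested in them) into the Users and Groups OU of the
# Service Admins subtree, moves listed admin workstations into the Admin
# Workstations OU, refuses to move domain controllers, and verifies each move.
# Assumptions: the ActiveDirectory module is installed, this runs in the forest
# root domain as a Domain Admin, and the OU names match this series.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$groupOU  = "OU=Users and Groups,OU=Service Admins,$domainDN"
$wsOU     = "OU=Admin Workstations,OU=Service Admins,$domainDN"
$AdminWorkstations = @('ADMWS01', 'ADMWS02')   # constructed names; replace with yours

# Returns the group itself plus every group nested in it, at any depth.
function Get-NestedGroups([string]$Identity, [hashtable]$Seen = @{}) {
    $group = Get-ADGroup -Identity $Identity
    if ($Seen.ContainsKey($group.DistinguishedName)) { return }
    $Seen[$group.DistinguishedName] = $true
    $group
    Get-ADGroupMember -Identity $group |
        Where-Object { $_.objectClass -eq 'group' } |
        ForEach-Object { Get-NestedGroups -Identity $_.DistinguishedName -Seen $Seen }
}

# Moves one object by GUID and re-reads it by GUID (its DN changes on move).
function Move-AndVerify($Object, [string]$TargetOU) {
    if ($Object.DistinguishedName -like "*,$TargetOU") { return }   # already there
    Move-ADObject -Identity $Object.ObjectGUID -TargetPath $TargetOU
    $after = Get-ADObject -Identity $Object.ObjectGUID
    if ($after.DistinguishedName -notlike "*,$TargetOU") {
        throw "Move of $($Object.Name) failed; it is at $($after.DistinguishedName)"
    }
    Write-Output "Moved $($Object.Name) -> $($after.DistinguishedName)"
}

# Built-in groups (Administrators, Server Operators, ...) cannot leave CN=Builtin,
# so they are skipped rather than failed on; AdminSDHolder still protects them.
'Domain Admins', 'Enterprise Admins', 'Schema Admins' |
    ForEach-Object { Get-NestedGroups -Identity $_ } |
    Where-Object { $_.DistinguishedName -notlike "*,CN=Builtin,$domainDN" } |
    ForEach-Object { Move-AndVerify -Object $_ -TargetOU $groupOU }

# Domain controllers have primary group RID 516 (RODCs 521); never move them.
foreach ($name in $AdminWorkstations) {
    $pc = Get-ADComputer -Identity $name -Properties PrimaryGroupID
    if ($pc.PrimaryGroupID -in 516, 521) { throw "$name is a domain controller; not moving it" }
    Move-AndVerify -Object $pc -TargetOU $wsOU
}
```

Run it once with -WhatIf added to the two Move-ADObject calls to preview the moves before committing them.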
End of Part 5.
