Restricting Desktop Administrators

Assigning appropriate permissions for a task always depends on the need. Most organizations implement these changes when required, rather than designing them during domain creation. As an AD engineer, you should always understand the forest structure, the number of domains, and the operating systems on which the domain controllers are configured.

Most requirements come after the domain is set up, such as providing certain access to users, groups, OUs, etc. One of the common configurations I have seen is Desktop Administrators configured as Domain Administrators, which is NOT a recommended practice. This small step creates major problems when desktop administrators try to manipulate data.

Make sure you do not change the default behavior of “Deny logon locally” and Remote Desktop Users on Domain Controllers; changing it would allow desktop administrators to take control of a DC.
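To check whether a domain already has the misconfiguration described above, the following added example (not from the original post) reports every desktop administrator who also holds domain-level privileges, directly or through nested groups. It assumes the ActiveDirectory RSAT module is installed and that desktop support staff are in a group named `Desktop Administrators`, which is a hypothetical name to replace with your own.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Assumption: desktop support staff are members of a group
# called 'Desktop Administrators' (hypothetical name; pass your own).
param(
    [string]$DesktopAdminGroup = 'Desktop Administrators',
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins',
                                    'Schema Admins', 'Administrators')
)

Import-Module ActiveDirectory -ErrorAction Stop

# -Recursive flattens nested groups, so indirect membership is included.
$desktopAdmins = Get-ADGroupMember -Identity $DesktopAdminGroup -Recursive -ErrorAction Stop |
    Where-Object objectClass -eq 'user'

# Index desktop admins by SID for a fast, rename-proof comparison.
$bySid = @{}
foreach ($u in $desktopAdmins) { $bySid[$u.SID.Value] = $u }

$findings = foreach ($group in $PrivilegedGroups) {
    try {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
    } catch {
        # Enterprise Admins / Schema Admins exist only in the forest root domain.
        Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        if ($bySid.ContainsKey($m.SID.Value)) {
            [pscustomobject]@{
                SamAccountName    = $m.SamAccountName
                PrivilegedGroup   = $group
                DistinguishedName = $m.distinguishedName
            }
        }
    }
}

if ($findings) {
    Write-Warning "Desktop administrators holding domain-level privileges:"
    $findings | Sort-Object SamAccountName, PrivilegedGroup | Format-Table -AutoSize
    exit 1   # non-zero exit so a scheduled audit job can alert
} else {
    Write-Output "No member of '$DesktopAdminGroup' is in a privileged domain group."
}
```

Any account it lists should be removed from the privileged group and given only the delegated rights the desktop role needs.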


