Can I lock All Domain Admin Roles using Active Roles

Is it possible to completely lock out all Domain Admin roles using Active Roles? We need to lock our AD so that no one can connect or access the AD other than via QAR. 

  • You shouldn't block native DA permissions but you definitely should control access to the DA group.  Have you seen the Just In Time Privilege Elevation integration with Safeguard?  This will allow admins to have accounts that can be DAs but aren't in the group until needed.  They would just check out their account, then the integration uses a combination of a virtual attribute and a dynamic group to make sure they get the right access.  When they're done they check their priv account back in and group membership is stripped, password is changed, and the account is disabled when not in use.    Here's a video link of the process.  

    https://youtu.be/3U4S7inJvs0?si=4MEYCy2Z9JyU_Zwe
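The reply above hinges on privileged accounts having no standing Domain Admins membership outside a check-out window. The following audit is an added example, not part of the original thread or of the Safeguard integration it describes: it flattens the nested membership of Domain Admins and BUILTIN\Administrators with the LDAP_MATCHING_RULE_IN_CHAIN filter, flags any enabled member that is not on an approved standing list, and then lists accounts that still carry adminCount=1 from a past membership. It assumes the RSAT ActiveDirectory module on a domain-joined host; the $ApprovedStanding list is a hypothetical placeholder for your own break-glass accounts.

```powershell
# Added example (not from the original thread): audit standing membership of the
# domain's most privileged groups against a "bare minimum" allow-list.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

# Hypothetical placeholder: the only accounts allowed to sit in these groups
# permanently (break-glass). Everything else should be checked out just in time.
$ApprovedStanding = @('breakglass-da')

$domainSid = (Get-ADDomain).DomainSID.Value
$groups = @(
    (Get-ADGroup -Identity "$domainSid-512"),   # Domain Admins (well-known RID 512)
    (Get-ADGroup -Identity 'S-1-5-32-544')      # BUILTIN\Administrators
)

$findings = foreach ($g in $groups) {
    # The 1.2.840.113556.1.4.1941 matching rule walks nested groups on the DC,
    # so a user hidden two levels down still appears, and only user objects return.
    $filter = "(memberOf:1.2.840.113556.1.4.1941:=$($g.DistinguishedName))"
    foreach ($u in Get-ADUser -LDAPFilter $filter -Properties Enabled, PasswordLastSet, LastLogonDate) {
        $approved = $ApprovedStanding -contains $u.SamAccountName
        [pscustomobject]@{
            Group           = $g.Name
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            PasswordLastSet = $u.PasswordLastSet
            LastLogonDate   = $u.LastLogonDate
            Approved        = $approved
            # An enabled, unapproved account with standing membership is exactly
            # what the check-out / check-in model is meant to eliminate.
            Flag            = (-not $approved) -and $u.Enabled
        }
    }
}

$findings | Sort-Object Flag -Descending | Format-Table -AutoSize

# Accounts removed from a protected group keep adminCount=1 and the
# AdminSDHolder-stamped ACL until someone cleans them up; list those that are
# no longer in either group so they can be reviewed as well.
$currentPrivileged = @($findings | ForEach-Object { $_.SamAccountName } | Select-Object -Unique)
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { $currentPrivileged -notcontains $_.SamAccountName } |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize
```

Run it from a workstation with the AD module as an account that can read group membership; it changes nothing. Rows with Flag = True are candidates for moving into the checked-out model described above, and the second table is the usual source of "why does this account still have a non-inheriting ACL" surprises.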

  • You need a "two pronged" approach here.

    1) Yes, completely agree with   that you want to control membership of the Domain Admins group per se - including starting by reducing that to a bare minimum and further controlling it using an approach like that suggested by Dan.

    2) From an overall architecture point of view, you want to get to a place where day to day use of native DA rights is only a last resort and that users are delegated the rights they need to perform 99% of tasks only through Active Roles.

    Item 2) may take some design time to really understand what I describe as "who needs to be able to do what to whom"  - who needs to perform what tasks on what AD objects (users, groups, computers) and even more than that, which objects - that is, for example, you will likely have certain "sensitive" groups that you only want a specific subset of people to have access to.

    The simplest way to "partition" delegated rights is at the OU level - you can do it other ways, but that tends to be the easiest to deploy and understand.  So you need to look at your OU structure and see how well it currently meshes with your delegation needs - you may end up having to create more OUs to allow you to partition off objects that you only want specific people to manage.  In general, in the world of Active Roles this process is called designing your "Trusted Security Model".
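To start the "who needs to be able to do what to whom" exercise described in item 2) and the OU partitioning above, it helps to see how the current OU tree is populated and where native delegation already exists on it. The script below is an added example, not part of the original thread or of Active Roles itself: for every OU it counts users, groups and computers under it, and lists the explicit (non-inherited) ACEs granted to principals other than the default ones, which is the native delegation that would need to be re-expressed through Active Roles. It assumes the RSAT ActiveDirectory module and its AD: PSDrive; the $IgnorePrincipals pattern is a hypothetical placeholder that you would tune to your own domain.

```powershell
# Added example (not from the original thread): inventory the OU tree as input to
# an Active Roles delegation design. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Hypothetical placeholder: principals whose ACEs appear on every OU by default
# and therefore say nothing about deliberate delegation.
$IgnorePrincipals = '^(NT AUTHORITY\\|BUILTIN\\|[^\\]+\\(Domain Admins|Enterprise Admins|Domain Controllers|Cert Publishers)$)'

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchScope Subtree) {
    $dn = $ou.DistinguishedName

    # Object counts per class (including child OUs) show which OUs mix object
    # types that different teams will need to manage separately.
    $users     = @(Get-ADUser     -Filter * -SearchBase $dn -SearchScope Subtree).Count
    $groups    = @(Get-ADGroup    -Filter * -SearchBase $dn -SearchScope Subtree).Count
    $computers = @(Get-ADComputer -Filter * -SearchBase $dn -SearchScope Subtree).Count

    # Explicit ACEs set on this OU, read through the AD: drive the module provides.
    $acl = Get-Acl -Path "AD:\$dn"
    $delegated = $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -notmatch $IgnorePrincipals } |
        ForEach-Object { '{0}:{1}' -f $_.IdentityReference.Value, $_.ActiveDirectoryRights } |
        Sort-Object -Unique

    [pscustomobject]@{
        OU        = $dn
        Users     = $users
        Groups    = $groups
        Computers = $computers
        # Non-default explicit grants: native delegation to fold into the
        # Active Roles model or remove once Access Templates replace it.
        Delegated = ($delegated -join '; ')
    }
}

$report | Sort-Object OU | Format-Table -AutoSize -Wrap
```

The report is read-only. OUs with a non-empty Delegated column are the ones where someone already holds native rights, so they are the first places to decide whether that access moves into an Active Roles Access Template on the OU (or on a new, narrower OU carved out for the sensitive objects) before the native ACE is removed.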