Active Directory: Permission Delegation
Preface: Our organization is growing day by day, AD security is becoming stricter, and monitoring and auditing are performed frequently. The AD infrastructure was built almost 13 years ago. It was initially built on Windows Server 2003, has been migrated several times since, and all DCs are now Windows Server 2019 (the Domain and Forest Functional Level is Windows Server 2008 R2).

Goals: Delegate to the IT Helpdesk ID (a member of G_ITHelpdesk) the permissions needed for AD account unlock, password reset, and domain joining.

Observation & Actions:

1. The IT Helpdesk team uses a Domain Admin ID for its day-to-day jobs (AD account unlocks, password resets, domain joining). This is a clear security violation. Before revoking the Domain Admin permission, we need to create a dedicated Helpdesk ID (i.e. ITHelpdesk). I prefer to delegate the AD job permissions to a group (i.e. G_ITHelpdesk), with ITHelpdesk as a member of that group.

2. “Users” and “Computers” OU for each depa
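The following is an added example, not code from the original post. It performs the delegation described in the goals (unlock, password reset, domain join for G_ITHelpdesk) with the ActiveDirectory PowerShell module, scoped to one department's "Users" and "Computers" OUs rather than the domain root. The OU distinguished names and the domain corp.example are assumed placeholders; the attribute, class and extended-right GUIDs are looked up from the schema and configuration partitions at run time instead of being hard-coded. Run it once from a session that still has Domain Admin rights, then remove the helpdesk ID from Domain Admins.

```powershell
# Added example (not from the original post): delegate unlock, password reset and
# domain-join rights to G_ITHelpdesk on one department's OUs.
# Assumed placeholders: the two OU paths and the domain corp.example.
Import-Module ActiveDirectory

$Group       = 'G_ITHelpdesk'                                 # group named in the post
$UsersOU     = 'OU=Users,OU=Finance,DC=corp,DC=example'       # assumed path
$ComputersOU = 'OU=Computers,OU=Finance,DC=corp,DC=example'   # assumed path

$rootDse  = Get-ADRootDSE
$groupSid = (Get-ADGroup -Identity $Group).SID

# Resolve attribute/class GUIDs from the schema partition and extended-right
# GUIDs from the configuration partition, so nothing is hard-coded.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
         -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    New-Object Guid (,[byte[]]$o.schemaIDGUID)
}
function Get-RightsGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
         -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$userClass     = Get-SchemaGuid 'user'
$computerClass = Get-SchemaGuid 'computer'
$lockoutTime   = Get-SchemaGuid 'lockoutTime'
$pwdLastSet    = Get-SchemaGuid 'pwdLastSet'
$resetPassword = Get-RightsGuid 'Reset Password'
$acctRestrict  = Get-RightsGuid 'Account Restrictions'     # property set
$validatedDns  = Get-RightsGuid 'Validated write to DNS host name'
$validatedSpn  = Get-RightsGuid 'Validated write to service principal name'

# Append one object-specific Allow ACE for the group to the OU's DACL.
function Add-DelegationAce {
    param(
        [string]$Path,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$ObjectType,            # attribute, property set, right or class the ACE covers
        [guid]$InheritedObjectType,   # object class the ACE is inherited by (Empty = all)
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'Descendents'
    )
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $groupSid, $Rights, 'Allow', $ObjectType, $Inheritance, $InheritedObjectType
    $acl = Get-Acl -Path "AD:\$Path"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Path" -AclObject $acl
}

# Users OU: unlock (write lockoutTime), reset password, and write pwdLastSet so
# "user must change password at next logon" can be set after a reset.
Add-DelegationAce $UsersOU 'ReadProperty, WriteProperty' $lockoutTime   $userClass
Add-DelegationAce $UsersOU 'ExtendedRight'               $resetPassword $userClass
Add-DelegationAce $UsersOU 'ReadProperty, WriteProperty' $pwdLastSet    $userClass

# Computers OU: create/delete computer objects in the OU and its sub-OUs ...
Add-DelegationAce $ComputersOU 'CreateChild, DeleteChild' $computerClass ([guid]::Empty) 'All'
# ... plus the rights a joining client needs on the computer object itself.
Add-DelegationAce $ComputersOU 'ExtendedRight'               $resetPassword $computerClass
Add-DelegationAce $ComputersOU 'ReadProperty, WriteProperty' $acctRestrict  $computerClass
Add-DelegationAce $ComputersOU 'Self'                        $validatedDns  $computerClass
Add-DelegationAce $ComputersOU 'Self'                        $validatedSpn  $computerClass

# Check: list the explicit (non-inherited) ACEs the group now holds on each OU.
function Get-DelegatedAces([string]$Path) {
    (Get-Acl -Path "AD:\$Path").Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "*\$Group" } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                      InheritedObjectType, InheritanceType
}
Get-DelegatedAces $UsersOU
Get-DelegatedAces $ComputersOU
```

Two caveats worth checking after running this. First, keep the delegation on the department OUs: accounts that are members of protected groups (Domain Admins and the like) have their ACLs overwritten from AdminSDHolder by SDProp, so the helpdesk still cannot reset those passwords, which is the boundary you want; delegating at the domain root would widen the scope to every OU including Domain Controllers. Second, once domain joining is delegated to a group, the default ms-DS-MachineAccountQuota of 10 still lets any authenticated user join ten machines, so set it to 0 on the domain object so that only the delegated group (and admins) can create computer accounts.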