Implementing Least Privilege with AD

A recent audit pointed out that we have too many people in our Active Directory (AD) Domain Admins group, but most of the members (who perform account maintenance, virus updates, and so forth) insist that they need this level of authority. What actions specifically require membership in the Domain Admins group?

In AD, each domain has a Domain Admins group and an Administrators group; Domain Admins is a member of Administrators. (Don't confuse the AD Administrators group with the local Administrator's group on each member server and workstation.) In default permissions and rights assignments, Windows 2000 always grants authority to the AD Administrators group. You should view Domain Admins and Administrators as essentially the same thing because members of Administrators can add themselves to Domain Admins. For simplicity's sake, I refer to the AD Administrators group throughout the rest of my answer.

Limiting membership in AD Administrators is important because members can cause extreme damage through maliciousness or through innocent mistakes. The concept of limiting access to those who require it is called least privilege and is important for the sake of security as well as stability. Few tasks require a user to be a member of AD Administrators.

Granted, the default permissions on domains, sites, and so forth, as well as Win2K's default rights assignments, do limit many actions to Administrators (or to Domain Admins). However, if you're willing to figure out exactly which permissions and rights are necessary for a given task, you can assign granular authority to perform that task.

None of the tasks in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in requires AD Administrator membership. Standard rights and permissions govern all the tasks within this snap-in, so you can use the Delegation of Control Wizard to assign such tasks to nonadministrators. Maintaining sites and subnets, forcing replication, and other tasks in the MMC Active Directory Sites and Services snap-in also use standard rights and permissions; you can also delegate such chores to nonadministrators.

Most of the tasks in the MMC Active Directory Domains and Trusts snap-in, including creating trust relationships and converting a domain to native AD mode, do require AD Administrator authority. You also need AD Administrator authority to run Dcpromo to create a new domain or domain controller (DC).

Outside of AD, a few tasks (e.g., adding or removing windows components, adding or removing hardware, configuring network connections, configuring application response settings in the Control Panel System applet) require AD Administrator authority to be performed on a DC. However, members of the Server Operators group or users with the proper individual user rights can perform most tasks (e.g., sharing folders, changing the system time, installing device drivers).

Implementing least privilege is important, but it can be frustrating. At times, you might have trouble figuring out which permission or right a user needs to perform a simple task. Auditing often can reveal the necessary rights and permissions. Enable auditing of failures for Audit privilege use, Audit object access, and Audit directory service access through the MMC Domain Controller Security Policy snap-in. Then, log on as a nonadministrator and try to perform the task. After your attempt fails, check the Security log for failed events that identify which right you lacked or which object you weren't able to access.

If this technique fails to shed light on the situation, reverse your audit policy to record all successful events. Log on as an administrator and perform the action. Then, trace the objects accessed and rights used, and give the user identical access.

Poorly written applications that require higher authority than should be necessary also increase the difficulty of following least privilege. For example, the MMC Group Policy Editor snap-in should be able to display a Group Policy Object (GPO) in read-only mode—an ability that would benefit administrators who want to safely view a GPO and information security—compliance staff and auditors who need to assess security controls without having the authority to change them. Unfortunately, the snap-in won't let you open a GPO for which you have only Read access.

Also, application developers frequently fail to document exactly what level of authority the application requires and simply state that they'll support only clients that grant the application full Administrator authority. The only solution is to tell Microsoft and other developers that least privilege is important to you.