Ask the Expert

Preventing domain admins from logging onto domain controllers

How can I prevent certain users who are domain administrators from logging onto domain controllers?
That depends on the kind of user they are. If they are a member of a group that grants them rights on domain controllers (for example, Domain Admins) there really isn't a way to do that. If your domain is small enough, you could specify the list of computers they are allowed to login to, excluding the domain controllers, but I think this would rapidly become unmanageable (every time you add a computer, potentially you need to update the list of computers they can login to) as well as being rendered ineffective if the users in question are domain admins (they can always come in behind you and undo it).

Now, assuming that this is not a domain admin, the ability to logon to a domain controller is defined in the Default Domain Controllers Group Policy. You can view this by right clicking on the Domain Controllers OU in Active Directory Users and Computers and selecting "Properties". Click on the "Group Policy" tab, select the policy and click "Edit". Navigate using the Group Policy Object Editor to the following branch:

Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment

In the right hand window, look for either "Log on locally" or "Allow Logon Locally" (it differs depending on which version of Windows you are using). Double click on the policy and add/remove users from that list accordingly and check the box next to "Define these policy settings:" to define who will be allowed to logon locally. By default, the following accounts/groups can logon locally to domain controllers:

  1. Account Operators
  2. Administrators
  3. Backup Operators
  4. Print Operators
  5. Server Operators
  6. Corresponding Internet Users (IUSR_)

As always, rather than directly editing the Default Domain Controllers Group Policy, you should create a new group policy object with the settings you want. Also, be advised that changing the default settings can cause unexpected and potentially damaging results to your systems.

View questions and answers from all of our Windows security experts here.


Reader Feedback:

I'm curious. How come you didn't tell the admin you were advising that its better not to make a person a domain admin, rather it is better to use the "Delegation of Authority" feature to give that user the abilities they need rather than give them the keys to the safe and make them a domain admin?I was first introduced to this feature at http://mcpmag.com/columns/article.asp?editorialsid=1198#post and have given my user the ability to do several tasks including working in ADU&C, (creating, adding, removing users and computers to the domain) all without being a domain admin. I can run most of the needed tools from adminpak.msi on my local XP client with my normal user, and don't need to be a full fledged domain admin.

Wes's response:

This is actually a very good point. At the time, I was answering the question that was asked, and frankly I didn't think about alternative approaches. My response was predicated on the fact that the users were Domain Admins. With that said, a far, far more effective overall approach that would indirectly solve the original problem is to do exactly what you mention. By Delegating Authority to the objects and resources that an admin needs to manage you can grant them all the necessary rights and privileges that they need, without making them Domain Admins. A good example of this is an environment that I work in which uses delegation and permissions in Active Directory to grant users rights to specific Organizational Units (OUs). This allows "normal" users to be able to perform the functions they need in a given OU (such as adding/deleting computers, users or groups) without ever making them a Domain Admin (and in fact in my example they are just normal Domain Users).

Additionally, there are some third party applications such as NetIQ Directory and Resource Administrator, NetIQ Change Administrator or Quest ActiveRoles that allow you to configure management schemes that allow unprivileged users to be able to perform required privileged tasks while still ensuring regulatory compliance, logging and accountability for all changes.

This was first published in February 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: