Admin accounts restructure


Gabriel Clifton

Jun 10, 2022, 10:51:36 AM
to ntsysadmin
OK, my boss is retiring in a few days and would like to finally restructure our AD accounts so that I reset all of our accounts to the standard user and create accounts for each admin and technician to use separately. I want to ensure I have as many permissions correctly set for the admin accounts as possible so that when their current accounts are dropped to standard users, they are not locked out of anything they could do before. The steps I think I know I need to do are:
1. Create new accounts for each person
2. Set new accounts to not be able to log into any computer
3. Provide delegation for each thing they should be able to do
   a. Add, remove and modify computers in the domain
   b. Add, remove and modify users in the domain

I can't think of anything else. We run VMWare, O365 and Azure Education free, and Google Workspace. I want to ensure that I have everything accounted for. The first time I attempted this with my own account, I kept hitting so many issues with permissions that I ended up reversing the whole thing and haven't touched it since. I don't want to run down delegation permissions and hit full control for everything because that would mitigate the purpose of this. 
Yes, I see the Add/Remove Computers from Domain by Delegation thread, but again I just want to ensure I don't miss anything and have to scrap the whole project again. 

Basically, two admins that run everything in the district and two technicians (hopefully more technicians in the future). The technicians usually have full access to computer and user accounts, no server access or control, and no admin user access or control.

Any way to get PowerShell to give me a CSV with all accounts with any permissions above domain user? I know I have some accounts for various services and I want to drop those down to least privileged also.

Thank you, and sorry for being redundant, just want to ensure I have everything covered. I have been pushing for increasing our security footprint for years and now that my boss is retiring, I can probably get more done in that scope.

Henry Awad

Jun 10, 2022, 11:03:24 AM
to ntsys...@googlegroups.com
Are you looking at only AD privileges for the admins or for other management tasks (like SCCM, Exchange, etc.)? If AD only, then get a list of the tasks that your admins need and tackle each one individually by setting the appropriate permissions. I recommend using AD groups for each task and delegating the necessary permissions to the group. Never use individual accounts for delegation as it will be very hard to remove them down the line. It's much easier to add/remove to a group than go through delegation permissions all the time.




--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/8eff29d1-a19d-4b58-913b-608bba7ad861n%40googlegroups.com.

Gabriel Clifton

Jun 10, 2022, 11:49:58 AM
to ntsysadmin
We don't have Exchange or SCCM so domain AD only. We already have a group for the techs to be able to join computers to the domain because we have that restricted so I would use that group to add permissions. I just want to be careful and not give too much permission.

Miller Bonnie L.

Jun 10, 2022, 12:10:44 PM
to ntsys...@googlegroups.com

I’ll add what I can, but I totally realize that one size does not fit all, so this is just what works for us, and we’re a much larger tech team of 25+ people.  As with all things this is a continual process and we’ve layered things on over time, as when I was first here, everyone was an admin on their own workstation (unless it was Win95/98 with no real permissions 😉 ) with a single account and a shared tech account being used, so it has taken time to get even to where we are now.  We each have:

 

- a regular account (non-admin, day to day for e-mail, file access, & other job-related tasks) that we sign in with.

- a domain-level tech level account that may be delegated computer account and/or user account (by group for each) permissions, depending on a person’s role.  This delegation does not extend to server/service/admin accounts.  I.e., one of our tech accounts cannot change the password using ADU&C for another tech account; a domain admin would have to do this.  These are delegated admin rights on computers in all site OUs as well, but we don’t restrict logon local as our techs need to be able to use these for things like one-off print driver installations (and other items where they may not have a run-as option).

- if someone requires domain admin access, they also have a separate domain admin account for use on servers only.

 

Due to our continued growth, we’re now building an account level in between tech and domain admin as well for people who need some server admin access on those specific systems.  We also have a special type of support account for certain staff at each of our school sites that has delegated admin rights on all computers in that ou structure but not delegated any special permissions in AD.  I use Restricted Groups in group policies to enforce where admin rights are applied (using groups, so that people can be added/removed as needed and rights are updated automatically shortly after imaging).

 

There’s a lot more I won’t list here, but from having done something similar and from the list you sent below, a few things I can think of to check access to are:

                Other workstation management tools with AD integration like MECM (if you have it)

                Print management (if your techs help to update or clear queues)

                Access to file shares where you may store central software/driver repositories

                Remote access support tools

 

Also, this sort of stuff is where using groups really shines because it makes it much easier when onboarding new staff to just drop their accounts in the right groups and they are up and running, so hopefully you’re doing that!

 

Having had to figure out the AD Delegation stuff on my own over time, I wrote myself a reference document of all the bits to do and have pasted some of that here.  Some of these may not apply to your scenario but hopefully it helps in figuring out what may be needed:

 

Full delegated list for techs working with computer accounts:

    Read all properties          Descendant Computer Objects
    Write all properties         Descendant Computer Objects  (again, our techs add/remove AD groups & update descriptions, you may not need this)
    Delete                       Descendant Computer Objects
    Change Password              Descendant Computer Objects
    Reset Password               Descendant Computer Objects
    Create Computer Objects      This Obj & all Descend obj
    Delete Computer Objects      This Obj & all Descend obj
    Read Logon Workstations      Descendant User Objects  (this and the next are because our field techs do not otherwise have delegated permissions for user accounts per the next section, but need to be able to set the logon restrictions list for a limited list of “generic” logons.  If you don’t use this feature you don’t need it; look at any user account in ADU&C and it’s the “Account” tab, “Log On To” list).
    Write Logon Workstations     Descendant User Objects

Full delegated list for tech staff working with user accounts:

    Reset Password               Descendant User Objects
    Read Account Restrictions    Descendant User Objects
    Write Account Restrictions   Descendant User Objects
    Read lockoutTime             Descendant User Objects
    Write lockoutTime            Descendant User Objects
    Read pwdLastSet              Descendant User Objects
    Write pwdLastSet             Descendant User Objects
    Write Members                Descendant Group Objects
    Read all Properties          Descendant Group Objects  (default read access)

 

Note this does not allow all properties to be changed and the people who do that here otherwise have server-level access (and it’s not something I’ve had to do before, but may get to figure out soon for that new role).  This delegation is for updating user group memberships, resetting passwords, and unlocking accounts, you may be looking for the equivalent of “write all properties” instead.   

 

Hopefully something here helps!

 

-Bonnie
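As an added example (not Bonnie's script or anything posted in the thread), the user-account delegation list above can be applied to a group as explicit ACEs on one OU instead of clicking through the Delegation of Control wizard. The group name Tech-UserAdmins and the OU path are assumptions; the attribute, class and extended-right GUIDs are read from the schema and Extended-Rights containers at run time rather than hard-coded.

```powershell
# Added example: apply the "tech staff working with user accounts" delegation from the
# post above to one group on one OU. Group and OU names are assumptions; replace them.
Import-Module ActiveDirectory

$delegateGroup = 'Tech-UserAdmins'                   # assumed group name
$targetOu      = 'OU=Staff,DC=example,DC=local'      # assumed OU

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$rightsDn = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

function Get-SchemaGuid([string]$LdapDisplayName) {
    # schemaIDGUID is stored as a byte array; [guid] wraps it
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

function Get-ExtendedRightGuid([string]$DisplayName) {
    # Control-access rights ("Reset Password") and property sets ("Account Restrictions")
    # both live under Extended-Rights, keyed by rightsGuid
    $obj = Get-ADObject -SearchBase $rightsDn -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "extended right '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

$sid      = (Get-ADGroup -Identity $delegateGroup).SID
$userCls  = Get-SchemaGuid 'user'
$groupCls = Get-SchemaGuid 'group'
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents   # "Descendant ... Objects"
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$rw       = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$write    = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$ext      = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# One ACE per line of the list: (trustee, rights, allow, attribute/right GUID, inheritance, object class)
$aces = @(
    # Reset Password                          Descendant User Objects
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $ext, $allow, (Get-ExtendedRightGuid 'Reset Password'), $inherit, $userCls)
    # Read/Write Account Restrictions         Descendant User Objects (property set)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $rw, $allow, (Get-ExtendedRightGuid 'Account Restrictions'), $inherit, $userCls)
    # Read/Write lockoutTime                  Descendant User Objects (unlock accounts)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $rw, $allow, (Get-SchemaGuid 'lockoutTime'), $inherit, $userCls)
    # Read/Write pwdLastSet                   Descendant User Objects (force change at next logon)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $rw, $allow, (Get-SchemaGuid 'pwdLastSet'), $inherit, $userCls)
    # Write Members                           Descendant Group Objects (group membership changes)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $write, $allow, (Get-SchemaGuid 'member'), $inherit, $groupCls)
)

# "Read all Properties" on groups is the default and is not added here.
$acl = Get-Acl -Path "AD:\$targetOu"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$targetOu" -AclObject $acl
```

The computer-account list follows the same pattern with the 'computer' class GUID from Get-SchemaGuid and CreateChild/DeleteChild rights for the create/delete entries.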

 

 


Wright, John M

Jun 10, 2022, 12:17:12 PM
to ntsys...@googlegroups.com

“Any way to get PowerShell to give me a CSV with all accounts with any permissions above domain user?”

 

What about a powershell query like:

 

Get-ADUser -SearchBase "ou=users,dc=acme,dc=foo" -Filter * -Properties * | select samaccountname,memberof | Export-Csv users.csv

 

 

James Iversen

Jun 10, 2022, 12:32:41 PM
to ntsys...@googlegroups.com
Unfortunately, that will not show you "delegated" permissions...

Tricky little buggers.

I use Quest Active Administrator and Security Explorer.

You can run reports drilling all the way down your AD to reveal permissions assigned/delegated.

It's great when you come across the "Unknown SID" left over from a POC or other account previously deleted which assigned itself permissions to your Organizational Infrastructure

Also can set up templates to delegate authority for stuff like reading BitLocker codes or LAPS passwords. Can even delegate permissions to Help Desk to manage computer accounts. Our org uses an IAM solution where HR creates the users, but an Account Admin needs to prepare it for first logon. More delegation and security by obscurity.

My favorite by far is the changing default join OU location in AD. Instead of the Computers OU, create a WorkstationQuarantine OU and all newly joined computer objects go there first. Then you can manage them more effectively before depositing them into your organizational structure. If you use the default name of a computer instead of assigning a name, could make for some interesting findings...

You are better off creating your own delegated groups instead of using the default groups in AD to assign permissions. Monitor those "Built-In" groups like a hawk. If they are empty, you can identify normal attack vectors. If a rogue account shows up in Administrators, check the security log to find out how it got there...







Hammer, Erich F

Jun 10, 2022, 12:46:04 PM
to ntsys...@googlegroups.com
Sorry to be pedantic, but the default location for newly joined computers is not the "Computers OU" because it's not an OU. It's a container. I'm not knowledgeable enough to be able to explain (or even know) the differences other than it is different and at some point I ran into a reason to recognize that. You can recognize the difference in the icon in ADUC: Containers look like "plain folders" and OUs look like a folder with something on it (maybe like a sticky note pad).

I agree that the default location should be changed however. Also, if you are decent with scripts, consider using a "smart" imaging process to join systems directly into their target OUs so they don't need to be manually moved from the default location.

Erich



Michael B. Smith

Jun 10, 2022, 12:51:03 PM
to ntsys...@googlegroups.com
OUs get group policies.

Containers do not.


Wright, John M

Jun 10, 2022, 1:03:59 PM
to ntsys...@googlegroups.com

Sorry about that.  I somehow missed that they were delegated.  FWIW, it looks like he might be able to replay the SAM names from the PowerShell query and feed them to dsrevoke.  NB: I haven’t used this tool myself.  Just wanted to pass it on in case it was helpful.

 

Viewing delegated permissions: https://social.technet.microsoft.com/wiki/contents/articles/6477.active-directory-how-to-view-or-delete-delegated-permissions.aspx

Download Dsrevoke:  https://www.microsoft.com/en-us/download/details.aspx?DisplayLang=en&id=19288

 

 


 

Gabriel Clifton

Jun 10, 2022, 1:44:09 PM
to ntsysadmin
I must be missing something on that PowerShell command. Every time I have run it so far, I get Microsoft.ActiveDirectory.Management.ADPropertyValueCollection under the memberof column and it is pulling every AD user. I know that 99% of our staff do not have any delegated permissions so that is not a big deal, but we have had numerous appliances in the past where we ran a demo of the product, created a user with some delegated permission, and I want to ensure there are none lingering; plus I do know that 1% of our staff has some delegated permissions for things like viewing AD user information and resetting permission. I know of one such user in the past where I was trying to give them permission for user accounts and could not get the group to work for them and gave them permission directly. I am trying to tighten everything up and get rid of any full-control delegations.
Thanks, Bonnie Miller for that list. When I took over this domain years ago, all users had admin privileges, could install anything they wanted, had access to servers, and more. Every step I have taken over the years to tighten security has been met with great resistance from my boss because the changes impacted her bosses and because her bosses signed our paychecks and can fire us, they get anything they want. I am about to start my 13th year here and this network is in serious need of security scrutinizing. I wish I could get something like the Quest product or Netwrix, but I am working on a super small budget so everything I do has to be made in-house pretty much.
I'm glancing at the LIZA, will try it out after lunch.
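Added example, not part of the thread: a script that answers the CSV question and also covers what James pointed out, that group membership alone does not reveal delegated ACEs. It writes two CSVs, one of users with any membership beyond their primary group (memberOf joined into a string, which is why the raw query printed ADPropertyValueCollection), and one of every explicit ACE on the domain root and each OU, flagged where it grants full control or belongs to an orphaned SID. Output file names and the list of default trustees are assumptions.

```powershell
# Added example: inventory (1) users with group membership beyond their primary group and
# (2) explicit delegation ACEs on the domain root and every OU. Requires the RSAT AD module.
Import-Module ActiveDirectory

# Trustees AD itself places on containers; anything else on an explicit ACE is delegation to review
$defaultTrustees = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
    'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
    'BUILTIN\Pre-Windows 2000 Compatible Access', 'Everyone', 'CREATOR OWNER'
)
$genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-ElevatedUserReport {
    # memberOf never lists the primary group (Domain Users), so any entry at all is "above domain user".
    # The collection is joined into one string so Export-Csv writes names, not the .NET type name.
    Get-ADUser -Filter * -Properties memberOf, adminCount, PasswordNeverExpires |
        Where-Object { $_.memberOf.Count -gt 0 } |
        ForEach-Object {
            $groups = $_.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                Enabled              = $_.Enabled
                AdminCount           = $_.adminCount        # 1 = protected by AdminSDHolder (is or was in a privileged group)
                PasswordNeverExpires = $_.PasswordNeverExpires
                Groups               = ($groups -join ';')
            }
        }
}

function Get-DelegationReport {
    # Explicit ACEs on the domain root and every OU. Inherited ACEs are skipped because they only
    # repeat what was granted higher up; the explicit ones are where delegation was actually set.
    $domain  = Get-ADDomain
    $targets = @($domain.DistinguishedName) +
        (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $targets) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }
            $trustee = $ace.IdentityReference.Value
            if ($defaultTrustees -contains $trustee) { continue }
            if ($trustee -eq "$($domain.NetBIOSName)\Domain Admins" -or
                $trustee -eq "$($domain.NetBIOSName)\Enterprise Admins") { continue }

            [pscustomobject]@{
                Object        = $dn
                Trustee       = $trustee
                # Still a raw SID = the account or group was deleted but its ACE stayed behind
                # (the "Unknown SID" leftover from a POC account mentioned above)
                OrphanedSid   = ($trustee -match '^S-1-5-21-')
                FullControl   = (($ace.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
                Rights        = $ace.ActiveDirectoryRights.ToString()
                AccessType    = $ace.AccessControlType.ToString()
                ObjectType    = $ace.ObjectType             # attribute/class/right GUID; all zeros = everything
                InheritedType = $ace.InheritedObjectType    # object class the ACE applies to, e.g. user
                Inheritance   = $ace.InheritanceType.ToString()
            }
        }
    }
}

Get-ElevatedUserReport | Export-Csv -Path .\elevated-users.csv -NoTypeInformation
Get-DelegationReport   | Export-Csv -Path .\ou-delegations.csv -NoTypeInformation
```

Rows with FullControl set to True are the full-control delegations to replace with the narrower lists Bonnie posted; rows with OrphanedSid set to True can simply be removed.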

James Iversen

Jun 10, 2022, 1:48:14 PM
to ntsys...@googlegroups.com
Yes, the Computer container... I admit not having used the correct noun. My apologies.

Scripting the "join" process" would be great! For most orgs where there isn't 7 different teams, each team divided into at least 4 Business units in 4 locations... Not to mention DEV, TST, QA, and PRD servers...

Not saying scripting isn't a good idea. We use it for imaging AWS devices domain joined. Group memberships and everything triggered on event. Works a treat! But they're easily identifiable and do only one thing.

Documenting the procedure and delegating the authority to manage the devices seems to be the best "for us" to keep our customers working. Things only break down when the documentation isn't followed and a device gets slammed into the wrong OU.

I'm not sure if a script would function as designed when the device is "renamed"... We also enumerate the msDS-PrimaryComputer attribute for folder redirection. Prevents huge profiles on PC's... Wonder if PowerShell can enumerate and write the DN of a device into a user object?
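Added example, not from the thread, answering the closing question: PowerShell can both write a computer object's DN into a user's msDS-PrimaryComputer attribute and enumerate what is already set. The user-to-computer assignment list is constructed sample data and the names in it are assumptions.

```powershell
# Added example: populate and report msDS-PrimaryComputer. The assignment CSV is constructed
# sample data; in practice it would come from an inventory export or a naming convention.
Import-Module ActiveDirectory

$assignments = @'
SamAccountName,ComputerName
jdoe,LAB-PC-01
asmith,LAB-PC-02
'@ | ConvertFrom-Csv

function Set-PrimaryComputer([string]$SamAccountName, [string]$ComputerName) {
    $computer = Get-ADComputer -Identity $ComputerName
    $user     = Get-ADUser -Identity $SamAccountName -Properties 'msDS-PrimaryComputer'
    # The attribute is multi-valued, so only add the link when it is not already present
    if ($user.'msDS-PrimaryComputer' -contains $computer.DistinguishedName) {
        return "$SamAccountName already linked to $ComputerName"
    }
    # msDS-PrimaryComputer is a DN-syntax linked attribute: AD keeps the link valid if the computer
    # object is later renamed or moved, and the back-link msDS-IsPrimaryComputerFor appears on the
    # computer object automatically
    Set-ADUser -Identity $SamAccountName -Add @{ 'msDS-PrimaryComputer' = $computer.DistinguishedName }
    return "$SamAccountName linked to $ComputerName"
}

function Get-PrimaryComputerReport {
    # Every user with at least one primary computer, one row per user/computer pair
    Get-ADUser -LDAPFilter '(msDS-PrimaryComputer=*)' -Properties 'msDS-PrimaryComputer' |
        ForEach-Object {
            $sam = $_.SamAccountName
            $_.'msDS-PrimaryComputer' | ForEach-Object {
                [pscustomobject]@{ User = $sam; Computer = (Get-ADComputer -Identity $_).Name }
            }
        }
}

foreach ($row in $assignments) { Set-PrimaryComputer $row.SamAccountName $row.ComputerName }
Get-PrimaryComputerReport | Format-Table -AutoSize
```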





James Iversen

Jun 10, 2022, 1:51:11 PM
to ntsys...@googlegroups.com
I beg to differ... The Default Domain Policy applies to the Computer AND User container, as well as any non-blocked by inheritance OU in the domain.

The Default Domain Controllers Policy applies to the Domain Controllers OU.





Kurt Buff

Jun 10, 2022, 2:26:27 PM
to ntsys...@googlegroups.com
Perhaps better stated as "Containers cannot have group policies assigned to them". Because they can't, though objects residing in the containers do get GPOs applied from up the hierarchy. Can't block GP inheritance on a container either.

Kurt

James Iversen

Jun 10, 2022, 2:33:48 PM
to ntsys...@googlegroups.com
Lol OK, we'll go with that!

Have a great weekend!



Michael B. Smith

Jun 10, 2022, 2:44:41 PM
to ntsys...@googlegroups.com

The devil is in the details.

 


Brian Illner

Jun 14, 2022, 1:28:12 PM
to ntsys...@googlegroups.com

How is everyone handling the M365/Azure world and the need for MS accounts when separating everything?

 

If your regular account doesn’t have more than user rights to your subscription/tenant, are you having to burn another license for an admin email that does?

 


Josh Doty

Jun 14, 2022, 1:37:40 PM
to ntsys...@googlegroups.com

Currently the way we handle it at our org is we create an unlicensed O365 account to be our global admin account, with a similar name to our daily driver production email plus a suffix or prefix “GA”. We’ll then have a tenant-level mail routing rule to handle any mail going to the global admin account and route it to our daily driver O365 account; that way we don’t have to license it with Exchange Online.
