
IT staff are often given domain administrator rights for a number of reasons, one being that it’s a convenient way to log on to workstations with local administrator privileges. But from a security standpoint, giving high-level access to Active Directory (AD) for the sake of an easy life puts your IT infrastructure at risk.
First, we need to create a management group in Active Directory for users who will have rights to log on to workstations with administrative privileges.
Now I’m going to create a GPO to add the new AD group to the local Administrators group on all my workstations. I recommend that you create a separate Organizational Unit (OU) for your workstation computer accounts. While it’s possible to apply Group Policy to computer objects in the default Computers container, it would mean linking the GPO to the domain and filtering out domain controllers and member servers.
The next time Group Policy applies to computers in the workstations OU, the AD\Workstation Administrators group will be added to the local Administrators group, enabling IT administrators to manage workstations without domain admin privileges.
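The steps above, scripted with the ActiveDirectory and GroupPolicy modules and followed by a check that the group actually landed on each workstation. This is an added example, not code from the original article: the OU name, the GPO name, placing the group in the default Users container, and PowerShell remoting being enabled on the workstations are all assumptions. The local Administrators membership setting itself is still configured in the GPO editor; the script only creates and links the empty GPO.

```powershell
# Added example; values marked "assumed" do not come from the article.
Import-Module ActiveDirectory, GroupPolicy

$domain    = Get-ADDomain
$groupName = 'Workstation Administrators'   # group name used in the article
$ouName    = 'Workstations'                 # assumed OU name
$gpoName   = 'Workstation Local Admins'     # assumed GPO name
$ouDN      = "OU=$ouName,$($domain.DistinguishedName)"

# 1. Management group for staff who administer workstations.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $domain.UsersContainer
}

# 2. Dedicated OU for workstation computer accounts.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDN'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}

# 3. GPO linked to the workstations OU only, so domain controllers and
#    member servers never receive the setting.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $ouDN | Out-Null
}

# 4. After Group Policy has refreshed, confirm the group is in each local
#    Administrators group and list whatever else is still in there.
$expected = "$($domain.NetBIOSName)\$groupName"
$report = foreach ($pc in Get-ADComputer -SearchBase $ouDN -Filter *) {
    try {
        $members = Invoke-Command -ComputerName $pc.DNSHostName -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        }
        [pscustomobject]@{
            Computer     = $pc.Name
            GroupPresent = $members -contains $expected
            OtherMembers = ($members | Where-Object { $_ -ne $expected }) -join '; '
        }
    } catch {
        [pscustomobject]@{ Computer = $pc.Name; GroupPresent = $null; OtherMembers = "unreachable: $($_.Exception.Message)" }
    }
}
$report | Format-Table -AutoSize
```

The `OtherMembers` column is the part worth reviewing: individual user accounts or leftover groups listed there are local administrators that the GPO did not put in place.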