Group policy management console - delegation for IT admins - best practice

StephanG 701 Reputation points
2021-03-30T09:30:05.397+00:00

Hi everyone,

Every article just has hints about how to cope with GPOs, but I need some input about the design of delegation rights.

Say I have an OU structure like this:

  • Domain Controllers
  • Servers
  • Servers - Exchange
  • Servers - SharePoint
  • Servers - Tier 1
  • Clients
  • Users
  • Admin Users

OK, I do not delegate the "Domain Controllers".
But if I delegate the "Servers - Tier 1" OU to 2 "Admin Accounts" and one of them gets hacked, all my "Tier 1 servers" are kind of lost?

So is there any other possibility to restrict (without 3rd party) or secure the GPO delegation?

Best regards
Stephan


Accepted answer
  Daisy Zhou 13,021 Reputation points Microsoft Vendor
    2021-03-31T02:27:40.623+00:00

    Hello @StephanG ,

    Thank you for posting here.

    For delegation permissions for Group Policy, we can refer to the link below, it includes the following two delegation permissions and other delegation permissions.

    To delegate permissions for a group or user on a Group Policy Object
    To delegate permissions to link Group Policy Objects

    Reference
    Delegate Permissions for Group Policy
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789195(v=ws.11)

    Q: But if I delegate the "Servers - Tier 1" OU to 2 "Admin Accounts" and one of them gets hacked, all my "Tier 1 servers" are kind of lost?
    It is not clear whether such a result will occur, but we need to prevent such a situation in advance, for example by increasing the complexity of the administrator's password or strengthening network security.

    Q: So is there any other possibility to restrict (without 3rd party) or secure the GPO delegation?
    Based on my experience, there is no other way to restrict (without 3rd party) or secure the GPO delegation.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou
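The two delegation types the accepted answer points to (rights on a GPO object, and the right to link GPOs to an OU) can be reviewed and set with the built-in GroupPolicy module rather than a third-party tool, which is what the question asks about. The script below is an added example and is not code from the thread or from Microsoft's documentation. It assumes the RSAT GroupPolicy module is installed, and the OU distinguished name and group name it uses are placeholders for your own domain. It lists every trustee who can edit a GPO that applies to a given OU (directly linked or inherited), and it moves edit rights from individual admin accounts onto a group, so that a compromised account is removed from one group instead of being hunted across GPO ACLs. This also fits the follow-up idea of scoping each admin to a subset of OUs: run the review per OU and delegate one editor group per OU.

```powershell
# Added example, not from the original thread. Requires the GroupPolicy module
# (RSAT / GPMC). The OU DN and group name below are placeholders.
Import-Module GroupPolicy

function Get-GpoEditorsForOU {
    param([Parameter(Mandatory)][string]$OuDistinguishedName)

    # Every GPO linked to the OU, or inherited from above it, determines what a
    # delegated editor can push to the computers beneath that OU.
    $som   = Get-GPInheritance -Target $OuDistinguishedName
    $links = @($som.GpoLinks) + @($som.InheritedGpoLinks) | Sort-Object GpoId -Unique

    foreach ($link in $links) {
        Get-GPPermission -Guid $link.GpoId -All |
            Where-Object { $_.Permission.ToString() -in @('GpoEdit', 'GpoEditDeleteModifySecurity') } |
            ForEach-Object {
                [pscustomobject]@{
                    Gpo         = $link.DisplayName
                    Trustee     = "$($_.Trustee.Domain)\$($_.Trustee.Name)"
                    TrusteeType = $_.TrusteeType
                    Permission  = $_.Permission
                    Inherited   = $_.Inherited
                }
            }
    }
}

function Set-GpoEditDelegation {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$EditorGroup,   # placeholder, e.g. 'GPO-Editors-Tier1'
        [string[]]$RemoveUser = @()                    # individual accounts to strip from the ACL
    )

    # Delegate edit rights to a group, never to individual admin accounts.
    # -Replace overwrites whatever level the group already had.
    Set-GPPermission -Name $GpoName -TargetName $EditorGroup -TargetType Group `
        -PermissionLevel GpoEdit -Replace | Out-Null

    # PermissionLevel None with -Replace removes the user's entry from the GPO ACL.
    foreach ($user in $RemoveUser) {
        Set-GPPermission -Name $GpoName -TargetName $user -TargetType User `
            -PermissionLevel None -Replace | Out-Null
    }

    # Return the resulting ACL so the change can be verified and recorded.
    Get-GPPermission -Name $GpoName -All
}

# Usage (placeholder DN, GPO and account names):
Get-GpoEditorsForOU -OuDistinguishedName 'OU=Servers - Tier 1,DC=example,DC=local' |
    Format-Table -AutoSize

Set-GpoEditDelegation -GpoName 'Tier1 Server Baseline' -EditorGroup 'GPO-Editors-Tier1' `
    -RemoveUser @('adm-one', 'adm-two') | Format-Table Trustee, Permission -AutoSize
```

Two caveats the output makes visible: inherited links from the domain root (for example the Default Domain Policy) are editable by whoever holds rights at that level regardless of what you delegate on the Tier 1 OU, and GpoEdit on a GPO object does not include the right to link it; linking is delegated on the OU itself through the GPMC "Link GPOs" delegation named in the answer's second item, so keep the two delegations in separate groups and review both.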

1 additional answer

  StephanG 701 Reputation points
    2021-03-31T08:37:37.26+00:00

    Hi @Daisy Zhou ,

    Thanks for your answer. I just thought there was a best-practice approach and I didn't find it.
    We already have the secure passwords & network security.

    I will try to create more OUs so that every admin user could only affect a subset of clients/users in the first place.

    Best regards
    Stephan