Group policy management console - delegation for IT admins - best practice

StephanG 846 Reputation points
2021-03-30T09:30:05.397+00:00

Hi everyone,

Every article just has hints about how to cope with GPOs, but I need some input about the design of delegation rights.

Say I have an OU structure like this:

  • Domain Controllers
  • Servers
  • Servers - Exchange
  • Servers - SharePoint
  • Servers - Tier 1
  • Clients
  • Users
  • Admin Users

OK, I do not delegate the "Domain Controllers" OU.
But if I delegate the "Servers - Tier 1" OU to 2 "Admin Accounts" and one of them gets hacked, are all my "Tier 1 servers" kind of lost?

So is there any other possibility to restrict (without 3rd party) or secure the GPO delegation?

Best regards
Stephan


Accepted answer
  Anonymous
    2021-03-31T02:27:40.623+00:00

    Hello @StephanG ,

    Thank you for posting here.

    For delegation permissions for Group Policy, we can refer to the link below, it includes the following two delegation permissions and other delegation permissions.

    To delegate permissions for a group or user on a Group Policy Object
    To delegate permissions to link Group Policy Objects

    Reference
    Delegate Permissions for Group Policy
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn789195(v=ws.11)

    Q: But if I delegate the "Servers - Tier 1" OU to 2 "Admin Accounts" and one of them gets hacked, are all my "Tier 1 servers" kind of lost?
    It is not clear whether such a result will occur, but we need to prevent such a situation in advance, for example by increasing the complexity of the administrator's password or strengthening network security.

    Q: So is there any other possibility to restrict (without 3rd party) or secure the GPO delegation?
    Based on my experience, there is no other way to restrict (without 3rd party) or secure the GPO delegation.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


1 additional answer

  StephanG 846 Reputation points
    2021-03-31T08:37:37.26+00:00

    Hi @Anonymous ,

    Thanks for your answer. I just thought there was a best practice approach and I didn't find it.
    We already have the secure passwords & network security.

    I will try to create more OUs so that every admin user could just affect a subset of clients/users in the first place.

    Best regards
    Stephan
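The two delegation permissions the accepted answer points to (edit rights on a GPO, link rights on an OU) and the per-OU scoping Stephan describes in his reply can both be done with the built-in GroupPolicy and ActiveDirectory modules, so that a compromised delegated account can only touch the GPOs and OU it was given, not the whole domain. The script below is an added example, not code from the thread or from Microsoft's documentation; the domain name, group name, OU path and GPO name are assumed placeholders, and it needs RSAT and an account that can change GPO and OU ACLs.

```powershell
# Added example (not from the Q&A thread above): scope GPO delegation to one OU.
# Assumed names: domain CONTOSO, delegated group "GPO-Admins-Tier1",
# OU "Servers - Tier 1" and the GPO "Tier1-Server-Baseline" linked to it.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Group   = 'GPO-Admins-Tier1'
$OuDn    = 'OU=Servers - Tier 1,DC=contoso,DC=com'
$GpoName = 'Tier1-Server-Baseline'

# 1. Edit rights only on the GPO this team owns, not on every GPO in the domain.
#    GpoEdit lets them change settings; GpoEditDeleteModifySecurity would also let
#    them re-delegate the GPO to someone else, so it is deliberately not granted.
Set-GPPermission -Name $GpoName -TargetName $Group -TargetType Group `
    -PermissionLevel GpoEdit -Replace

# 2. Link rights only on the one OU. GPMC's "Link GPOs" delegation is write access
#    to the gPLink and gPOptions attributes of the OU (well-known schema GUIDs).
#    Inheritance is None, so child OUs created later are not covered automatically.
$gpLink    = [Guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'   # gPLink
$gpOptions = [Guid]'f30e3bbf-9ff0-11d1-b603-0000f80367c1'   # gPOptions
$sid = (Get-ADGroup $Group).SID
$acl = Get-Acl -Path "AD:\$OuDn"
foreach ($attr in $gpLink, $gpOptions) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attr,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# 3. Audit the blast radius: for every OU, list who can edit the GPOs linked there.
#    Any trustee other than Domain Admins / Enterprise Admins / SYSTEM on a
#    Tier 1 GPO is a delegation decision that should be deliberate.
function Get-GpoEditorsByOu {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        $inh = Get-GPInheritance -Target $ou.DistinguishedName
        foreach ($link in $inh.GpoLinks) {
            Get-GPPermission -Guid $link.GpoId -All |
                Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
                ForEach-Object {
                    [pscustomobject]@{
                        OU         = $ou.Name
                        GPO        = $link.DisplayName
                        Trustee    = $_.Trustee.Name
                        Permission = $_.Permission
                    }
                }
        }
    }
}

Get-GpoEditorsByOu | Sort-Object OU, GPO | Format-Table -AutoSize
```

Step 3 is the check worth running regularly: it answers the original question ("what can this account actually change?") by reading the effective delegation rather than assuming it. With Directory Service Changes auditing enabled, edits to a GPO's ACL or to an OU's gPLink attribute also show up as event ID 5136 on the domain controllers, which gives a detection hook for a delegated account being used outside its intended scope.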

