In enterprise Active Directory environments, we often need to provide elevated privileges to support staff without granting full domain admin access. The requirement here is particularly specific: create an account that can administer client machines (join computers to domain, install software, troubleshoot) while maintaining tight restrictions on domain controllers.
Here are three robust approaches to implement this security model:
# Option 1: Using Group Policy Preferences
1. Create a new security group (e.g., "ClientAdmins")
2. Add the group to local Administrators groups via GPO:
Computer Configuration → Preferences → Control Panel Settings → Local Users and Groups
3. Apply the GPO to all client OUs while excluding Domain Controllers
4. Set "Deny log on locally" for DCs in the Default Domain Controllers Policy
For the ability to join computers to the domain without full DC access:
```powershell
# PowerShell script to delegate computer join rights
Import-Module ActiveDirectory

# The access-rule constructor needs an IdentityReference, not a bare string
$IdentityReference = [System.Security.Principal.NTAccount]"DOMAIN\ClientAdmins"
$TargetOU = "OU=Computers,DC=domain,DC=com"

# schemaIDGUID of the computer object class
$computerClassGuid = [guid]::Parse('bf967a86-0de6-11d0-a285-00aa003049e2')
# rightsGuid of the "Reset Password" extended right, which the join operation needs
$resetPasswordGuid = [guid]::Parse('00299570-246d-11d0-a768-00aa006e0529')

# ACE1: allow creating computer objects in the OU and in sub-OUs
$ACE1 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $IdentityReference, "CreateChild", "Allow", $computerClassGuid, "All"
)
# ACE2: allow Reset Password on the computer objects in the OU. Inheritance
# must be Descendents and scoped to the computer class; with "None" the right
# would apply to the OU object itself and not to the computers inside it.
$ACE2 = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $IdentityReference, "ExtendedRight", "Allow", $resetPasswordGuid, "Descendents", $computerClassGuid
)

$acl = Get-Acl "AD:\$TargetOU"
$acl.AddAccessRule($ACE1)
$acl.AddAccessRule($ACE2)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl
```
When implementing this model:
- Always use security groups rather than assigning permissions directly to users
- Monitor privileged account usage through AD audit policies
- Consider implementing Just-In-Time administration for higher security
- Regularly review group membership and delegated permissions
For organizations with stricter security requirements, consider:
```powershell
# Sample resource-based constrained delegation setup
# -PrincipalsAllowedToDelegateToAccount writes msDS-AllowedToActOnBehalfOfOtherIdentity
# on the target account, so pass the principals as AD objects rather than bare names
$supportAdmin    = Get-ADUser     -Identity SupportAdmin
$clientComputers = Get-ADComputer -Identity ClientComputers
Set-ADUser     -Identity $supportAdmin    -PrincipalsAllowedToDelegateToAccount $clientComputers
Set-ADComputer -Identity $clientComputers -PrincipalsAllowedToDelegateToAccount $supportAdmin
```
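The list above recommends regularly reviewing delegated permissions. The following audit script is an added example, not code from the answer: it reads the ACL of the target OU used above and prints every ACE granted to the ClientAdmins group, resolving the raw object-type GUIDs to the schema class, attribute or extended-right names they stand for, so a reviewer can see at a glance that only "Create computer objects" and "Reset Password" were delegated. The OU path and group name are the ones assumed in the script above; adjust them to your domain.

```powershell
# Audit the rights delegated to ClientAdmins on the Computers OU (added example)
Import-Module ActiveDirectory

$TargetOU = "OU=Computers,DC=domain,DC=com"   # assumed, as in the delegation script
$Group    = "DOMAIN\ClientAdmins"              # assumed, as in the delegation script
$rootDse  = Get-ADRootDSE

# Build a GUID -> name map from the schema (classes and attributes) and from
# the Extended-Rights container (control access rights such as Reset Password)
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter "(objectClass=controlAccessRight)" -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

# The all-zero GUID in an ACE means "every object type / every extended right"
$guidMap[[guid]::Empty] = "All"

# Report only the ACEs that name the delegated group, with GUIDs resolved
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $Group } |
    Select-Object AccessControlType, ActiveDirectoryRights,
        @{ Name = 'ObjectType';          Expression = { $guidMap[$_.ObjectType] } },
        @{ Name = 'InheritedObjectType'; Expression = { $guidMap[$_.InheritedObjectType] } },
        InheritanceType, IsInherited |
    Format-Table -AutoSize
```

An ACE whose ObjectType resolves to "All" with ExtendedRight, or a GenericAll entry, is broader than the join delegation requires and is the kind of drift this review is meant to catch.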
In enterprise environments, we often need to provide elevated privileges for help desk staff while maintaining security boundaries. The challenge is creating an account with:
- Full admin rights on client workstations
- Ability to join machines to the domain
- No administrative access to domain controllers
- Limited privileges on member servers
Here's how to properly implement this using Active Directory groups and permissions:
```powershell
# Create the restricted admin group
New-ADGroup -Name "RestrictedDomainAdmins" -GroupScope Global -GroupCategory Security
# Add workstations to a specific OU
# Then delegate control to the RestrictedDomainAdmins group for:
# - Join computers to the domain
# - Reset computer account passwords
# - Manage Group Policy links
```
Create a GPO that applies to all workstations (not servers):
```powershell
# PowerShell to configure local admin rights: run on each workstation (for
# example as a GPO startup script) to add the domain group to local Administrators
$groupName    = "RestrictedDomainAdmins"
$domainName   = "DOMAIN"                 # NetBIOS name of the domain
$computerName = $env:COMPUTERNAME
$administrators = [ADSI]"WinNT://$computerName/Administrators,group"
$memberPath     = "WinNT://$domainName/$groupName,group"
# Members() returns COM objects; read each one's ADsPath to see whether the group is already present
$alreadyMember = @($administrators.psbase.Invoke("Members")) | Where-Object {
    $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null) -like "*/$groupName"
}
if (-not $alreadyMember) {
    $administrators.Add($memberPath)
}
```
To explicitly deny server access:
```powershell
# Deny the restricted group the "Change Password" extended right on every
# server's computer object. Denying interactive logon itself is a user-rights
# assignment ("Deny log on locally") and is set in the GPO that targets the servers.
Import-Module ActiveDirectory
$servers = Get-ADComputer -Filter { OperatingSystem -like "*Server*" }
foreach ($server in $servers) {
    $path = "AD:\" + $server.DistinguishedName
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (New-Object System.Security.Principal.NTAccount("DOMAIN\RestrictedDomainAdmins")),
        "ExtendedRight",
        "Deny",
        [guid]"ab721a53-1e2f-11d0-9819-00aa0040529b"   # rightsGuid of "User-Change-Password"
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}
```
Always test the configuration:
- Attempt to log into a workstation - should succeed with admin rights
- Try joining a test machine to the domain - should work
- Attempt to log into a domain controller - should fail
- Check server access - should have limited privileges
For more advanced environments, consider Privileged Access Management:
```powershell
# Sample Just-in-Time admin access with PAM
Import-Module ActiveDirectory
$request = New-PAMRequest -User "helpdeskuser" -Role "WorkstationAdmin" -Duration "2"
Approve-PAMRequest -Request $request
```
- Regularly audit group membership
- Monitor privileged account activity
- Consider time-based restrictions
- Implement multi-factor authentication
- Document all permission changes
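The test list and the audit bullet above describe the expected end state: the restricted group is a local administrator on workstations and nowhere else. The following script is an added example, not code from the answer: it queries the local Administrators group on every domain computer over PowerShell remoting, compares the result against the server/workstation split inferred from the operatingSystem attribute, and reports any machine where the state is not what the model requires. It assumes the group name used above, that remoting is enabled on the targets, and that the account running it can read local group membership.

```powershell
# Verify where RestrictedDomainAdmins actually holds local admin rights (added example)
Import-Module ActiveDirectory

$GroupName = "DOMAIN\RestrictedDomainAdmins"   # assumed, as in the scripts above
$computers = Get-ADComputer -Filter * -Properties OperatingSystem

$results = foreach ($c in $computers) {
    # Servers (including domain controllers) must NOT carry the group; workstations must
    $isServer = $c.OperatingSystem -like "*Server*"
    try {
        $members = Invoke-Command -ComputerName $c.Name -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group Administrators | Select-Object -ExpandProperty Name
        }
        $present = [bool]($members -contains $GroupName)
    }
    catch {
        $present = $null     # host unreachable or remoting disabled; reported, not ignored
    }

    $finding = if ($null -eq $present) { "unreachable" }
               elseif ($present -ne (-not $isServer)) { "MISMATCH" }
               else { "ok" }

    [pscustomobject]@{
        Computer = $c.Name
        IsServer = $isServer
        HasGroup = $present
        Finding  = $finding
    }
}

# Anything other than "ok" is either a gap in the GPO scope or a server that picked the group up
$results | Where-Object { $_.Finding -ne "ok" } | Format-Table -AutoSize
```

A "MISMATCH" on a workstation usually means the GPO did not apply (check the OU link and WMI filter); a "MISMATCH" on a server or domain controller means the group has been added outside the intended scope and should be treated as a finding to investigate.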