Guest Matthew, posted January 26, 2009

I hope someone can help me. I manage a fairly large Active Directory environment and I'm trying to lock things down to prevent security breaches, etc. We use various monitoring utilities to monitor all servers (including DCs) and I'm finding it very difficult to use any of these programs without breaking my security. Almost every one of them needs domain administrator rights. Well, that's not true, but let me clarify.

I stripped the security of the service accounts we use and created groups to add these service accounts as local admins on the various servers. My problem is now specifically with DCs. I don't want these service accounts to have full administrative privileges on my DCs or Active Directory. As such, I don't want to add these accounts to the Builtin\Administrators group, as they will get these rights.

I have successfully opened up WMI on these DCs, but am finding my tools use a variety of ways to run their monitors, and they are not all via WMI. For example, some of these tools check disk space by hitting the root admin share of each drive (i.e. C$). I can't change permissions on this.

What do I do? Is there a way to give these accounts the rights I need, but prevent them from actually logging on locally to the DC and prevent them from making changes in AD? Do I just bite the bullet here and just make it a domain admin account with a super crazy pw?

TIA!
MCDONAMW
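An added audit check, not from the original post, for the situation described above: it verifies that the monitoring service accounts have not ended up (directly or through a nested group) in any of the built-in groups that amount to full control of a DC or the directory. It assumes the RSAT ActiveDirectory module is available, and the account names are placeholders for the real service accounts.

```powershell
# Added example (not from the original thread): audit whether monitoring
# service accounts are members of groups that grant admin rights on DCs / AD.
# Assumes the RSAT ActiveDirectory module; account names are placeholders.
Import-Module ActiveDirectory

$serviceAccounts = @('svc-monitor1', 'svc-monitor2')   # placeholder names

# Built-in groups whose membership effectively means admin on a DC or in AD.
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
)

$findings = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups, so a custom "local admins" group that
    # someone later nested into Administrators still surfaces its members here.
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName

    foreach ($acct in $serviceAccounts) {
        if ($members -contains $acct) {
            [pscustomobject]@{ Account = $acct; PrivilegedGroup = $group }
        }
    }
}

if ($findings) {
    # Each row is a service account that has more rights than the poster wants.
    $findings | Format-Table -AutoSize
} else {
    'No monitoring service account is a member of a privileged group.'
}
```

Running this on a schedule (or before and after installing a new monitoring agent) catches the case where a vendor's installer quietly adds the account to Domain Admins or Builtin\Administrators.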