How to restrict administrator access?

I

Ivan2017-03-15 10:17:26

Active Directory

Ivan, 2017-03-15 10:17:26

Good day.
There is a domain administrator on the network. Which should carry out its duties of administering servers without any problems.
There was a need to raise a closed server, access to which will have everyone except him.
Tell me how to organize it?
Thanks
upd
Read the comments. Understood what needs to be added.
1) There is a Company Admin and 3 branch admins.
2) A special server rises at the branch, to which the Admin of the company should not have access.

Reply

Answer the question

In order to leave comments, you need to log in

4 answer(s)

A

Andrey Ermachenok, 2017-03-15
@eapeap

There was a need to raise a closed server, access to which will have everyone except him.

If there is no trust in the Admin - change the admin.
Otherwise, all these games of yours will come out sideways to you.

C

CityCat4, 2017-03-15
@CityCat4

Drive the server into the domain. After that, remove the Domain Admins group from the local group "Administrators" and drive there the people who will administer it by name. If he should not use balls either, edit the local security policies. The server should be placed in a separate OU, to which general policies (which, I believe, it can rule) do not apply. Secure the console - that is, exclude the possibility of coming up and doing something (politicians can enable the account of the local administrator and change his password). Eliminate the possibility of opening the system unit - and it is best to virtualize it altogether. Enable all kinds of logs, audits, logs to the maximum.

V

Vasily, 2017-03-15
@DobriyJuk

Do not add a PC to the domain and give access only to those who need it. Problem solved.

S

Sergey SA, 2017-03-15
@resetsa

Do not start a computer in the domain, provide it with physical security and disk encryption, do not involve the administrator in servicing the computer.