We are running an AD infrastructure. The central DC is running 2012 while the remote DCs are mostly running 2003. I would like to lock down AD after we had a few things happen that made me question if we were hacked.
1. All of the techs have been given full control of the Computers OU so they can add an unlimited amount of computers, rename computers, and overwrite computers in AD (For example, a computer crashes, gets reloaded, and renamed with our naming convention thus creating a duplicate account.) Is there a better way to do this? I tried giving them write access with no luck. I don't want a disgruntled tech wiping out every computer account in the corporation.
2. Is there a way to block someone from viewing the AD structure from a computer other than a DC? One of the techs was able to pull up the AD infrastructure with the remote server administration snap-in for Windows 7. He wasn't able to make any changes. I made it a policy not to do this again, but would like to prevent the ability to do so if possible.
Thanks!
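The delegation problem in point 1 (techs need to create, rename and re-join computers, but should not be able to wipe every computer account) is usually solved by granting a narrow set of rights on the OU instead of Full Control. The following is an added PowerShell example, not code from the original post; it uses the ActiveDirectory module on a box with RSAT or a DC, and the OU distinguished name and group name are placeholders for this environment. The schema and extended-right GUIDs are looked up at run time rather than hardcoded.

```powershell
# Added example (not from the original post): delegate least-privilege rights over
# computer objects in one OU to a helpdesk group, instead of Full Control on the OU.
# Assumptions: $OuDn and $GroupName are placeholders for the real OU and group.
Import-Module ActiveDirectory

$OuDn      = 'OU=Workstations,DC=example,DC=com'   # assumption: target OU
$GroupName = 'Helpdesk-ComputerAdmins'              # assumption: delegated group

$rootDse = Get-ADRootDSE
$group   = Get-ADGroup -Identity $GroupName
$sid     = New-Object System.Security.Principal.SecurityIdentifier $group.SID

# Resolve object-class / attribute GUIDs from the schema partition.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
# Resolve extended-right / validated-write / property-set GUIDs from Extended-Rights.
function Get-RightsGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -Filter "displayName -eq '$DisplayName'" -Properties rightsGuid
    return [guid]$obj.rightsGuid
}

$computerClass = Get-SchemaGuid 'computer'
$nameAttr      = Get-SchemaGuid 'name'     # rename needs write on the RDN attributes
$cnAttr        = Get-SchemaGuid 'cn'
$resetPassword = Get-RightsGuid 'Reset Password'
$validatedDns  = Get-RightsGuid 'Validated write to DNS host name'
$validatedSpn  = Get-RightsGuid 'Validated write to service principal name'
$acctRestrict  = Get-RightsGuid 'Account Restrictions'

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inhAll  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$inhDesc = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$R       = [System.DirectoryServices.ActiveDirectoryRights]

function New-Ace($Rights, [guid]$ObjectType, $Inheritance, [guid]$InheritedType) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, $allow, $ObjectType, $Inheritance, $InheritedType)
}

$acl = Get-Acl -Path "AD:\$OuDn"

# 1. Create computer objects in this OU and its sub-OUs. DeleteChild is deliberately
#    NOT granted, so the group cannot bulk-delete accounts.
$acl.AddAccessRule((New-Ace $R::CreateChild $computerClass $inhAll ([guid]::Empty)))

# 2. On existing computer objects only (inheritedObjectType = computer class):
#    reset the machine password so a rebuilt box can re-join under the same name.
$acl.AddAccessRule((New-Ace $R::ExtendedRight $resetPassword $inhDesc $computerClass))
#    validated writes of dNSHostName / servicePrincipalName, set during a domain join.
$acl.AddAccessRule((New-Ace $R::Self $validatedDns $inhDesc $computerClass))
$acl.AddAccessRule((New-Ace $R::Self $validatedSpn $inhDesc $computerClass))
#    Account Restrictions property set (userAccountControl etc.) for enable/re-join.
$acl.AddAccessRule((New-Ace $R::WriteProperty $acctRestrict $inhDesc $computerClass))
#    name/cn so the techs can rename a computer to the naming convention.
$acl.AddAccessRule((New-Ace $R::WriteProperty $nameAttr $inhDesc $computerClass))
$acl.AddAccessRule((New-Ace $R::WriteProperty $cnAttr $inhDesc $computerClass))

Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: list only the ACEs for the delegated group.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Run it once per OU that the techs maintain (a separate computer OU per site works well with 2003-era remote DCs, since the delegation then also scopes which machines each site's staff can touch). If stale accounts must occasionally be removed, grant DeleteChild for the computer class to a smaller group rather than to everyone who joins machines, and watch the DC security log for Directory Service object deletions (event 5141 on 2008 and later) under that group. Note that this does not address point 2: reading the directory structure with RSAT is by design available to Authenticated Users, so delegation limits what they can change, not what they can see.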