So I know I ask this question every few years. "Delegate to AD" is the typical answer. So this year I am going to go into full explanation mode, and I prefer this to be more of a discussion. Suggestions/Best Practices/First-hand experiences...
Environment:
Large company, multi domain, multi forest... but for now, let's try for one domain: roughly 5000 member servers at any given moment.
Windows 2003 SP3 / Win 2008 / Win 2008 R2... AD is mixed 2003/2008 at the moment.
Problem:
Historically there has been a long-standing request process where application owners/teams have been granted Local Admin access to their servers. In the last 5 years we have been trying to tighten the belt. We purged unauthorized IDs, tons of locally created accounts, and 1000s of nested "non-admin" domain groups, to the tune of around 1M unique objects removed from the servers in total (2009). It was at least legible at this point. Local Administrators only contained domain-based "Admin" groups.
Add Domain Accounts -> Domain Groups -> Nested in local Administrators
As you may already be thinking, "If you give them Admin access to these machines they are just going to go add more accounts to the administrators... all that work in vain." True. And we make feeble attempts to catch/reverse this and slap hands. However, I am not now, nor have I ever been, comfortable with this approach.
So... we thought of reducing the rights of these Application Owners (they are IT department people for the most part, BTW). So how about Backup Operators, Remote Desktop Users, and Event Log Readers: add them there instead of Administrators.
I tried to create a local group "Company Admins" and nesting it in all the local built-in groups... that didn't work. Built-in groups do not allow local group nesting (well, you can force it but it doesn't work anyhow). Is there a way to assign the privileges held by the built-in groups to a custom local group?
Primarily the goal is to allow the customer to have "nearly Administrator" privileges, just no access to muck with local policy settings or Local Users & Groups. But they still install apps, monitor their logs, and administer their applications successfully.
Those who say "Delegate to the Domain", please explain further how to accomplish this level of granularity doing so.
Also, I know there is a host of "off the shelf" products to assist with Admin access delegation, but I can't seem to understand why this problem cannot be solved using inherent MS products. (And I ain't got no money.)
Any advice is greatly appreciated.
thx
Houston
skate and destroy
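One way to operationalize the model the post describes (domain groups nested in local built-in groups, with drift in local Administrators caught and reported) is a PowerShell audit/remediation script run from an admin workstation. This is an added example, not code from the post or from anyone answering it; the domain name CONTOSO, the group names, and the server list are assumptions. It uses the WinNT ADSI provider so it also reaches 2003/2008 hosts that lack the newer Get-LocalGroupMember cmdlets.

```powershell
# Audit local Administrators against an approved list and populate the reduced-rights
# built-in groups instead. Assumed values: domain CONTOSO, group names, server names.
# Requires local admin on each target and PowerShell 2.0 or later on the workstation.

$Domain        = 'CONTOSO'                                              # assumption
$ApprovedAdmin = @("$Domain\Server-Admins", "$Domain\Domain Admins")    # assumption
$AppOwnerGroup = 'App-Owners'                                           # assumption
$Servers       = @('srv-app01', 'srv-app02')                            # constructed sample
# 'Event Log Readers' exists only on Windows 2008 and later; the Add fails on 2003.
$LowPrivGroups = @('Backup Operators', 'Remote Desktop Users', 'Event Log Readers')

function Get-LocalGroupMembership {
    param([string]$Computer, [string]$Group)
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    foreach ($m in @($grp.psbase.Invoke('Members'))) {
        # Each member is a COM object; read its ADsPath (e.g. WinNT://CONTOSO/Server-Admins)
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $path -replace '^WinNT://', '' -replace '/', '\'       # -> CONTOSO\Server-Admins
    }
}

function Find-UnapprovedAdmins {
    param([string]$Computer)
    # The built-in local Administrator account is always expected; everything else must be approved
    $approved = $ApprovedAdmin + "$Computer\Administrator"
    Get-LocalGroupMembership -Computer $Computer -Group 'Administrators' |
        Where-Object { $approved -notcontains $_ }                # case-insensitive compare
}

function Add-DomainGroupToLocalGroup {
    param([string]$Computer, [string]$LocalGroup, [string]$DomainGroup)
    $grp = [ADSI]"WinNT://$Computer/$LocalGroup,group"
    try   { $grp.Add("WinNT://$Domain/$DomainGroup,group") }
    catch { Write-Warning "$Computer/$LocalGroup: $($_.Exception.Message)" }  # already a member, or group absent
}

foreach ($s in $Servers) {
    # Report only; removing members is a deliberate follow-up step, not automated here
    $drift = @(Find-UnapprovedAdmins -Computer $s)
    if ($drift.Count) { Write-Warning "$s Administrators drift: $($drift -join ', ')" }
    else              { Write-Host "$s Administrators OK" }
    # Grant the application owners the narrower built-in roles the post proposes
    foreach ($lg in $LowPrivGroups) {
        Add-DomainGroupToLocalGroup -Computer $s -LocalGroup $lg -DomainGroup $AppOwnerGroup
    }
}
```

Run it on a schedule and the warning lines become the drift report for the "catch/reverse" step; membership of the reduced-rights groups is idempotent because an existing membership just produces a caught error.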