Segmenting which IT admins can access various servers

Albert M Gostick

Hi,

We have a couple dozen servers in our environment and right now, all IT admins can access all servers because all IT admins are part of the Domain Admins group and every server has "Domain Admins" as part of the local Administrators group on that server. Or at least that is how the permissions are being granted from what I can tell.

But I would like to change it so that this is split between senior admins and regular admins. This is what I would envision:

These groups in AD:

- Senior Admins
- Regular Admins

and then for the servers:

- Critical Servers (or something to denote domain controllers, Exchange server, etc.)
- Non-Critical Servers (file servers, utility servers, etc.)

Then the IT people get put into the first 2 groups and the servers go into one of the server groups.

Then I suppose that one of the two server groups goes into the local Administrators group on each server so that each person can RDC into the servers that they need to work on and have full rights to work on that server.

Is this the correct way to do this or is there something built-in within AD groups to do the same?

Thanks.
