The protection and management of built-in administrative groups in Active Directory helps to provide us confidence and security in the stability and ownership of our domain and resources. These groups tend to become overrun with unintended or forgotten membership; requiring our diligent attention and constant effort to maintain.
This is really what Restricted Groups are intended for but it rarely seems to be used in this manner. More often we see Restricted Groups being used to protect the local Administrators group on workstations and servers. This is a good thing, and if you need more assistance understanding how to do this, I’d encourage that you read my friend Florian’s blog post. However, what I want to encourage you to do here is to protect your domain groups with Restricted Groups.
Protecting domain groups with Restricted Groups is just like protecting local groups with two exceptions, you want to link the policy to the Domain Controllers OU and you nearly always should use the member set mode which will wipe out all users from the group which are not specified in the policy.
I can’t tell you which groups you should protect in entirety but I would encourage that at a minimum you protect these four groups in each domain where applicable:
- DOMAINAdministrators
- DOMAINDomain Admins
- DOMAINEnterprise Admins
- DOMAINSchema Admins
There is no magic number of members which should be included in the built-in groups. That is something that you have to determine as part of building a delegation model – a critical effort to the health of any directory services implementation. The only strict recommendation that I have across all organizations is that the Schema Admins group should contain no members – including the built-in Administrator account. When it is time for you to adjust the schema, you can briefly adjust this policy, make the changes, and then set it back to a blank membership. The last thing you want to do is unintentionally modify the schema.
This policy does not prevent members from being added to the built-in groups anymore than Restricted Groups for local accounts prevents additions to local group membership. However, domain controllers refresh their policy more often than member servers and workstations do. Every 5 minutes, any adjustments to the membership of these protected groups will be reset and your critical groups will be back to a known state.
This functionality is not limited to built-in groups in the directory. You can use Restricted Groups to protect any group membership that you choose. For instance, if you have a Payroll Team and a corresponding group in AD that has access to everyone’s salary and tax information, you may want to protect this group to provide you a level of confidence and security.
As always, there is no silver bullet to security. This is not going to be the wall to keep bad things out. Rather it is part of a strategy which will give you confidence in the membership of your critical groups over the long-term. There is an interesting exception to this functionality which I will be blogging about in the future.