I was thinking of starting a new category in my blog called “You don’t need Domain Admin”.

I will use this to gather info about delegation from Active Directory out to the client in different cases and needs.

I personally think delegation of roles and responsibility is an important part of securing the infrastructure. If everybody had access to everything or has the ability to gain access to everything on himself, well then the security is gone.

I will start with something that I see almost everywhere and it can never be justified when you start talking about it. One of the first thing I look at when I’m in a new AD environment is the high-privileged group memberships. There is always so many users and service account members I always fall of the chair, and when I get up and ask about it I always get the same answers. Continue reading →