Hey Checkyourlogs Fans,
This post outlines the steps needed to create and configure Group Policy Objects (GPOs) for tiering your Active Directory environment. The goal is to restrict access for Domain Admins, Server Admins, and Desktop Admins based on their tiered responsibilities. This will ensure that only the designated administrators can log into specific systems (Domain Controllers, Servers, or Desktops).
Prerequisites:
- Active Directory environment with defined user groups: Domain Admins, Server Admins, and Desktop Admins.
- Domain Controllers, Servers, and Desktops with necessary OS configurations.
- Group Policy Management Console (GPMC) installed and available on the machine you administer from.
Step 1: Create Security Groups for Each Admin Role
- Domain Admins Group: This is the default Domain Admins group. If custom, ensure it only contains users who should have Domain Controller access.
- Server Admins Group: Create a new security group named Server Admins. This will include users who should be allowed to log into servers.
- Desktop Admins Group: Create a new security group named Desktop Admins. This will contain users who should be allowed to log into Desktops.
Step 2: Define Organizational Units (OUs)
If they do not already exist, create OUs for your different types of machines. Then, create GPOs to target these OUs.
- Domain Controllers OU: Ensure all Domain Controllers are located within this OU.
- Servers OU: Ensure all physical and virtual servers are in this OU.
- Desktops OU: Ensure all user workstations (desktops) are in this OU.
Step 3: Create GPO for Domain Admins – Restrict Login to Domain Controllers
- Open Group Policy Management Console (GPMC).
- Right-click on Group Policy Objects, then select New.
- Name the new GPO: “Restrict Domain Admins to DC”.
- Edit the GPO.
- Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Double-click Allow log on locally to edit.
- Remove the Domain Admins group from the list of users/groups who can log on locally.
- Add the Domain Admins group to Allow log on through Remote Desktop Services (if remote logon is allowed).
- Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Double-click Deny log on locally and add Server Admins and Desktop Admins groups.
- Link the GPO:
  - Right-click on the Domain Controllers OU and select Link an Existing GPO.
  - Choose the “Restrict Domain Admins to DC” GPO and click OK.
Step 4: Create GPO for Server Admins – Restrict Login to Servers
- Right-click on Group Policy Objects, then select New.
- Name the new GPO: “Restrict Server Admins to Servers”.
- Edit the GPO.
- Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Double-click Allow log on locally to edit.
- Remove the Server Admins group from the list of users/groups who can log on locally.
- Add the Server Admins group to Allow log on through Remote Desktop Services (if remote logon is allowed).
- Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Double-click Deny log on locally and add Domain Admins and Desktop Admins groups.
- Link the GPO:
  - Right-click on the Servers OU and select Link an Existing GPO.
  - Choose the “Restrict Server Admins to Servers” GPO and click OK.
Step 5: Create GPO for Desktop Admins – Restrict Login to Desktops
- Right-click on Group Policy Objects, then select New.
- Name the new GPO: “Restrict Desktop Admins to Desktops”.
- Edit the GPO.
- Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Double-click Allow log on locally to edit.
- Remove the Desktop Admins group from the list of users/groups who can log on locally.
- Add the Desktop Admins group to Allow log on through Remote Desktop Services (if remote logon is allowed).
- Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
- Double-click Deny log on locally and add Domain Admins and Server Admins groups.
- Link the GPO:
  - Right-click on the Desktops OU and select Link an Existing GPO.
  - Choose the “Restrict Desktop Admins to Desktops” GPO and click OK.
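The three GPOs from Steps 3 to 5 can be created and linked from PowerShell instead of clicking through GPMC. This is an added example, not code from the original post; the OU distinguished names are assumptions (Domain Controllers is the built-in OU), and the User Rights Assignment entries themselves are still set in the GPO editor, because the GroupPolicy cmdlets cannot write them.

```powershell
# Added example, not code from the original post: create the three tiering
# GPOs and link each to its OU with the GroupPolicy and ActiveDirectory
# modules (RSAT). The GroupPolicy cmdlets cannot set User Rights Assignment
# entries, so Allow/Deny log on locally and Allow log on through Remote
# Desktop Services are still configured in the editor as Steps 3-5 describe.
# OU names are assumptions; adjust them to your domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$tiers = @(
    @{ Gpo = 'Restrict Domain Admins to DC';        Ou = "OU=Domain Controllers,$domainDn" }
    @{ Gpo = 'Restrict Server Admins to Servers';   Ou = "OU=Servers,$domainDn" }
    @{ Gpo = 'Restrict Desktop Admins to Desktops'; Ou = "OU=Desktops,$domainDn" }
)

foreach ($t in $tiers) {
    # Fail early if the OU is missing: a mistyped OU would leave that tier unprotected.
    Get-ADOrganizationalUnit -Identity $t.Ou -ErrorAction Stop | Out-Null

    # Create the GPO only if it does not already exist, so the script can be re-run.
    $gpo = Get-GPO -Name $t.Gpo -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $t.Gpo -Comment 'Tiered admin logon restriction (see Steps 3-5)'
        Write-Host "Created GPO '$($t.Gpo)'"
    }

    # Link it to the OU unless a link is already present.
    $linked = (Get-GPInheritance -Target $t.Ou).GpoLinks | Where-Object { $_.DisplayName -eq $t.Gpo }
    if (-not $linked) {
        New-GPLink -Name $t.Gpo -Target $t.Ou -LinkEnabled Yes | Out-Null
        Write-Host "Linked '$($t.Gpo)' to $($t.Ou)"
    }
}

# Review the result: which GPO is linked where, and whether each link is enabled.
foreach ($t in $tiers) {
    (Get-GPInheritance -Target $t.Ou).GpoLinks |
        Select-Object @{ n = 'OU'; e = { $t.Ou } }, DisplayName, Enabled, Enforced, Order
}
```

After running it, open each GPO in the editor and complete the User Rights Assignment settings from the step for that tier.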
Step 6: Apply and Test the Group Policies
- Force Group Policy Update:
  - On each system (Domain Controllers, Servers, Desktops), run the following command to force an update:
- Test Login Restrictions:
  - Domain Admin: Ensure they can log into only Domain Controllers.
  - Server Admin: Ensure they can only log into servers.
  - Desktop Admin: Ensure they can log into only Desktops.
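Logging on as each admin is the functional test; the script below is an added check, not code from the original post, that reads the effective user rights off a machine after gpupdate /force and compares them with what Steps 3 to 5 configure for that tier. Group names and the NetBIOS domain CONTOSO are assumptions.

```powershell
# Added example, not code from the original post: verify the effective logon
# rights on a machine after gpupdate /force. Exports the local policy with
# secedit, parses [Privilege Rights], resolves SIDs to names, and checks that
# the groups Steps 3-5 deny really are denied while the tier's own admin
# group is not locked out. Group names and the NetBIOS domain CONTOSO are
# assumptions. Run from an elevated PowerShell session.
function Get-EffectiveLogonRights {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $right = $matches[1]
            $members = foreach ($e in $matches[2].Split(',')) {
                $e = $e.Trim().TrimStart('*')          # secedit writes SIDs as *S-1-5-...
                if (-not $e) { continue }
                try   { ([System.Security.Principal.SecurityIdentifier]$e).Translate(
                            [System.Security.Principal.NTAccount]).Value }
                catch { $e }                           # unresolvable SID or literal name
            }
            $rights[$right] = @($members)
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}
# Who must be denied local logon on each tier (Steps 3-5), and who owns the tier.
$tierDenies = @{
    DomainController = @('CONTOSO\Server Admins', 'CONTOSO\Desktop Admins')
    Server           = @('CONTOSO\Domain Admins', 'CONTOSO\Desktop Admins')
    Desktop          = @('CONTOSO\Domain Admins', 'CONTOSO\Server Admins')
}
$tierOwner = @{ DomainController = 'CONTOSO\Domain Admins'; Server = 'CONTOSO\Server Admins'; Desktop = 'CONTOSO\Desktop Admins' }
function Test-TierLogonRights {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $tier = switch ((Get-CimInstance Win32_OperatingSystem).ProductType) {
        1 { 'Desktop' } 2 { 'DomainController' } 3 { 'Server' }
    }
    $rights    = Get-EffectiveLogonRights
    $denyLocal = @($rights['SeDenyInteractiveLogonRight'])
    $denyRdp   = @($rights['SeDenyRemoteInteractiveLogonRight'])
    $ok = $true
    foreach ($g in $tierDenies[$tier]) {
        if ($denyLocal -notcontains $g) { Write-Warning "${tier}: $g is NOT denied local logon"; $ok = $false }
        # 'Deny log on locally' does not cover RDP; that is a separate user right.
        if ($denyRdp -notcontains $g)   { Write-Warning "${tier}: $g is not denied Remote Desktop logon" }
    }
    if ($denyLocal -contains $tierOwner[$tier]) { Write-Warning "${tier}: own admin group is locked out"; $ok = $false }
    return $ok
}
```

Call Test-TierLogonRights on a machine from each tier; it returns $true when the effective deny list matches the tier, and the RDP warning points out that Deny log on locally alone does not stop a Remote Desktop logon.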
Step 7: Documentation and Maintenance
- Document the changes, including the targeted user groups, the affected systems, and the configured GPO settings.
- Monitor the effectiveness of these policies to ensure they are being enforced correctly and adjust if needed.
Additional Considerations:
- Remote Desktop Access: Confirm that the matching access rights are also configured in your RDS licensing and session host configuration, not only in the GPO.
- GPO Inheritance: Ensure that GPO inheritance is blocked where needed to avoid unwanted policies applying to specific OUs.
- Testing: Thoroughly test each GPO on non-production machines to confirm that the access restrictions work as intended.
Following this procedure, you can implement tiered administrative access in your Active Directory environment to improve security and maintain proper access controls for Domain Admins, Server Admins, and Desktop Admins. As a side note, you shouldn’t RDP into anything in the environment except with MFA (such as Duo) and from a Privileged Access Workstation. Adjust this guide accordingly.
Thanks,
Dave