Q: A consultant for our company gave a computer Domain Admin rights in Active Directory (AD); he said it's necessary when pushing out Microsoft Systems Management Server (SMS) to clients. Is that true?

A: I don't recommend adding your SMS site server's computer account to Domain Admins. The SMS site server doesn't need Domain Admins authority; it needs only local administrator authority on the computers in the domain on which it will install the SMS client. Making the SMS site server, or any other server or application, a member of Domain Admins is a quick way to give that computer and its administrators access to every computer in the domain, but it also gives them full control of AD itself, including the domain controllers. The principle of least privilege dictates that you never give people more authority than they need to do their jobs, and Domain Admins authority in the wrong hands can cause huge problems through both honest mistakes and malicious behavior.

The best way to handle this situation is to create a new domain global group called Member Computer Local Admins. Make the computers that need administrator authority on other systems in the domain (in this case, the SMS site server's computer account) members of the Member Computer Local Admins group.

Then, create a Group Policy Object (GPO) with a Restricted Groups policy that makes Member Computer Local Admins a member of the Administrators local group. Apply that GPO to all the computers in the domain except the domain controllers (DCs). You don't want this policy to apply to your DCs because a DC has no separate local Administrators group; its Administrators group is the domain's built-in Administrators group, so applying the policy there would give the SMS site server administrator authority over AD.

To create and apply the GPO, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Right-click the root of the domain, select Properties, then select the Group Policy tab. Click New to create a new GPO, and name it Restricted Group - Local Admins. Right-click the GPO, select Properties, then select the Security tab. Add a permission entry that denies the Domain Controllers group (the built-in global group that contains every DC's computer account) the Apply Group Policy permission, as shown in Figure 1. Adding this access control entry (ACE) prevents DCs from applying this GPO, which keeps the Member Computer Local Admins group out of the domain's Administrators group. Click OK to close the Security and Properties dialog boxes.

Back at the Properties dialog box of the domain root, click Edit, which opens the MMC Group Policy Object Editor snap-in. Navigate to Computer Configuration\Windows Settings\Security Settings\Restricted Groups, as shown in Figure 2. Right-click Restricted Groups and select Add Group. Type Administrators and click OK to close the Add Group dialog box. Windows opens a new Properties dialog box for the policy. Under Members of this group, click Add, then Browse. Enter Member Computer Local Admins and select Check Names. Click OK three times.

The Group Policy Object Editor should now show a policy that mandates that Member Computer Local Admins be made a member of the Administrators local group whenever this GPO is applied. Because this GPO is linked to the root of the domain, every computer in the domain will apply it except the DCs, thanks to the deny Apply Group Policy ACE we assigned earlier. One caveat: the Members of this group setting is authoritative. Each time the policy applies, Windows makes the local Administrators group's membership match the list exactly and removes any account or group that isn't listed, Domain Admins included. If other accounts or groups must remain local administrators on your member computers, add them to the same Restricted Groups entry alongside Member Computer Local Admins.
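The procedure above is a GUI walk-through; the following PowerShell is an added example, not part of the original column, that performs the scriptable steps (the global group, the GPO, its link at the domain root and the Deny Apply Group Policy ACE for the Domain Controllers group) and then verifies the result. It assumes the RSAT ActiveDirectory and GroupPolicy modules, the group and GPO names used in the text, and the Domain Controllers group (RID 516) as the trustee for the deny ACE. The Restricted Groups setting itself has no cmdlet, so that step is still done in the Group Policy Object Editor; the check function reads it back from the GPO's XML report.

```powershell
# Added example (not from the original column). Requires the RSAT ActiveDirectory
# and GroupPolicy modules, run as an account that can create groups and GPOs.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$GroupName = 'Member Computer Local Admins'     # group name used in the answer
$GpoName   = 'Restricted Group - Local Admins'  # GPO name used in the answer

# GUID of the "Apply Group Policy" extended right; this is the right the
# Security tab's Deny ACE targets on the GPO's AD object.
$ApplyGroupPolicyRight = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'

# The problem in the question: computer accounts holding Domain Admins,
# directly or through nested groups. Ideally this returns nothing.
function Get-ComputerAccountsInDomainAdmins {
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'computer' } |
        Select-Object Name, DistinguishedName
}

# Scripted equivalent of the group, GPO, link and Security-tab steps above.
function New-LocalAdminGpo {
    $domainDn = (Get-ADDomain).DistinguishedName

    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security | Out-Null
    }
    try   { $gpo = Get-GPO -Name $GpoName -ErrorAction Stop }
    catch { $gpo = New-GPO -Name $GpoName }

    $links = (Get-GPInheritance -Target $domainDn).GpoLinks
    if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
        New-GPLink -Name $GpoName -Target $domainDn -LinkEnabled Yes | Out-Null
    }

    # Deny "Apply Group Policy" to the Domain Controllers group on the GPO's
    # groupPolicyContainer object. Get-GPO's Path property is that object's DN.
    $dcSid  = (Get-ADGroup -Identity 'Domain Controllers').SID
    $adPath = "AD:\$($gpo.Path)"
    $acl    = Get-Acl -Path $adPath
    $rule   = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
                  $dcSid,
                  [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                  [System.Security.AccessControl.AccessControlType]::Deny,
                  $ApplyGroupPolicyRight
    $acl.AddAccessRule($rule)
    Set-Acl -Path $adPath -AclObject $acl
}

# Verify the three things the answer relies on: the link at the domain root,
# the Deny Apply Group Policy ACE for Domain Controllers (RID 516), and the
# Restricted Groups entry that puts the global group into Administrators.
function Test-LocalAdminGpo {
    $domainDn = (Get-ADDomain).DistinguishedName
    $linked   = (Get-GPInheritance -Target $domainDn).GpoLinks |
                    Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled }
    $dcDenied = Get-GPPermission -Name $GpoName -All | Where-Object {
                    $_.Permission -eq 'GpoApply' -and $_.Denied -and
                    $_.Trustee.Sid.Value -like '*-516' }

    # Read the setting back from the XML report. local-name() sidesteps the
    # report's namespace prefixes; element names are as emitted by Get-GPOReport.
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    $adminsEntry = $report.SelectNodes("//*[local-name()='RestrictedGroups']") | Where-Object {
        $_.SelectSingleNode("*[local-name()='GroupName']/*[local-name()='Name']").InnerText -match 'Administrators$' }
    $members = @($adminsEntry | ForEach-Object {
        $_.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") | ForEach-Object InnerText })

    [pscustomobject]@{
        LinkedAtDomainRoot      = [bool]$linked
        DomainControllersDenied = [bool]$dcDenied
        AdministratorsMembers   = $members   # everything else will be removed from local Administrators
        GroupIsLocalAdmin       = [bool]($members | Where-Object { $_ -like "*$GroupName" })
    }
}
```

Run `New-LocalAdminGpo`, add the Restricted Groups entry in the editor as described, then run `Test-LocalAdminGpo` and expect all three booleans to be true; `AdministratorsMembers` also shows you exactly which accounts will be left in local Administrators on every member computer. Once the SMS site server has been taken out of Domain Admins and put into Member Computer Local Admins, `Get-ComputerAccountsInDomainAdmins` should return nothing.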