Hello again, world's most sporadic blogger here. A while back, I posted here recommending that people who are interested in admin-free Active Directory stay tuned to this site. The reason for that post was that I'd just learned that we were going to write and publish a document that would include some of the information I'd originally intended to publish here. We published Best Practices for Securing Active Directory (BPSAD) in April of 2013, and if you haven't seen it already, please take a look. It's a long document, but we hope that the content is useful.
Now that the BPSAD has been published and readers have had some time to digest it, I'm planning to produce a post now and then discussing some of the things that are in the document, some of the things that aren't in the document, and our reasons for each. I'd also like to provide related information such as sample approaches to some of the things we recommend in the document. If you're interested in any of those things, please check back here now and again. I can't promise that I'll be posting regularly or frequently, but I will be posting.
Thanks for reading, and I'll be back soon...
Hello, Laura. All of your posts are very valuable. I would appreciate if you can advise about the recommended practice to allowing some specific administrators to, for example, manage some domain controller servicing tasks without being able of changing domain configuration. In fact, the "Best Practices for Delegating Active Directory Administration" white paper and more precisely its appendices document (Best Practices for Delegating Active Directory Administration: Appendices) published by Microsoft in 2003 give guidance for creating the role "Domain Controller Administrators" and making the associated group a member of the builtin Administrators group in the domain (page 194), and I'm not willing to do that. In fact it would be nice to have an updated revision of that document oriented to delegating administration for Active Directory 2008 R2 and 2012.