G'day viewers, my name is Oren Thomas. I'm a principal hybrid cloud advocate at Microsoft. In this video, I'll cover the steps for securing the Domain Admins Active Directory Domain Services built-in security group. This advice is based on the documentation published on learn.microsoft.com at the link in this video's description.

The Domain Admins group is a built-in global security group in Active Directory that holds highly privileged rights over the entire domain. Members of the Domain Admins group have broad and unrestricted control over the domain: they can change domain-wide settings and security policies, and they can administer all servers and workstations within the domain. Each domain in a forest has its own separate Domain Admins group. The forest root domain's Enterprise Admins group and each domain's built-in Administrator account are members of the Domain Admins group.

Permissions associated with the Domain Admins group include the following. Domain Admins have administrative privileges over all computers joined to the domain, including domain controllers, servers, and workstations. Domain Admins have the authority to manage user accounts, group memberships, organizational units, and other Active Directory objects throughout the entire domain. Domain Admins can configure and enforce security policies, manage Group Policy objects, and make changes affecting the security of the entire domain. The Domain Admins group is the default owner of any object that is created in Active Directory for the domain by any member of the Domain Admins group. If members of the group create other objects, such as files, the default owner is the Administrators group. The Domain Admins group controls access to all domain controllers in a domain, and its members can modify the membership of all administrative accounts in the domain.
Members of the service administrator groups in a domain, such as Administrators and Domain Admins, and members of the forest's Enterprise Admins group can modify the membership of the Domain Admins group. This group is considered a service administrator group because its members have full access to the domain controllers in a domain. Domain Admins are, by default, members of the local Administrators group on all member servers and workstations in their respective domains. As members of the local Administrators group on each domain member, Domain Admins can install and uninstall software on, or modify the configuration and settings of, any computer in the domain.

Always exercise caution when assigning users to the Domain Admins group, as membership grants extensive control and privileges. Microsoft recommends that you follow the principle of least privilege, granting only the minimum permissions necessary for privileged users, such as support and operations staff, to perform their duties. You can use delegation to assign scoped privileges to groups, and technologies such as Just Enough Administration, to limit administrative privileges to only those necessary to perform specific tasks.

Support documentation makes assumptions about how privileged groups, such as the Domain Admins and Enterprise Admins groups, are configured. Default permissions and memberships are generally required for supportability and disaster recovery purposes. Support documentation and processes assume that these security principals have been left in their default configuration. You should not modify the default permissions and group memberships assigned to the Domain Admins group. Rather than modify how the group works, you should instead limit and monitor group membership.
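One way to put that last point into practice, as an added example that is not from the video or the linked Microsoft article: a PowerShell check that lists every direct or nested member of Domain Admins other than the domain's built-in Administrator account (RID 500). It assumes the RSAT ActiveDirectory module is installed and the caller can read group membership; the function name is my own.

```powershell
# Added example (not from the video or the linked article): report every member of
# Domain Admins, direct or nested, that is not the built-in Administrator (RID 500).
# Assumes the RSAT ActiveDirectory module and permission to read group membership.
Import-Module ActiveDirectory

function Get-UnexpectedDomainAdmin {
    param(
        # Query the PDC emulator so the result reflects the most current membership
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    $domain    = Get-ADDomain -Server $Server
    $domainSid = $domain.DomainSID.Value
    $adminSid  = "$domainSid-500"    # built-in Administrator always has RID 500
    $daSid     = "$domainSid-512"    # Domain Admins always has RID 512, whatever its display name

    # -Recursive expands nested groups, so accounts reaching Domain Admins indirectly are reported too
    foreach ($member in Get-ADGroupMember -Identity $daSid -Server $Server -Recursive) {
        if ($member.SID.Value -ne $adminSid) {
            [pscustomobject]@{
                Name        = $member.SamAccountName
                ObjectClass = $member.objectClass
                SID         = $member.SID.Value
            }
        }
    }
}

$unexpected = @(Get-UnexpectedDomainAdmin)
if ($unexpected.Count -eq 0) {
    Write-Output 'Domain Admins contains only the built-in Administrator account.'
} else {
    Write-Warning "Domain Admins has $($unexpected.Count) member(s) besides the built-in Administrator:"
    $unexpected | Format-Table -AutoSize
}
```

Run it on a schedule and compare the output against the previous run; any new row is a membership change that should line up with a ticket or an approved temporary elevation.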
Microsoft's recommendation is to remove all members from the group, with the possible exception of the built-in Administrator account for the domain, but to ensure that the built-in Administrator account has been secured as described in Appendix D: Securing Built-in Administrator Accounts in Active Directory. The Appendix D document was covered in a previous video on this channel. From a pragmatic standpoint, this may appear to be something an organization would like to do in theory but has a lot of challenges achieving in practice. It's all well and good to have an article that says don't have anyone in this group, but IT operations staff are busy people, and correctly implementing least privilege is a lot of work. Although not recommended by the linked advice, and not constituting official advice, you may choose to temporarily add accounts to this group to perform specific uncommon administrative tasks that require elevated privileges, rather than go to the effort of creating a special group with specific delegated privileges. Keep in mind that the vast majority of common AD DS operations performed by IT staff do not require Domain Admins privileges. Most of these tasks can be accomplished using existing built-in groups, or by delegating rights, such as the ability to reset passwords or manage Group Policy, in a scoped way to specially created security groups.

To restrict the ability to use the Domain Admins group to perform tasks on domain member servers and workstations, you should create a Group Policy object linked to the organizational units hosting member server and workstation computer accounts in each domain. You should configure this Group Policy object so that the Domain Admins group is assigned the following user rights under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment, as shown in the image on the screen: Deny access to this computer from the network; Deny log on as a batch job; Deny log on as a service; Deny log on locally; and Deny log on through Remote Desktop Services. Remember that this Group Policy object should not apply to domain controllers. This policy restricting the rights of the Domain Admins group should only apply to OUs containing member server and workstation computer accounts. If you are worried about how it will be possible to have administrative privileges on member servers and workstations without membership in the Domain Admins group, you should investigate the new version of Local Administrator Password Solution (LAPS) that is integrated into newer versions of Windows Server. This tool will be the subject of a future video in this series.

Configure auditing to generate alerts if any modifications are made to the properties or membership of the Domain Admins group. Alerts should be sent to the users or teams responsible for administration of Active Directory, in addition to incident response teams in your organization. You configure auditing for changes to the Domain Admins group by enabling the Audit Security Group Management audit policy in the Default Domain Controllers GPO. Enabling this policy setting allows you to audit events generated by changes to security groups, such as the following: a security group is created, changed, or deleted; a member is added to or removed from a security group; or the group type is changed. If you configure this policy setting, an audit event is generated when an attempt to change a security group is made. If you do not configure this policy setting, no audit event is generated when a security group changes. The events that you are interested in, which will be located in the DC Security log, are related to the management of global groups. If you watched the video on securing Enterprise Admins, the event IDs there are different because Enterprise Admins has the universal group scope. The event IDs you should monitor related to the Domain Admins group are event ID 4737, a security-enabled global group was changed.
Event ID 4728, a member was added to a security-enabled global group. Event ID 4729, a member was removed from a security-enabled global group. The image on the screen shows the event that occurs in the Security event log on the DC when a user account named "not suspicious" is added to the Domain Admins group while auditing of security group management is enabled.

In this video, you learned about steps you can take to secure the built-in Domain Admins group present in each domain in an Active Directory forest. The advice in this video is drawn from the article linked in the video description. Increasing the security controls applied to the Domain Admins group will improve your overall AD DS security posture, but it will not make your systems invulnerable. Security is always a matter of balancing what can be pragmatically accomplished by administrators in day-to-day operations with an assumed-breach philosophy. We are interested in hearing about your experiences as an AD DS administrator. Have you implemented any of the security controls outlined in this video in your environment? What steps do you take in your own Active Directory Domain Services environment to secure the Domain Admins group? I hope you found this video useful and informative. My name is Oren Thomas. You can find me at aka.ms/oren. And if you've got any questions or feedback, drop a comment below.
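As a closing added example (not code from the video or the linked article), this PowerShell function pulls the three event IDs discussed above from a domain controller's Security log and keeps only those where the changed group is Domain Admins, identified by its well-known RID 512 rather than its display name. It assumes Audit Security Group Management is already enabled, the RSAT ActiveDirectory module is present for Get-ADDomain, and the caller can read the DC's Security log; the function name is my own.

```powershell
# Added example (not from the video or the linked article): collect Domain Admins change
# events (4728 member added, 4729 member removed, 4737 group changed) from a DC's Security log.
# Assumes Audit Security Group Management is enabled, the RSAT ActiveDirectory module is
# available for Get-ADDomain, and the caller can read the Security log on the DC.
Import-Module ActiveDirectory

function Get-DomainAdminsChangeEvent {
    param(
        [string]$DomainController = (Get-ADDomain).PDCEmulator,
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    $actions = @{ 4728 = 'Member added'; 4729 = 'Member removed'; 4737 = 'Group changed' }
    $filter  = @{ LogName = 'Security'; Id = 4728, 4729, 4737; StartTime = $Since }

    # Get-WinEvent throws when nothing matches; treat that as an empty result
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The named fields are only exposed through the event XML, so read EventData by name
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # TargetSid is the group that was changed; Domain Admins always ends in RID 512
            if ($data['TargetSid'] -like 'S-1-5-21-*-512') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    EventId   = $_.Id
                    Action    = $actions[[int]$_.Id]
                    Member    = $data['MemberName']     # DN of the account; empty for 4737
                    ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                    DC        = $_.MachineName
                }
            }
        }
}

# Usage: list last week's changes; an empty result means nothing was logged for Domain Admins.
Get-DomainAdminsChangeEvent | Sort-Object Time | Format-Table -AutoSize
```

Each change is logged only on the DC that processed it, so run this against every DC (or forward the Security logs to your SIEM) to get complete coverage.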