Follow these best practices for setting up accounts in your IT department.
See the following:
- Domain Admin => Can only login to DC’s
- Enterprise Admin => If you have more than one domain, this needs to be separate.
- Server Admin => Only servers
- Workstation Admin => Only workstations
- Normal Account => Day to day
- (Preference) This is how I name them:
- If you want to ONLY allow a certain group:
Computer Configuration\Policies\Security Settings\Local Policies\User Rights Assignment\Allow Log on Locally`
- (Add your groups)
- If you just want to deny a group (not recommended imo):
Computer Configuration\Policies\Security Settings\Local Policies\User Rights Assignment\Deny Logon Locally
- Some organizations break out the “Backup Admin” as well since someone with those rights can extract anything they want from AD, including the Administrator password! Best practice is to have this account as a separate password from any Domain Admin or not even join backup servers to the domain.