Secure Your Infrastructure with Least Privileges


I would like to post this topic on securing your infrastructure with least privileges based on each server's requirements. Everybody loves to make things easier by handing out full privileges to some extent, but has it ever crossed your mind to secure your infrastructure?

I believe that in a Windows environment, Active Directory is the most popular service that system admins use to centralize management, and I agree with that. The highest privileges in an AD environment are Domain Admins for each child domain and Enterprise Admins for the forest and its child domains.

Of course, in a lab environment system admins like to use Domain Admins and Enterprise Admins, and so do I. However, in a production zone I would not suggest having so many domain users attached to Domain Admins or Enterprise Admins. It is quite scary.

In the attachment, I have summarized the privileges required for each service.

For example, for a DHCP Server in an AD domain environment, you may require a delegated permission to authorize the server in AD for the first-time configuration. Also, to manage the DHCP Server, membership in DHCP Administrators is enough; Domain Admins is not needed.



Requirement Privilege Document


Grant Replicate Directory Changes Permission on a domain

The account that needs the Replicate Directory Changes permission on a domain controller does not have to be a domain admin; we can grant it by delegation.


Why do we do this?

For example, if users want to update their own information from SharePoint, we can allow the information stored in the SharePoint database to be replicated to Active Directory. Some configuration also needs to be done in SharePoint Administration.


How to Grant Replicate Directory Changes?


  • At your domain controller, open Active Directory Users and Computers.
  • Right-click the domain, for example netoverme.local, and select Delegate Control.
  • Click Next on the Delegation of Control Wizard.
  • On the Users or Groups page, click Add.
  • Type the name of the synchronization account, for example sp_admin, and click Next.
  • On the Tasks to Delegate page, select Create a custom task to delegate and click Next.
  • On the Active Directory Object Type page, select This folder, existing objects in this folder, and creation of new objects in this folder, and click Next.
  • On the Permissions page, select Replicating Directory Changes.
  • Click Next and then Finish.
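The same delegation can be scripted and, more importantly, audited. The following is an added example, not part of the original post: it grants only the Replicating Directory Changes extended right (the wizard's entry above) to the sync account on the domain head, then lists every principal that currently holds that right. It assumes the RSAT ActiveDirectory module, an administrative session, and the post's example account name sp_admin.

```powershell
# Added example (not from the original post): grant Replicating Directory Changes
# to a sync account and list who holds it, so the grant can be reviewed.
# Assumes the RSAT ActiveDirectory module is installed; account name is the post's example.
Import-Module ActiveDirectory

# Well-known GUID of the DS-Replication-Get-Changes extended right, which is the
# "Replicating Directory Changes" entry shown by the Delegation of Control Wizard.
$ReplGetChanges = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

function Grant-ReplicationChanges {
    param(
        [Parameter(Mandatory)][string]$Account,                   # e.g. 'sp_admin'
        [string]$Domain = (Get-ADDomain).DistinguishedName        # domain naming context
    )
    $sid  = (Get-ADUser -Identity $Account).SID
    $path = "AD:\$Domain"
    $acl  = Get-Acl -Path $path

    # One ACE: Allow <account> this single extended right on the domain head.
    # The right is evaluated on the naming context itself, so no inheritance is needed.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ReplGetChanges,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    )
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Get-ReplicationChangesHolders {
    param([string]$Domain = (Get-ADDomain).DistinguishedName)
    # Every Allow ACE on the domain head that carries this extended right.
    # Review this list periodically; it should contain only DCs, the
    # built-in groups that need it, and the sync account delegated above.
    (Get-Acl -Path "AD:\$Domain").Access |
        Where-Object { $_.ObjectType -eq $ReplGetChanges -and
                       $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
}

Grant-ReplicationChanges -Account 'sp_admin'
Get-ReplicationChangesHolders
```

Note that the script deliberately grants only Replicating Directory Changes and not Replicating Directory Changes All; the sync account does not need the latter, and it is the variant that also exposes secret attributes such as password data.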