
Best practice to give vendors admin access to a server

I often see vendors request admin access to work on their servers on our network. Normally, I do not add them to the administrator groups on the domain controller such as Domain Admins, Enterprise Admins, etc. In my opinion, adding third-party users to high-privilege groups poses a security risk and violates the principle of least privilege.

So, what I normally do is give them “restricted” admin access local to their server using group policy on my domain controller.

How is this done?

Note: I omitted the step where I create a standard domain user via Active Directory which in my case will be given to the vendor or third-party organization.

Username: thirdparty.local
Password: *thirdp@rty*

Step 1: Create Security Group

You can name it whatever you want but in this guide I will call it “Vendor_Admins”.

Step 2: Create Group Policy

This step requires opening the Group Policy Management console. There are multiple ways to open it, but I leave it up to the reader to find one; it is easy.

It is advisable to create an organizational unit (OU).

Expand GPM -> Forest -> Domains -> your domain. Right click on your domain and click “New Organizational Unit”.

A dialogue box will open, enter “Vendor Admins” or whatever name according to your use case and click OK.

Right click on your “Vendor Admins” Organizational Unit (OU) and click “Create a GPO in this domain, and Link it here...”

As you can see below, you now have a GPO called Vendor_Admins under the OU with the name Vendor Admins.

Step 3: Edit Group Policy and add it to Vendor_Admins Security Group

Right click on Vendor_Admins GPO and click Edit…

Expand the tree “Computer Configuration\Policies\Windows Settings\Security Settings\Restricted Groups”, right click it, then click “Add Group”.

Right click on the Vendor_Admins group, then click Add under “This group is a member of:”.

Select “Administrators” and “Remote Desktop Users” and click OK.

You should see a screen like the one below.

Step 4: Force Group Policy

Now, it takes time for this to take effect on machines in the domain. But don’t worry, we can force this GPO to take effect immediately by running “gpupdate /force” in a Command Prompt.

In the screenshot below, I RDP into the vendor’s server on the same domain (ictlab.local) using the user “thirdparty”. See credentials above.

On the vendor’s server, you have full admin access. Running Discord does not prompt for any admin credentials.
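A quick way to confirm that the least-privilege intent of this setup actually held is to audit the result on the vendor's server after gpupdate. The script below is an added example, not part of the original post: it assumes the RSAT ActiveDirectory module is available on the server, that the NetBIOS name of ictlab.local is ICTLAB, and that the vendor's account has the samAccountName "thirdparty".

```powershell
# Added verification script (not from the original post). Run on the vendor's
# server after "gpupdate /force". Assumes the ActiveDirectory RSAT module is
# installed and that ICTLAB is the NetBIOS name of ictlab.local (assumption).
#Requires -Modules ActiveDirectory
$VendorGroup   = 'ICTLAB\Vendor_Admins'
$VendorAccount = 'thirdparty'          # samAccountName of the vendor user (assumption)
$LocalGroups   = @('Administrators', 'Remote Desktop Users')
# Tier-0 domain groups a vendor account must never hold. "Administrators" here is
# the domain's built-in Administrators group, not the server's local one.
$ForbiddenDomainGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

$failures = @()

# 1. Restricted Groups in "This group is a member of" mode ADDS the group to the
#    listed local groups (it does not purge other members). Confirm it landed.
foreach ($g in $LocalGroups) {
    $members = Get-LocalGroupMember -Group $g -ErrorAction Stop | Select-Object -ExpandProperty Name
    if ($members -notcontains $VendorGroup) {
        $failures += "Local group '$g' lacks $VendorGroup (GPO not applied? Is this computer in the Vendor Admins OU?)"
    }
}

# 2. Least privilege: the vendor account should reach Administrators only via Vendor_Admins.
$domainGroups = Get-ADPrincipalGroupMembership -Identity $VendorAccount | Select-Object -ExpandProperty Name
foreach ($fg in $ForbiddenDomainGroups) {
    if ($domainGroups -contains $fg) {
        $failures += "$VendorAccount is a direct member of domain group '$fg'"
    }
}
if ($domainGroups -notcontains 'Vendor_Admins') {
    $failures += "$VendorAccount is not in Vendor_Admins; any local admin rights come from elsewhere"
}

# 3. A direct entry for the account in local Administrators bypasses the
#    group-based control (and survives removing the account from Vendor_Admins).
$directAdmins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($directAdmins -contains "ICTLAB\$VendorAccount") {
    $failures += "$VendorAccount is directly in local Administrators, not only via $VendorGroup"
}

if ($failures.Count -eq 0) {
    Write-Output "OK: $VendorGroup is in $($LocalGroups -join ', '); $VendorAccount holds no Tier-0 domain groups."
} else {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Because the GPO is linked to the “Vendor Admins” OU and carries Computer Configuration settings, it only applies to computer objects that sit in that OU, which is what the first check flags when the group is missing.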

wanikwai