AD lockdown help

Django x2 · 5 Sep 2014 at 16:44

Hi all, we have a security guy who is a complete nightmare.

We store BitLocker recovery keys in AD. It appears as a tab within the computer object.

Is there a way in AD so that tab only appears to certain admin users?

Thanks

Hellsmk2 · 5 Sep 2014 at 18:45

http://blog.nextxpert.com/2011/01/1...ker-recovery-information-in-active-directory/

Follow that and amend as necessary to ensure he's not in a group with access; however, the better solution wold not to use domain admin accounts as your main account (or at a minimum don't give morons those accounts).

n30_mkii · 5 Sep 2014 at 21:49

As per Hellsmk2s reply, that tab is secured by default. i.e. the only group who have the rights to see it are the domain admins group. The members of this would only be specific servers admins really who should be using it as priviledged access i.e. runas etc. The security guy shouldn't be a member of that group, so hopefully if you tell him its restricted that should be sufficient, maybe need to report on who sits in that group to keep him happy. Its not like any end user can retrieve it etc

hope that helps?

Django x2 · 5 Sep 2014 at 22:43

Cool, thats what I was looking for. Nice