Attacks are becoming more intelligent and, above all, more targeted. Implementing the Principle of Least Privilege in Active Directory helps limit what an attacker can do with a compromised account. The Principle of Least Privilege states that a subject should be given only those privileges it needs to complete its task.
User
Step 1
Create these Users and Groups in AD:
DA - Domain Admin
SA - Server Admin
CA - Client Admin
- CA-, SA-, DA- user accounts (example: CA-hs2n)
- gg_ServerAdmin group; gg_ClientAdmin group
Step 2
Assignment:
- CA - User member of gg_ClientAdmin
- SA - User member of gg_ServerAdmin
- DA - User member of Domain Admins
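Steps 1 and 2 as a PowerShell script, added here as an example and not part of the original guide. It assumes the ActiveDirectory module, a domain admin session, the OU path and per-person suffix set in the variables at the top (adjust them to your domain), and the English group name "Domain Admins"; it also checks afterwards that the CA and SA accounts are not in Domain Admins, directly or through nested groups.

```powershell
# Added example, not from the original guide. Assumptions: ActiveDirectory
# module available, $AdminOU exists, "Domain Admins" is the (unlocalized) name.
Import-Module ActiveDirectory

$AdminOU = 'OU=AdminAccounts,DC=Testdomain,DC=local'   # assumption: adjust to your domain
$Suffix  = 'hs2n'                                       # per-person suffix as in the guide (CA-hs2n)

# Step 1: the two tier groups as global security groups
foreach ($g in 'gg_ServerAdmin', 'gg_ClientAdmin') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $AdminOU
    }
}

# Step 1: one separate admin account per tier, each with its own password
foreach ($tier in 'CA', 'SA', 'DA') {
    $sam = "$tier-$Suffix"
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        $pw = Read-Host -AsSecureString -Prompt "Initial password for $sam"
        New-ADUser -Name $sam -SamAccountName $sam -Path $AdminOU `
            -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
    }
}

# Step 2: tier-to-group assignment
Add-ADGroupMember -Identity 'gg_ClientAdmin' -Members "CA-$Suffix"
Add-ADGroupMember -Identity 'gg_ServerAdmin' -Members "SA-$Suffix"
Add-ADGroupMember -Identity 'Domain Admins'  -Members "DA-$Suffix"

# Check: a CA or SA account must never end up in Domain Admins, neither
# directly nor through group nesting. Any hit is a tiering violation.
$daMembers = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
             Select-Object -ExpandProperty SamAccountName
foreach ($sam in "CA-$Suffix", "SA-$Suffix") {
    if ($daMembers -contains $sam) {
        Write-Warning "$sam is a member of Domain Admins - tiering violated"
    } else {
        Write-Host "$sam OK: not in Domain Admins"
    }
}
```

Rerun only the check part periodically; group nesting added later is the usual way a client or server admin account quietly becomes a domain admin.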
Step 3
Create a ClientAdmin policy, or, if you imported a policy, edit the gg_ClientAdmin policy.
Link the policy to all your Client OrganisationUnits.
For testing purposes, do NOT use the option "Remove Members: Domain-Admins" in the first step. After you have made sure that the policy works correctly and that you can access the clients with the CA admin users you created earlier, edit the policy and add the option "Remove Members: Domain-Admins".
IMPORTANT:
New computer objects are created in the default Computers container, which is not an OU and therefore cannot receive the policy link. Redirect them to an OU covered by the policy with the following command:
redircmp <NEW OrganisationUnit>
redircmp "OU=NewComputer,DC=Testdomain,DC=local"
To check the current default path for computer and user objects, use the following command:
get-addomain | fl computer*, user*
Step 4
Create a ServerAdmin policy, or, if you imported a policy, edit the gg_ServerAdmin policy.
Link the policy to all your Client OrganisationUnits.
For testing purposes, do NOT use the option "Remove Members: Domain-Admins" in the first step. After you have made sure that the policy works correctly and that you can access your servers with the SA admin users you created earlier, edit the policy and add the option "Remove Members: Domain-Admins".
Step 5
To make sure that the previously created users can only log on to their intended devices (servers, DCs, clients):
- DA users: only allowed to log on to DCs, not to other servers, not to clients
- SA users: only allowed to log on to servers, not to DCs, not to clients
- CA users: only allowed to log on to clients, not to DCs, not to servers
We have to apply the following GPOs:
- For DA users: link this GPO to all OUs with client computer objects and member server objects.
- For SA users: link this GPO to all OUs with client computer objects and domain controllers.
- For CA users: link this GPO to all OUs with domain controllers and member server objects.