lithnet / access-manager

Access Manager provides web-based access to local admin (LAPS) passwords, BitLocker recovery keys, and just-in-time administrative access to Windows computers in a modern, secure, and user-friendly way.

[HELP] Computer JIT for Domain Controllers? #229

Closed c3rberus closed 5 months ago

c3rberus commented 6 months ago

How do you configure JIT for domain controller servers?

Following the instructions on https://docs.lithnet.io/ams/configuration/deploying-features/setting-up-jit-access we can create JIT-based access for all domain-joined servers except for domain controllers.

This is because you can't use Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups to target the built-in Administrators group of a domain controller; it does not exist in that sense.

See here: https://learn.microsoft.com/en-us/archive/msdn-technet-forums/91294fdf-1565-4861-bf23-ba62937f1c11

The Administrators group of the domain controller is stored in Active Directory.

When trying to apply the GPO that works on domain servers to domain controllers, the JIT-%ComputerName% group does not show up in the BUILTIN\Administrators group.

I guess computer JIT is not supported on DCs, and one would instead have to do role activation JIT to Domain Admins or similar?
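An added check that is not part of this issue thread or of the Access Manager project: it reports whether a `JIT-<ComputerName>` group (the naming convention described above) is present in the Administrators group of each computer, looking in the domain's BUILTIN\Administrators object for domain controllers and in the local SAM group for member servers. It assumes the ActiveDirectory RSAT module, WinRM access to the member servers, and that the JIT group is named with the `JIT-` prefix; those are assumptions, not project defaults.

```powershell
# Added example (not from the issue thread or the Access Manager project).
# Shows where the Administrators group actually lives on a DC versus a member
# server, and checks whether the expected JIT-<ComputerName> group is in it.
# Assumes: ActiveDirectory RSAT module, WinRM to member servers, 'JIT-' prefix.

Import-Module ActiveDirectory

function Test-JitAdminMembership {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [string] $GroupPrefix = 'JIT-'   # assumed convention: JIT-%ComputerName%
    )

    foreach ($name in $ComputerName) {
        $computer = Get-ADComputer -Identity $name -Properties PrimaryGroupID
        # Domain controllers carry the "Domain Controllers" primary group (RID 516).
        $isDc     = ($computer.PrimaryGroupID -eq 516)
        $expected = "$GroupPrefix$name"

        if ($isDc) {
            # A DC has no local SAM. Its Administrators group is the domain's
            # BUILTIN\Administrators object, shared by every DC in the domain,
            # so a GPP "Local Users and Groups" item has nothing to target.
            $members = Get-ADGroupMember -Identity 'Administrators' |
                       Select-Object -ExpandProperty SamAccountName
        }
        else {
            # Member server: the local SAM group, queried over WinRM.
            $members = Invoke-Command -ComputerName $name -ScriptBlock {
                Get-LocalGroupMember -Group 'Administrators' |
                    ForEach-Object { ($_.Name -split '\\')[-1] }
            }
        }

        [pscustomobject]@{
            Computer           = $name
            IsDomainController = $isDc
            ExpectedGroup      = $expected
            Present            = [bool]($members -contains $expected)
        }
    }
}

# Constructed sample computer names; replace with real hosts in your domain.
Test-JitAdminMembership -ComputerName 'SRV01', 'DC01' | Format-Table -AutoSize
```

On a member server `Present` becomes true once the GPP item has applied; on a domain controller the same query runs against the domain object, which is why the per-computer group never appears there and a role-based JIT into a protected group is the supported route.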

ryannewington commented 6 months ago

Hi @c3rberus

Yes, using a JIT role for domain admins is the way to do this.

Note the additional steps needed to assign permissions to JIT into a protected group:

https://docs.lithnet.io/ams/help-and-support/support-articles/kb000008

c3rberus commented 6 months ago

I went with the JIT role for my domain controller, that worked. Thanks for the reminder on AdminSDHolder.

This is such an easy-to-set-up and very flexible tool, by the way; it seriously improves the quality of life of an on-prem administrator :) Thank you!

ryannewington commented 5 months ago

Thanks for the kind feedback! I'm glad it's helping!