Privileged Access Management (PAM) provides the ability to grant time-bound administrative access on a per-request basis.
Check out Temporary Group Membership! (Requires the Privileged Access Management Feature to be enabled on the forest, which cannot be turned off later, and a forest functional level of Windows Server 2016 or higher.)
With the following command the newDA user is a Domain Admin for 20 minutes and is then automatically removed from the group. The TTL is stored on the membership link itself, and with PAM enabled the KDC caps the lifetime of the Kerberos tickets it issues to the remaining TTL, so the access really does lapse rather than surviving in a long-lived TGT:
Add-ADGroupMember -Identity 'Domain Admins' -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 20)
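The full workflow behind that one-liner, as an added example that is not part of the original page: check the forest functional level, enable the (irreversible) optional feature if needed, grant the time-bound membership, and then verify the remaining TTL. The domain name contoso.com, the user newDA and the Enterprise Admin rights of the caller are assumptions.

```powershell
# Added example (not from the original page). Assumes forest contoso.com, a user
# named newDA, and that the caller is an Enterprise Admin.
Import-Module ActiveDirectory

$forest = Get-ADForest
$minMode = [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest
if ([int]$forest.ForestMode -lt $minMode) {
    throw "Temporary membership needs forest functional level 2016+; current: $($forest.ForestMode)"
}

# One-time and irreversible: once the optional feature is enabled it cannot be disabled.
$pam = Get-ADOptionalFeature -Identity 'Privileged Access Management Feature'
if ($pam.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $forest.Name -Confirm:$false
}

# Grant Domain Admins for 20 minutes; the TTL lives on the membership link, not the user.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'newDA' `
    -MemberTimeToLive (New-TimeSpan -Minutes 20)

# Verify: with -ShowMemberTimeToLive, TTL-bearing links render as <TTL=<seconds>,<DN>>.
# Links without a TTL (permanent members) are listed as plain DNs, so filter on the prefix.
(Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive).member |
    Where-Object { $_ -like '<TTL=*' }
```

Run the verification line again a few minutes later: the TTL counts down, and once it reaches zero the link is gone from the member attribute without any cleanup job having to run.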
JEA (Just Enough Administration) is a PowerShell 5 security feature that lets you delegate administration of anything manageable through PowerShell without handing out admin credentials, which reduces the risk of admin credential compromise.
Normally a PSSession is allowed only to local admins. With JEA it is possible to create role capability profiles and JEA endpoints that let non-admin users connect remotely to machines to perform specific tasks (e.g. create a JEA profile, map it to an endpoint, and allow only the Help Desk group to reboot the machine: every other command is unavailable, and only the commands whitelisted in the configuration file work).
JEA endpoints run the connecting user under a temporary virtual account or group-managed service account, and the session configuration can enable over-the-shoulder PowerShell transcription (TranscriptDirectory) so that every command, together with the real user who issued it, is logged for review.
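The Help Desk reboot scenario above as a complete JEA endpoint, added here as an example and not taken from the original page. The module name HelpDeskJEA, the role capability HelpDeskReboot, the endpoint name HelpDesk, the group CONTOSO\HelpDesk and the transcript folder C:\JEATranscripts are all assumed names.

```powershell
# Added example (not the page's own code). Assumed names: module HelpDeskJEA, role
# capability HelpDeskReboot, endpoint HelpDesk, group CONTOSO\HelpDesk,
# transcript folder C:\JEATranscripts. Run as a local administrator on the target host.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\HelpDeskJEA'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
# Role capability files are only discovered inside a valid module's RoleCapabilities folder;
# a manifest-only module is enough.
New-ModuleManifest -Path (Join-Path $moduleRoot 'HelpDeskJEA.psd1')

# Role capability: only Restart-Computer, and only its -Force parameter. Because
# -ComputerName is not exposed, the role cannot be used to reboot other hosts.
# Anything not listed here simply does not exist inside the session.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'HelpDeskReboot.psrc') `
    -VisibleCmdlets @{ Name = 'Restart-Computer'; Parameters = @{ Name = 'Force' } }

# Session configuration: RestrictedRemoteServer hides everything by default, the virtual
# account means the help-desk user never holds (or can dump) real admin credentials, and
# TranscriptDirectory records every command against the connecting user's identity.
New-Item -ItemType Directory -Path 'C:\JEATranscripts' -Force | Out-Null
$pssc = Join-Path $env:TEMP 'HelpDesk.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HelpDesk' = @{ RoleCapabilities = 'HelpDeskReboot' } }

# Validate before registering: a malformed .pssc produces an endpoint nobody can use.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "Invalid session configuration: $pssc" }
Register-PSSessionConfiguration -Name 'HelpDesk' -Path $pssc -Force | Out-Null

# A non-admin member of CONTOSO\HelpDesk then connects to this endpoint only:
#   Enter-PSSession -ComputerName SRV01 -ConfigurationName HelpDesk
#   Get-Command            # shows Restart-Computer plus a handful of JEA built-ins
#   Restart-Computer -Force
```

Registering the configuration restarts the WinRM service, so do it in a maintenance window. The transcript files in C:\JEATranscripts name both the connected user and the virtual run-as account, which is what lets you attribute an action to a person even though it executed as the machine.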
Microsoft “Local Administrator Password Solution” (LAPS) provides automated local administrator account management for computers in Active Directory.
A client side component installed on computers generates a random password, updates the LAPS password attribute on the associated AD computer account and sets the password locally.
LAPS is configured through Group Policy, which sets the password complexity, length, change frequency (maximum password age) and the name of the managed local account.
LAPS mitigates Pass-the-Hash lateral movement with local accounts: because every computer gets a unique, regularly rotated local administrator password, the NTLM hash stolen from one machine is not valid on any other. This matters most in environments where users can log on to computers with local rather than domain credentials and a single shared local admin password would otherwise unlock the whole estate.
The password is stored in the ms-Mcs-AdmPwd attribute of the computer object in AD, and access to it is controlled by ACLs (only Domain Admins and explicitly authorized users can read it). ms-Mcs-AdmPwd is marked as a confidential attribute, so ordinary read permission is not enough: a principal needs the "All extended rights" control-access right on the object or OU, and auditing who holds that right is the key check when deploying LAPS.
ms-Mcs-AdmPwdExpirationTime holds the password's expiration date as a Windows FILETIME. When it is reached, the LAPS client is forced to reset the password at its next Group Policy refresh, so writing a past date into this attribute is how an administrator triggers an immediate rotation.
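An added example (not from the original page) that works with exactly those two attributes using the legacy LAPS AdmPwd.PS module: it audits which principals can read passwords under an OU, delegates read access with least privilege, reads a computer's password and expiry, and forces a rotation. The computer SRV01, the OU OU=Workstations,DC=contoso,DC=com and the group CONTOSO\HelpDesk are assumed names.

```powershell
# Added example (not from the original page). Assumes computer SRV01, the OU
# OU=Workstations,DC=contoso,DC=com, the group CONTOSO\HelpDesk, and the
# ActiveDirectory and AdmPwd.PS (legacy LAPS) modules on the admin workstation.
Import-Module ActiveDirectory, AdmPwd.PS

$ou = 'OU=Workstations,DC=contoso,DC=com'

# Who can read the password? ms-Mcs-AdmPwd is confidential, so the caller needs the
# "All extended rights" control-access right. Every principal listed here (often
# inherited from legacy OU ACLs) can read every LAPS password beneath the OU.
Find-AdmPwdExtendedRights -Identity $ou | Select-Object -ExpandProperty ExtendedRightHolders

# Least-privilege delegation: computers may write only their own password and expiry
# (self permission), and only HelpDesk is granted read rights. Done once per OU.
Set-AdmPwdComputerSelfPermission -OrgUnit $ou | Out-Null
Set-AdmPwdReadPasswordPermission -OrgUnit $ou -AllowedPrincipals 'CONTOSO\HelpDesk' | Out-Null

# Read the two attributes the text describes. The expiry is a FILETIME (100-ns ticks
# since 1601-01-01 UTC) stored as a large integer, hence the conversion.
$c = Get-ADComputer -Identity 'SRV01' -Properties 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
$ticks = [int64]$c.'ms-Mcs-AdmPwdExpirationTime'
$expires = if ($ticks -gt 0) { [datetime]::FromFileTimeUtc($ticks) } else { $null }
[pscustomobject]@{
    Computer  = $c.Name
    Password  = $c.'ms-Mcs-AdmPwd'        # $null when the caller lacks extended rights
    ExpiresAt = $expires
    Expired   = ($expires -ne $null) -and ($expires -lt [datetime]::UtcNow)
}

# Force a reset: this only writes a past expiry into ms-Mcs-AdmPwdExpirationTime.
# The LAPS client on SRV01 rotates the password at its next Group Policy refresh
# (Invoke-GPUpdate -Computer SRV01 from the GroupPolicy module speeds that up).
Reset-AdmPwdPassword -ComputerName 'SRV01' -WhenEffective (Get-Date)
```

If the Password field comes back empty although the computer is clearly LAPS-managed, the caller is not in the ExtendedRightHolders list; conversely, an unexpectedly long list from Find-AdmPwdExtendedRights is the first thing to fix, since any of those accounts can read every local admin password in the OU.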