Enforcing the 'Least Privilege' Principle through Active Directory, OUs, GPOs, and Group Policy Filtering

(PDF, 1.83MB)
Published: 07 Jan, 2002
Created by: Ricardo Rodriguez

Microsoft Windows 2000 includes a set of new features, some of which give administrators better control over servers, workstations and users. The addition of Active Directory (AD) and Group Policy Objects (GPOs) significantly decreases the overhead associated with administering and maintaining a properly secured environment. The enhancements lead to a consistent look and feel, better distribution of resources, proper user rights assignments, and so on. This is evident in the granular control available over objects, which include users, groups, and workstations, among others. This document presents an approach to further enforce the 'Least Privilege' principle by combining Active Directory GPOs and Group Policy filtering techniques. This principle states that users should be given the minimum privileges needed to perform their job. A simple scenario follows to emphasize the concepts and processes required to properly accomplish this task. A basic understanding of Active Directory and GPOs is assumed.