I have been reviewing security permissions on an on-prem AD security group that essentially grants members access to make administrative changes to firewall devices. As you would expect, membership of the group itself is limited to a smaller number of experienced engineers, however, the permissions on who could add a member to the group (or indeed remove) are quite substantial, and includes admin groups containing more junior/helpdesk types roles.
The officers in the more junior/helpdesk type roles would as part of their daily duties be performing regular account and group management activities, such as adding a member to a security group that grants access to a directory on a file server, for example. That level of access makes it perfectly valid, but amending group memberships for more ‘high risk’ security groups such as those that grant members firewall admin rights is not really acceptable.
In those types of scenarios, what is generally considered best practice to limit the ability of who can amend the firewall security group members to just specific IT admins, e.g. domain admin members (which is more aligned with the members of the group), without having to make wholesale changes to the directory structure. it would essentially be a case of isolating ‘high risk’ security group management permissions and differentiating their permissions to ‘lower risk’ security groups. I presume this is quite a common situation.
Create a security group with only the member/groups who you want to have permission to add/remove members to the firewall security group. After that use powershell overwrite whoever is already there to add/remove users to the firewall group. For example:
Set-ADGroup "nameofyourfirewallgroup" -Managedby "nameofyournewlycreatedsecuritygroup"
Microsoft 365 Docs > Windows > PowerShell > Reference > ActiveDirectory > Set-ADGroup
You can also enable auditing so that you can see each time members are added and removed from groups. Although auditing would be useful to look for such addition events, but the ideal scenario would be to limit who can add themselves/or another member in. I basically want to control it in a similar way to domain admins membership.