{"id":61,"date":"2021-12-06T13:39:21","date_gmt":"2021-12-06T13:39:21","guid":{"rendered":"https:\/\/12stick.de\/?page_id=61"},"modified":"2026-05-06T07:35:48","modified_gmt":"2026-05-06T07:35:48","slug":"how-to","status":"publish","type":"page","link":"https:\/\/www.12beAdmin.com\/?page_id=61","title":{"rendered":"Least Privilege Scenario: Recommended"},"content":{"rendered":"\n<h5 class=\"wp-block-heading\"><strong>Working with 12beAdmin:<\/strong><\/h5>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create groups that we can use for AD delegation. I expect you to be familiar with RBAC (Role-Based Access Control). <\/li>\n\n\n\n<li>Create 2 user accounts for each admin of your company. The user part of both names is identical, but the ending is something that lets you identify which tier the account administers, like: \n<ul class=\"wp-block-list\">\n<li>.CLI and .SRV <\/li>\n\n\n\n<li>.002 and .001 <\/li>\n\n\n\n<li>.cli and .ad <\/li>\n\n\n\n<li><em>MyName.c02<\/em> and <em>MyName.s01<\/em><\/li>\n\n\n\n<li> &#8230;<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Run 12beAdmin with the higher-privileged user account. Do not run it with the account that you want to become a member of the <em>%computername%-Admins<\/em> group. That would be a &#8220;self-elevation&#8221;, and that could be exploited by an attacker. 
<br><\/li>\n\n\n\n<li>Delegate permissions in AD at OU level to add members to an existing group and reset the password:\n<ul class=\"wp-block-list\">\n<li><em>dsAcls.exe &quot;$GroupPath&quot; \/I:S \/G &quot;*yourACgroup*:RPWP;member;group&quot;<\/em><\/li>\n\n\n\n<li><em>dsAcls.exe &quot;$UserPath&quot; \/I:S \/G &quot;*yourACgroup*:CA;Reset Password;user&quot;<\/em><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h5 class=\"wp-block-heading\">Bulk Creation of Admin Groups for each Computer<\/h5>\n\n\n\n<ul class=\"wp-block-list\">\n<li><em>dsAcls.exe &quot;$GroupPath&quot; \/I:S \/G &quot;*yourACgroup*:GA;;group&quot;<\/em><\/li>\n<\/ul>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Working with 12beAdmin: Bulk Creation of Admin Groups for each Computer<\/p>\n","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-61","page","type-page","status-publish"],"_links":{"self":[{"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=\/wp\/v2\/pages\/61","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=61"}],"version-history":[{"count":19,"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=\/wp\/v2\/pages\/61\/revisions"}],"predecessor-version":[{"id":298,"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=\/wp\/v2\/pages\/61\/revisions\/298"}],"wp:attachment":[{"href":"https:\/\/www.12beAdmin.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=61"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}