Auditors often discover that domain administrator privileges are assigned to IT staff with abandon, and not strictly limited to the just-in-time (JIT) use on domain controllers (DCs) that Microsoft and security experts recommend. This is partly due to the default local group configuration on Windows clients, where domain administrators automatically become members of the local Administrators group when a device joins a domain, which in turn gives the local and remote access needed to support end users. The same applies to domain member servers.
Using privileged domain accounts on devices that are not secured to the same level as DCs increases the chances that domain administrator credentials could be exposed. Windows caches credentials by default to authenticate users when a domain controller can’t be reached, including those of domain administrator accounts that have previously logged in to a device. As such, a compromised workstation or member server can also lead to stolen domain administrator credentials.
Additionally, running with local and domain administrator credentials can result in changes being made to critical systems accidentally, or by malicious processes running under the same account as the logged-in user. Assigning domain administrator accounts to IT staff makes them a target, because hackers know that these accounts can provide an entry point to not one, but multiple systems with the privileges needed to run exploits.
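An audit sketch for the two exposures described above (domain principals in the local Administrators group, and cached domain logons), added here as an example and not taken from the webinar. It assumes Windows PowerShell 5.1 on a domain-joined Windows 10 / Server 2016 or later machine; the function names are hypothetical.

```powershell
# Added example: run in an elevated session on the client or member server being audited.

# Well-known RIDs of the built-in privileged domain groups.
$PrivilegedRids = @{ '512' = 'Domain Admins'; '519' = 'Enterprise Admins' }

function Get-DomainLocalAdmin {
    # S-1-5-32-544 is the built-in local Administrators group (name varies by OS language).
    try {
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    } catch {
        # Known failure mode: the cmdlet errors out when the group holds an orphaned SID.
        Write-Warning "Could not enumerate local Administrators: $($_.Exception.Message)"
        return
    }
    foreach ($m in $members | Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' }) {
        $rid = ($m.SID.Value -split '-')[-1]
        [pscustomobject]@{
            Name    = $m.Name
            Class   = $m.ObjectClass
            Sid     = $m.SID.Value
            Finding = if ($PrivilegedRids.ContainsKey($rid)) {
                          "$($PrivilegedRids[$rid]) has local admin rights on this device"
                      } else {
                          'Domain principal with local admin rights: confirm it is a scoped support group'
                      }
        }
    }
}

function Get-CachedLogonSetting {
    # Value behind the policy "Interactive logon: Number of previous logons to cache".
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    [pscustomobject]@{
        CachedLogonsCount = if ($null -eq $raw) { 'not set' } else { $raw }
        Finding           = if ($raw -eq '0') { 'Logon caching disabled' }
                            else { 'Previous domain logons are cached on this device' }
    }
}

Get-DomainLocalAdmin   | Format-Table -AutoSize -Wrap
Get-CachedLogonSetting | Format-List
```

A device that reports Domain Admins as a local administrator and also caches logons is one where a privileged interactive logon leaves a cached verifier behind, so it is a candidate for replacing that membership with a narrower support group.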
In this webinar on managing domain admin accounts, I’ll show you how clients and member servers can be configured so that IT staff can get the privileges and remote access required, without adding accounts to the Domain Admins group. I’ll also take a look at PowerShell JIT administration, and how access should be granted to DCs, so that the overall level of security can be improved without compromising usability.
Want to learn more? Watch this on-demand webinar now.
Russell Smith, IT Consultant & Security MVP
Russell Smith specializes in the management and security of Microsoft-based IT systems. In addition to blogging about Windows and Active Directory for the Petri IT Knowledgebase, Russell is a Contributing Editor at CDW’s Biztech Magazine.
Russell has more than 15 years of experience in IT, has written a book on Windows security, co-authored one for Microsoft’s Official Academic Course (MOAC) series and has delivered several courses for Pluralsight.