Alert icon Keyboard navigation enabled.
Alert icon TAB or Shift+TAB to navigate across. Down ↓ to open menu. ESC to close menu.
Alert icon Down ↓ to select section. Right → to activate. Up ↑ / Down ↓ / Tab to traverse all. ESC to exit.
BeyondTrust
Skip to content Use space or enter to skip.

What can we help you find today?

Instant Results
  • Website Results
  • Technical Documentation

Filter Options

Focus your search

Filtering by

Your recent searches:

Contact Us Chat with Sales Get Support
  • English
  • Deutsch
  • français
  • español
  • 한국어
  • português
  • Home
  • Resources
  • Blog
  • Best Practices for Managing Domain Admin Accounts current page
Link copied

Best Practices for Managing Domain Admin Accounts

Aug 3, 2015
Author:
Russell Smith Bio Pic 2021 Square
Russell Smith
IT Consultant & Security MVP
Blog banner default
Best Practices for Managing Domain Admin Accounts
Russell Smith Bio Pic 2021 Square
Russell Smith
IT Consultant & Security MVP

Auditors often discover that domain administrator privileges are assigned to IT staff with abandon, and not strictly limited to the just-in-time (JIT) use on domain controllers (DCs) that Microsoft and security experts recommend. This is partly due to the default local group configuration on Windows clients, where domain administrators automatically become members of the local Administrators group when a device joins a domain, which in turn gives the local and remote access needed to support end users. In a similar vein, the same applies to domain member servers.

Check out this on-demand webinar on best practices for managing domain admin accounts to learn pro-tips to protect your organization from critical attacks.

The risks of using privileged domain accounts on devices that are not secured to the same level as DCs increases the chances that domain administrator credentials could be exposed. Windows caches credentials by default to authenticate users when a domain controller can’t be reached, including those of domain administrator accounts that have previously logged in to a device. As such, a compromised workstation or member server can also lead to stolen domain administrator credentials.

Additionally, running with local and domain administrator credentials can result in changes being made to critical systems accidentally, or by malicious processes running under the same account as the logged in user. Assigning domain administrator accounts to IT staff makes them a target, because hackers know that they can provide an entry point to not one, but multiple systems with the privileges needed to run exploits.

In this webinar on managing domain admin accounts, I’ll show you how clients and member servers can be configured so that IT staff can get the privileges and remote access required, without adding accounts to the Domain Admins group. I’ll also take a look at PowerShell JIT administration, and how access should be granted to DCs, so that the overall level of security can be improved without compromising usability.

Want to learn more? Watch this on-demand webinar now.

Latest Posts
  • Hooked on Identity: Abusing SAML Assertion Inline Hooks in Okta
    Jun 9, 2026 Hooked on Identity: Abusing SAML Assertion Inline Hooks in Okta
    Blog
    6m
  • Joining Project Glasswing: Securing the Privilege Backbone of the AI Era
    Jun 8, 2026 Joining Project Glasswing: Securing the Privilege Backbone of the AI Era
    Blog
    5m
  • The Most Common & Most Dangerous Types of Shadow IT
    Jun 5, 2026 The Most Common & Most Dangerous Types of Shadow IT
    Blog
    19m
  • 14 Password Management Best Practices
    May 28, 2026 14 Password Management Best Practices
    Blog
    12m
  • A Security Researcher’s Guide to Understanding Copilot Studio AI Agents
    May 26, 2026 A Security Researcher’s Guide to Understanding Copilot Studio AI Agents
    Blog
    3m
Related
  • Securing the Mission with BeyondTrust Identity Security for Government
    Nov 13, 2025 Securing the Mission with BeyondTrust Identity Security for Government
    Blog
    5m
  • Using Unified Endpoint Management (UEM) & Endpoint Security to lay the Groundwork for Digital Transformation
    Dec 4, 2020 Using Unified Endpoint Management (UEM) & Endpoint Security to lay the Groundwork for Digital Transformation
    Blog
    1m
Share this Article
  • Link
Stay up to Date
Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

Keep up with BeyondTrust

Customer Support Get Started
  • LinkedIn
  • X
  • Facebook
  • Instagram
  • Add BeyondTrust as a preferred source on Google
  • Privacy
  • Security
  • Manage Cookies
  • Do Not Sell My Data
  • WEEE Compliance

Copyright © 2003 — 2026 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.

Prefers reduced motion setting detected. Animations will now be reduced as a result.