It would be an understatement to say that welcoming a new member of the IT staff on board by adding them to the Active Directory Domain Admins group is a potential security hazard. And regardless of a staff member’s tenure or the seniority of their position, granting permanent membership in privileged AD groups is always a bad idea.
But in spite of the well-understood risks of routinely using administrative privileges, best-practice advice from security experts, and the work Microsoft has undertaken to make Windows easier to use as a standard user, organizations often persist in granting administrative privileges to IT staff simply to expedite system access. However, with a little planning, Active Directory can be managed effectively without domain admin privileges.
It’s worth remembering that there’s no ‘local administrator’ account on a domain controller, and that access to Active Directory can be separated from administrative access to domain controllers. To get the equivalent of local administrator privileges on a domain controller, a user must be granted domain administrative privileges, which also gives unrestricted access to AD and to all DCs in a domain.
In this white paper, BeyondTrust looks at best practices on how to manage access to domain controllers (DCs) and Active Directory (AD) without permanently assigning domain administrative privileges to IT staff.