Out of Control: Domain Administrators

by Russell Smith
01.12.2017   Auditing

Out of Control - Domain Administrators

Domain, Schema and Enterprise administrators hold the keys to your Active Directory (AD) kingdom, but it’s not uncommon to find organizations routinely issuing new IT hires with domain administrator privileges to expedite access for support purposes, or at best a proliferation of privileged accounts lying dormant and unaudited, giving attackers a potential way in to your systems.

If it’s a revelation that domain administrator privileges aren’t required to add, delete, or otherwise modify AD objects, then keep reading, because IT staff don’t need to be domain administrators to add devices to the domain or log in using Remote Desktop either. In fact, I can’t think of any reason why a member of IT staff should be permanently granted privileged access to AD.

Get Organized – OUs and Delegation

Applying the principle of least privilege to Active Directory is relatively easy to achieve with a well thought out administration model. Organizational Units (OUs) can be used to group AD objects, and in turn permissions delegated to ensure that IT staff can only modify and add objects to OUs that don’t contain privileged accounts.

Performing a risk assessment should and determining the likelihood that a compromised account might lead to a network breach can help you design a delegation model that improves security and also allows IT to perform everyday AD administration tasks without permanently assigned domain admin privileges.

The Delegation of Control Wizard in Active Directory Users and Computers (ADUC) provides a quick and easy way to grant IT staff permissions to perform administration tasks, such as creating new user accounts and adding them to groups. Group Policy can also be used to enforce group membership, reducing the probability that a rogue administrator might add themselves to a privileged group.

PowerShell Just-Enough-Administration

Windows PowerShell Just-Enough-Administration (JEA) provides IT support staff with remote access endpoints that are restricted to a limited set of modules, cmdlets and parameters. Additionally, JEA can be configured to provide elevated privileges without revealing the password for a privileged account.

JEA constrained endpoints provide a level of flexibility in Windows that enables least privilege security to be achieved more easily than ever before. If your IT staff aren’t up to speed with PowerShell, GUI tools can be created that use PowerShell to perform the actual tasks. Two examples of this are the Exchange Administration Center (EAC) and the Active Directory Administrative Center (ADAC), both of which use PowerShell to execute jobs in the background.

Read-Only Domain Controllers

Domain controllers (DCs) are often physically exposed in branch offices and sometimes it’s hard to avoid giving privileged access, especially if the device doubles up as a file server or performs some other function. Read-Only Domain Controllers (RODCs) don’t store password attributes in their copy of the AD database, but can be configured to cache passwords of users who regularly log in at the remote location. But not only that, and unlike writeable domain controllers, it’s possible to delegate local administrator privileges to the device without granting access to AD, which is ideal for general maintenance purposes.

Audit AD for Domain Administrators

Restricting the use of domain administrator privileges and implementing an administration model will significantly improve the security posture of Active Directory using the techniques outlined above and others. A good place to start is to audit Active Directory for use of domain administrative privileges and eliminate as many accounts as possible.


Lepide® is a Registered Trademarks of Lepide Software Private Limited. © Copyright 2017 Lepide Software Private Limited. All Trademarks Acknowledged.