If you work in Information Technology already, securing Windows Active Directory Domain Administrator, or Domain Admin, accounts may seem like an intuitive thing to do. It does to me; however, I’ve discovered that this understanding is often not widely held outside of the IT community. I wanted to write this post to frame the issue in a way that a non-technical audience could understand.
First of all, what are Domain Admin accounts? The simplest definition is that they are the keys to the castle. If you have a larger environment with multiple domains, then there are also Enterprise Administrator accounts, which are the keys to multiple castles, but those are outside the scope of this post. These special accounts have access to everything. They have the supreme ability to create, modify, view, and delete every digital asset on the domain, with very few exceptions. In the case of those exceptions, it is very likely that the Domain Admin account can grant itself the access to those assets that it doesn’t already have.
So, who should have these accounts? In the best case, the number of personnel given out-of-the-box Domain Admin accounts should be extremely limited. There should not be many environments that have legitimate reasons to have more than two or three Domain Admin accounts. The reality of the situation is that this is rarely the case, for a number of reasons, mainly because it is easier to use a Domain Admin account to accomplish a task than it is to create, and use, an account that has been given only the specific privileges needed to accomplish that task. This problem is exacerbated because, in my experience, it is somewhat rare to find people who are solid enough in their Active Directory knowledge to create such accounts and to know what privileges are needed to perform certain tasks. There is a perception that there is either a limited account or a Domain Admin account, but nothing in between.
This brings me to why Domain Admin accounts are necessary. I won’t go too deep into this because it would get more complicated than I intend to right now. As mentioned above, the Domain Admin account has the ability to create, modify, view, and delete other things. This is necessary in the administration of the domain, but it is important to also realize that for most routine tasks, such as creating user accounts, adding servers and computers, and even administering servers and computers, the Domain Admin account is not necessary. These tasks can be performed by creating special accounts that are then given only the privileges needed to perform them. Using the Domain Admin account to create these special accounts, or a group with the same privileges, would represent a legitimate use of the Domain Admin account.
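As an added illustration of the two points above (not code from the original post), here is a PowerShell script using the ActiveDirectory module that first checks how many accounts actually sit in Domain Admins, then delegates just the "create and delete user accounts" right on one OU to a dedicated helpdesk group so that routine work no longer needs a Domain Admin. The OU path, group name and the threshold of three are assumptions for the example; run it once from a legitimately privileged session.

```powershell
Import-Module ActiveDirectory

# --- Check 1: who really holds the keys to the castle? ---
function Get-DomainAdminReport {
    param([int]$MaxExpected = 3)   # the post's "two or three" rule of thumb
    # -Recursive expands nested groups; @() keeps .Count valid for a single member
    $members = @(Get-ADGroupMember -Identity "Domain Admins" -Recursive)
    if ($members.Count -gt $MaxExpected) {
        Write-Warning ("Domain Admins has {0} members (expected at most {1})" -f $members.Count, $MaxExpected)
    }
    return $members | Select-Object Name, SamAccountName, objectClass
}

# --- Check 2: delegate one routine task instead of handing out Domain Admin ---
function Grant-UserAccountDelegation {
    param(
        [string]$TargetOU  = "OU=Staff,DC=corp,DC=example",          # hypothetical OU
        [string]$GroupName = "Helpdesk-UserAdmins",                   # hypothetical group
        [string]$GroupOU   = "OU=Groups,DC=corp,DC=example"           # hypothetical OU
    )
    # Create the delegation group if it does not exist yet
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
    if (-not $group) {
        $group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                             -Path $GroupOU -PassThru
    }

    # Look up the schema GUID of the 'user' class so the ACE applies only to user objects
    $schemaNC  = (Get-ADRootDSE).schemaNamingContext
    $userClass = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'user'" `
                              -Properties schemaIDGUID
    $userGuid  = [Guid]$userClass.schemaIDGUID

    # Build an ACE: allow creating and deleting child objects of class 'user' in the OU tree
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor `
              [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $group.SID, $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $userGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    # Apply it through the AD: PSDrive that the ActiveDirectory module provides
    $acl = Get-Acl -Path "AD:\$TargetOU"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$TargetOU" -AclObject $acl
}

Get-DomainAdminReport | Format-Table -AutoSize
Grant-UserAccountDelegation
```

Accounts placed in the helpdesk group can then create and remove users in that OU only; everything else (other OUs, group memberships, server administration) would need its own, separately scoped delegation.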