Service accounts & domain admin privileges

Over the last few weeks I've had a good couple of lessons around service accounts and domain admin privileges (and who should have them).  What came to mind was a kind of cascading failure caused by not following best practices.

  1. Management team finally authorized the changes the Windows admin had asked for - the removal of all 'regular' users from the Domain Admins group along with the creation of 'admin' accounts for people that required them.
  2. Users were removed from the Domain Admins group.  The Windows admin did not communicate this to anyone.  Management did not communicate to users that this was going to happen.
  3. Random things began to break.  Small in-house-programmed websites stopped working, workflows were disrupted, ticket queue built up, etc.
  4. After spending a lot of hours trying to figure out why these things were breaking, someone happened to mention that 'oh, admin removed domain admin privs for everyone'.
  5. Light bulb.
  6. Confirmed that each and every issue was caused by this change.

Further digging revealed that the custom sites had been programmed to just take the logged-on user's account info.  The sites would then access AD with abandon - something that only Domain Admins can do (in this case anyway).  No Domain Admin, no AD access.

This all stemmed from two basic best practices for AD:
  1. Never give your daily user accounts domain admin rights.
  2. Always create a service account when an application or service requires access to AD authentication.  Assign the service account a REALLY complex password and set the password to never expire.  (In stricter environments this would probably not fly, but for the majority of companies this would be secure enough)
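As an added example (not the original post's code), the two things the best practices above call for in PowerShell: a report of who actually holds Domain Admin rights, so 'daily' user accounts can be spotted, and the creation of a dedicated service account with a random complex password that never expires. It assumes the ActiveDirectory module (RSAT) is installed; the account name and OU path are placeholders.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Report every user that holds Domain Admin rights, including members of
#    nested groups, so regular daily-use accounts can be identified and removed.
function Get-DomainAdminReport {
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            Get-ADUser -Identity $_.DistinguishedName -Properties LastLogonDate, PasswordNeverExpires
        } |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordNeverExpires
}

# 2. Create a service account for an application that needs AD access.
#    The password is generated from a cryptographic RNG, set to never expire,
#    and returned once so it can be placed in the app's config or a vault.
function New-AppServiceAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,  # e.g. 'svc-intranet' (placeholder)
        [Parameter(Mandatory)][string]$OUPath,          # e.g. 'OU=Service Accounts,DC=example,DC=local' (placeholder)
        [int]$PasswordLength = 32
    )
    # Printable ASCII 33..126 gives 94 characters (letters, digits, symbols).
    $chars = [char[]](33..126)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $pw    = New-Object System.Text.StringBuilder
    while ($pw.Length -lt $PasswordLength) {
        $rng.GetBytes($buf)
        # Rejection sampling: 188 = 2 * 94, so accepted bytes map uniformly onto $chars.
        if ($buf[0] -lt 188) { [void]$pw.Append($chars[$buf[0] % $chars.Length]) }
    }
    $plain  = $pw.ToString()
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName -Path $OUPath `
        -AccountPassword $secure -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'Application service account - not for interactive logon'

    # Return the password once; the caller is responsible for storing it safely.
    $plain
}

Get-DomainAdminReport | Format-Table -AutoSize
```

The new account is deliberately not added to any group: grant it only the specific rights the application needs rather than Domain Admin membership.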

So the lesson is: follow those best practices as far as you are able.  Sometimes management would rather give everyone freedom and accept the risks involved than lock things down, and you're stuck.  That's okay: you've brought the issue before them and they can make an informed decision - it's their job to make these decisions!  Some would harbour resentment (natural, to some degree) over such a decision, but there is no point in holding a grudge.  Bring the issue up as often as you can, and maybe the squeaky wheel will get the grease.
