Your approach of maintaining separate accounts (XXXX\bpeikes for regular tasks and XXXX\adminbp for administrative work) aligns perfectly with Microsoft's own security recommendations. The principle of least privilege (PoLP) suggests users should operate with the minimum permissions necessary to perform their duties.
Microsoft's documentation explicitly recommends against daily use of Domain Admin accounts:
# PowerShell example showing proper account separation
$regularUser = "XXXX\bpeikes"
$adminUser = "XXXX\adminbp"
# Check current user context (whoami prints DOMAIN\user in lower case; -eq compares case-insensitively)
if ((whoami) -eq $adminUser) {
    Write-Warning "You're logged in with admin privileges! Use $regularUser for daily work."
    Write-Output "From the standard account, start admin tools with: Start-Process powershell -Credential (Get-Credential '$adminUser')"
}
Three typical approaches exist in enterprise environments:
- Separate accounts (your approach, most secure)
- Domain Admin group membership (common but risky)
- Privileged Access Workstations (PAW, most enterprises)
Here's how to properly implement separate accounts in Active Directory:
# Create admin account with constrained privileges (passwords are prompted, never hardcoded in the script)
$adminPassword = Read-Host -AsSecureString -Prompt "Password for adminbp"
New-ADUser -Name "adminbp" -GivenName "Admin" -Surname "BP" -SamAccountName "adminbp" `
    -UserPrincipalName "adminbp@XXXX.com" -Path "OU=Admins,DC=XXXX,DC=com" `
    -AccountPassword $adminPassword -Enabled $true -ChangePasswordAtLogon $true
# Add to Domain Admins group
Add-ADGroupMember -Identity "Domain Admins" -Members "adminbp"
# Configure regular user with no special privileges
$userPassword = Read-Host -AsSecureString -Prompt "Password for bpeikes"
New-ADUser -Name "bpeikes" -GivenName "Bob" -Surname "Peikes" -SamAccountName "bpeikes" `
    -UserPrincipalName "bpeikes@XXXX.com" -Path "OU=Users,DC=XXXX,DC=com" `
    -AccountPassword $userPassword -Enabled $true
When implementing separate accounts:
- Never use Domain Admin accounts for email or web browsing
- Implement LAPS (Local Administrator Password Solution)
- Configure JEA (Just Enough Administration) where possible
- Use PAWs for sensitive administrative tasks
For organizations currently using single accounts:
# Audit current Domain Admin usage. Get-ADGroupMember returns ADPrincipal objects that carry no
# UserPrincipalName, so resolve each user (and skip nested groups/computers) before exporting.
Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Where-Object objectClass -eq "user" |
    Get-ADUser -Properties LastLogonDate |
    Select-Object Name, SamAccountName, UserPrincipalName, LastLogonDate |
    Export-Csv -Path "DomainAdminsAudit.csv" -NoTypeInformation
# Migration script example: create a dedicated admin_* account per member, then remove the everyday account from the group
$users = Import-Csv -Path "DomainAdminsAudit.csv"
foreach ($user in $users) {
    if ($user.SamAccountName -like "admin_*") { continue }   # already a dedicated admin account
    $newAdminName = "admin_" + $user.SamAccountName
    $tempPassword = Read-Host -AsSecureString -Prompt "Temporary password for $newAdminName"
    New-ADUser -Name $newAdminName -SamAccountName $newAdminName -Path "OU=Admins,DC=XXXX,DC=com" `
        -AccountPassword $tempPassword -Enabled $true -ChangePasswordAtLogon $true
    Add-ADGroupMember -Identity "Domain Admins" -Members $newAdminName
    Remove-ADGroupMember -Identity "Domain Admins" -Members $user.SamAccountName -Confirm:$false
}
Implement these monitoring techniques:
# Create alert for Domain Admin logons. Event 4624 carries no group membership, so watch 4672
# ("special privileges assigned to new logon") and match the account against the Domain Admins list.
$global:DomainAdmins = (Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Where-Object objectClass -eq "user").SamAccountName
# WQL subscription on the Security log (run elevated). Register-EngineEvent only handles
# PowerShell engine events, so a WMI event subscription is used instead.
$query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.Logfile = 'Security' AND TargetInstance.EventCode = 4672"
# Create the event subscription
$subscriptionArgs = @{
    Query            = $query
    SourceIdentifier = "DomainAdminAccess"
    Action           = {
        $record  = $Event.SourceEventArgs.NewEvent.TargetInstance
        # 4672 insertion strings: SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId, PrivilegeList
        $account = $record.InsertionStrings[1]
        if ($global:DomainAdmins -contains $account) {
            $message = "Domain Admin account used: {0} on {1}" -f $account, $record.ComputerName
            Send-MailMessage -To "security@XXXX.com" -From "alerts@XXXX.com" -Subject "Domain Admin Activity" -Body $message -SmtpServer "mail.XXXX.com"
        }
    }
}
Register-WmiEvent @subscriptionArgs
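As an added example (not part of the answer above), here is a PowerShell detection that reads Security 4624 records in the XML form that Get-WinEvent's ToXml() returns, resolves EventData fields by name instead of by positional index, and flags interactive-class Domain Admin logons on hosts that are not on a PAW allowlist. The host names, account names and sample events are constructed for the illustration.

```powershell
# Added example: flag Domain Admin interactive logons on non-PAW hosts from Security 4624 XML.
# Sample events, PAW list and account names below are constructed for illustration.

function ConvertFrom-SecurityEventXml {
    # Turn one record (the XML that Get-WinEvent's ToXml() returns) into a flat object,
    # looking up EventData fields by Name so the parser does not depend on positional indexes.
    param([Parameter(Mandatory)][string]$Xml)
    $doc  = [xml]$Xml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        EventId     = [int]$doc.Event.System.EventID
        Time        = [datetime]$doc.Event.System.TimeCreated.SystemTime
        Computer    = $doc.Event.System.Computer
        Account     = $data['TargetUserName']
        Domain      = $data['TargetDomainName']
        LogonType   = [int]$data['LogonType']
        Workstation = $data['WorkstationName']
        SourceIp    = $data['IpAddress']
    }
}

function Find-DomainAdminLogon {
    # Return logons by a Domain Admin that are interactive-class (2 local, 7 unlock, 10 RDP,
    # 11 cached) on a host outside the PAW allowlist. Network logons (type 3) are what a DA
    # legitimately produces when administering servers remotely, so they are not flagged.
    param(
        [Parameter(Mandatory)][string[]]$EventXml,
        [Parameter(Mandatory)][string[]]$DomainAdmins,
        [Parameter(Mandatory)][string[]]$PawHosts
    )
    $interactive = 2, 7, 10, 11
    $EventXml | ForEach-Object { ConvertFrom-SecurityEventXml -Xml $_ } |
        Where-Object {
            $_.EventId -eq 4624 -and
            $DomainAdmins -contains $_.Account -and
            $interactive -contains $_.LogonType -and
            $PawHosts -notcontains ($_.Computer -replace '\..*$', '')
        }
}

# Constructed sample records in the Security log's XML shape (fields trimmed to those used above)
function New-SampleEvent([string]$Computer, [string]$User, [int]$LogonType, [string]$Ip) {
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <TimeCreated SystemTime="2024-05-01T08:15:00.000Z"/><Computer>$Computer</Computer></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data><Data Name="TargetDomainName">XXXX</Data>
    <Data Name="LogonType">$LogonType</Data><Data Name="IpAddress">$Ip</Data>
    <Data Name="WorkstationName">$($Computer.Split('.')[0])</Data>
  </EventData>
</Event>
"@
}

$samples = @(
    (New-SampleEvent 'PAW01.XXXX.com' 'adminbp' 2  '127.0.0.1'),   # DA on a PAW: expected
    (New-SampleEvent 'WS17.XXXX.com'  'adminbp' 10 '10.1.2.3'),    # DA via RDP to a user workstation: flag
    (New-SampleEvent 'DC01.XXXX.com'  'adminbp' 3  '10.0.0.5'),    # DA network logon to a DC: normal admin work
    (New-SampleEvent 'WS17.XXXX.com'  'bpeikes' 2  '127.0.0.1')    # standard account: ignored
)

$alerts = Find-DomainAdminLogon -EventXml $samples -DomainAdmins @('adminbp') -PawHosts @('PAW01', 'PAW02')
$alerts | Format-Table Time, Account, Computer, LogonType, SourceIp
```

Against live data, feed the function the real records and the real group, for example `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 5000 | ForEach-Object { $_.ToXml() }` for `-EventXml` and `(Get-ADGroupMember 'Domain Admins' -Recursive).SamAccountName` for `-DomainAdmins`. Of the four constructed records only the RDP logon to WS17 meets all three conditions (Domain Admin, interactive-class logon type, host not in the PAW list); the PAW logon, the type-3 network logon to the DC and the standard account's logon are left alone.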
Your approach of maintaining separate standard user and admin accounts aligns perfectly with Microsoft's own Least Privilege Administrative Models. The security benefits are substantial:
# Example PowerShell to create admin account with constrained privileges
New-ADUser -Name "adminbp" -GivenName "Admin" -Surname "BP" -SamAccountName "adminbp" `
    -UserPrincipalName "adminbp@XXXX.com" -Path "OU=AdminAccounts,DC=XXXX,DC=com" `
    -AccountPassword (Read-Host -AsSecureString -Prompt "Password for adminbp") `
    -Enabled $true -PasswordNeverExpires $false -CannotChangePassword $false
Add-ADGroupMember -Identity "Domain Admins" -Members "adminbp"
# Mark the account "sensitive and cannot be delegated" so its credential cannot be reused through Kerberos delegation
Set-ADAccountControl -Identity "adminbp" -AccountNotDelegated $true -TrustedForDelegation $false
Persistent Domain Admin sessions create unnecessary attack surfaces. Consider these risks:
- Credential theft via Pass-the-Hash attacks
- Accidental privilege escalation through cached credentials
- Malware executing with elevated privileges
Here's how to properly implement RunAs:
# Create Desktop shortcut for admin tasks. No /savecred: a saved admin credential can be reused
# by anything running as the standard user, which defeats the point of separate accounts.
$Shell = New-Object -ComObject WScript.Shell
$Shortcut = $Shell.CreateShortcut("$env:USERPROFILE\Desktop\AdminConsole.lnk")
$Shortcut.TargetPath = "$env:windir\System32\runas.exe"
$Shortcut.Arguments = '/user:XXXX\adminbp "mmc.exe %windir%\system32\dsa.msc"'
$Shortcut.Save()
In larger organizations, we recommend:
# Group Policy for Admin Account Restrictions
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment:
- "Deny log on locally" = Domain Users
- "Allow log on through Remote Desktop Services" = Restricted Admin Groups
# PowerShell Just-In-Time admin access: time-bound group membership (requires the forest-level
# "Privileged Access Management Feature", Windows Server 2016 forest functional level or later;
# enabling the optional feature is a one-way change)
Enable-ADOptionalFeature -Identity "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target "XXXX.com"
Add-ADGroupMember -Identity "Domain Admins" -Members "adminbp" -MemberTimeToLive (New-TimeSpan -Hours 2)
# Show the remaining TTL per member; the membership is removed automatically when it expires
Get-ADGroup -Identity "Domain Admins" -Properties member -ShowMemberTimeToLive | Select-Object -ExpandProperty member
Implement these controls to track admin account usage:
# Enable detailed auditing. auditpol /subcategory takes subcategory names; "Detailed Tracking" and
# "Logon/Logoff" are categories, so list the subcategories that produce 4624, 4672, account and group changes.
auditpol /set /subcategory:"User Account Management","Security Group Management","Logon","Special Logon","Process Creation" /success:enable /failure:enable
# SIEM query example for admin activity monitoring (Splunk; match() takes a regex, not a wildcard)
index=windows (EventCode=4624 OR EventCode=4672)
| where match(user, "(?i)^admin")
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen by user, host, EventCode
| sort -last_seen
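As an added example (not part of the answer above), the following PowerShell audits every Domain Admin against the separated-account model the answer recommends: dedicated admin naming, no mailbox on the admin account, the "cannot be delegated" flag, no never-expiring password, and a paired everyday account for the same person. It runs offline on constructed objects shaped like Get-ADUser output; the `admin` naming prefix and pairing admin and standard accounts by EmployeeID are assumptions for the illustration.

```powershell
# Added example: audit Domain Admins against the separated-account model.
# Sample users, the "admin" prefix and EmployeeID pairing are constructed/assumed for illustration.

function Test-AdminAccountHygiene {
    param(
        [Parameter(Mandatory)][object[]]$Users,         # all user objects (admin and standard)
        [Parameter(Mandatory)][string[]]$DomainAdmins,  # SamAccountNames that are members of Domain Admins
        [string]$AdminPrefix = 'admin'                  # naming convention (assumed): adminbp or admin_bpeikes
    )
    $bySam = @{}
    foreach ($u in $Users) { $bySam[$u.SamAccountName] = $u }

    foreach ($sam in $DomainAdmins) {
        $u = $bySam[$sam]
        if (-not $u) {
            [pscustomobject]@{ Account = $sam; Finding = 'Domain Admin not present in the user export' }
            continue
        }
        $findings = @()
        if ($sam -notlike "$AdminPrefix*")   { $findings += 'admin rights on an account that is not a dedicated admin account' }
        if ($u.Mail)                         { $findings += 'mailbox attached: this account will end up used for email' }
        if (-not $u.AccountNotDelegated)     { $findings += 'not marked "sensitive and cannot be delegated"' }
        if ($u.PasswordNeverExpires)         { $findings += 'password never expires' }
        # A dedicated admin account should have a matching everyday account for the same person.
        # Pairing by EmployeeID is an assumption; use whatever attribute links the two accounts in your directory.
        $pair = $bySam.Values | Where-Object {
            $_.SamAccountName -ne $sam -and $_.EmployeeID -and $_.EmployeeID -eq $u.EmployeeID
        }
        if (-not $pair)                      { $findings += 'no paired standard account (same EmployeeID)' }
        foreach ($f in $findings) { [pscustomobject]@{ Account = $sam; Finding = $f } }
    }
}

# Constructed sample objects mirroring the Get-ADUser properties the checks read
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'bpeikes';    EmployeeID = '1001'; Mail = 'bpeikes@XXXX.com'; AccountNotDelegated = $false; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'adminbp';    EmployeeID = '1001'; Mail = $null;              AccountNotDelegated = $true;  PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'jdoe';       EmployeeID = '1002'; Mail = 'jdoe@XXXX.com';    AccountNotDelegated = $false; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc_backup'; EmployeeID = $null;  Mail = $null;              AccountNotDelegated = $false; PasswordNeverExpires = $true  }
)
$sampleDomainAdmins = 'adminbp', 'jdoe', 'svc_backup'

Test-AdminAccountHygiene -Users $sampleUsers -DomainAdmins $sampleDomainAdmins | Format-Table -AutoSize
```

Against a live domain, pass `Get-ADUser -Filter * -Properties Mail, EmployeeID, AccountNotDelegated, PasswordNeverExpires` as `-Users` and `(Get-ADGroupMember 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user').SamAccountName` as `-DomainAdmins`. In the constructed data adminbp produces no findings; jdoe (a person's everyday account sitting in Domain Admins) and svc_backup (a never-expiring service account with admin rights) each produce several, which is exactly the population the migration to dedicated admin accounts is meant to clean up.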