I’d like to learn more from SecFrame! Enter your email below

By David Rowe

4 reasons She Needs an Admin Account

When does anyone need an administrative account?

How can you find administrators on the horizon.  What universal rule can apply to force people into administrator accounts.  "If you are enacting change on a user, group, computer, or organizational unit you need an administrative account. "

The idea of an administrator account, an account used to perform administrative actions, had evolved. One iteration was create a separate administrator account for all domain admins. If this structure is not already in place in your environment, it should be adopted ASAP. It is a great idea to have in your environment. Now additions need to be added to this methodology.



 Privileged account Administrator

Today we will answer the "Who?" admin question:

Who needs an administrator account?


If you answer yes to any of the following scenarios, the person needs an administrator account.


Reason 1: Permissions are granted on user objects

User Permissions


Can this person affect anyone's:

  • Group membership
  • Manager
  • Security ACLS
  • Delete a user?
  • Create a user?
  • Disable a user?
  • Reset a users password?
  • Unexpire an expired password?
  • Change the smart card requirements?
  • Change the login script?
  • Set an SPN?



Reason 2: Permissions are granted on computer objects

Computer Permissions


Can this person perform these computer actions?

  • Create a computer
  • Deleted a computer
  • Set spn of a computer
  • Set Security ACLS on a computer?


Reason 3: Permissions are granted on group objects

Adding a User to a Group

Can this person perform these actions to any group?

  • Create a group
  • Delete a group
  • Change group membership
  • Add and remove users to a group
  • Change the group’s type
  • Change the ACLs on a group


Reason 4: Permissions are granted on OUs and Containers

Can this person perform these actions on organization units or containers?

  • Create / delete OUs
  • Link/unlink GPOs to OUs
  • Change precedence of GPOs
  • Change ACLs on an OU
  • Edit / delete a GPO
  • Change ACLs on a GPO


If the person answers yes to any of the items above for users, groups, computers, or containers, then this person needs an admin account.


If a person has access to any of the permissions above, there can be pathways for privilege access escalation. Extreme reading on priv escalation topic: An Ace up the sleeve


I placed a series of scripts in my git repo that assist in the creation of administrator accounts:


 In this folder of my ad tool repo are two scripts with a number of functions to assist in the provisioning and management of administrators in your domain. I will create a full guide on the admin creation scripts in later posts.



For the full ESAE series, please begin with: What is Microsoft ESAE?


For further reading on the admin account series, please visit the following links:

Who needs an admin account? This post!

What is an admin account? (What are the tiers?) 

When do you use an admin account? Todo

Where do you put an admin account?

Why do you use an admin account? Todo

How do you use an admin account? Todo


Interested in Learning More?


Tags: ESAE, Microsoft, Red Forest, Privileged Account Management

Interested in threat hunting?

BadBlood fills a domain with countless vulnerabilities. Every time it's run your domain is different! Download Badblood here.

Badblood download zip