When does anyone need an administrative account?
How can you find administrators on the horizon? What universal rule can you apply to move people into administrator accounts? "If you are enacting change on a user, group, computer, or organizational unit, you need an administrative account."
The idea of an administrator account, an account used to perform administrative actions, has evolved. One iteration was to create a separate administrator account for all domain admins. If this structure is not already in place in your environment, it should be adopted ASAP. It is a great idea to have in your environment. This methodology now needs additions.
Today we will answer the "Who?" admin question:
Who needs an administrator account?
If you answer yes to any of the following scenarios, the person needs an administrator account.
Reason 1: Permissions are granted on user objects
Can this person do any of the following to anyone's account?
- Change group membership
- Change security ACLs
- Delete a user
- Create a user
- Disable a user
- Reset a user's password
- Unexpire an expired password
- Change the smart card requirements
- Change the login script
- Set an SPN
Reason 2: Permissions are granted on computer objects
Can this person perform these computer actions?
- Create a computer
- Delete a computer
- Set the SPN of a computer
- Set security ACLs on a computer
Reason 3: Permissions are granted on group objects
Can this person perform these actions to any group?
- Create a group
- Delete a group
- Change group membership
- Add and remove users to a group
- Change the group’s type
- Change the ACLs on a group
Reason 4: Permissions are granted on OUs and Containers
Can this person perform these actions on organizational units or containers?
- Create / delete OUs
- Link/unlink GPOs to OUs
- Change precedence of GPOs
- Change ACLs on an OU
- Edit / delete a GPO
- Change ACLs on a GPO
If the answer is yes to any of the items above for users, groups, computers, or containers, then this person needs an admin account.
If a person has access to any of the permissions above, there can be pathways for privilege escalation. In-depth reading on the privilege escalation topic: An ACE Up the Sleeve
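One way to answer the four checklists from the directory itself is to list who has been explicitly granted change rights on the domain root, OUs and containers. This is an added example, not one of the scripts from the author's repo; the `$expected` trustee pattern is an assumption to adjust for your domain, and the script needs the RSAT ActiveDirectory module.

```powershell
# Added example: read-only audit of delegated change rights in the current domain.
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory

# Rights that let a trustee change objects. GenericAll and GenericWrite
# contain these bits, so ACEs granting them match as well.
$changeRights = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner, WriteProperty, CreateChild, DeleteChild, Delete, DeleteTree, ExtendedRight, Self'

# Assumption: trustees expected to hold change rights. Edit for your domain.
$expected = '^(NT AUTHORITY\\(SYSTEM|SELF)|BUILTIN\\Administrators|CREATOR OWNER|.+\\(Domain|Enterprise) Admins)$'

# "Change Password" (users changing their own password) is granted widely by default.
$changePassword = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

# Delegation is normally set on the domain root, OUs and containers and inherited downward.
$filter = '(|(objectClass=domainDNS)(objectClass=organizationalUnit)(objectClass=container))'
$base   = (Get-ADDomain).DistinguishedName

$findings = foreach ($obj in Get-ADObject -LDAPFilter $filter -SearchBase $base) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        $grantsChange  = ([int]$ace.ActiveDirectoryRights -band [int]$changeRights) -ne 0
        $isSelfService = $ace.ActiveDirectoryRights -eq 'ExtendedRight' -and
                         $ace.ObjectType -eq $changePassword
        # Keep explicit Allow ACEs only: they show where the right was delegated.
        if ($ace.AccessControlType -eq 'Allow' -and -not $ace.IsInherited -and
            $grantsChange -and -not $isSelfService -and
            $ace.IdentityReference.Value -notmatch $expected) {
            [pscustomobject]@{
                Trustee     = $ace.IdentityReference.Value
                Rights      = $ace.ActiveDirectoryRights
                GrantedOn   = $obj.DistinguishedName
                AppliesTo   = $ace.InheritedObjectType   # class GUID; all zeros = any class
                Attribute   = $ace.ObjectType            # property/right GUID; all zeros = all
                Inheritance = $ace.InheritanceType
            }
        }
    }
}

# Every trustee listed (and every member of a listed group) is a candidate for an admin account.
$findings | Sort-Object Trustee, GrantedOn | Format-Table -AutoSize -Wrap
```

The `AppliesTo` GUID identifies the object class an inherited ACE targets, which tells you whether a finding falls under the user, computer, group or OU checklist.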
I placed a series of scripts in my git repo that assist in the creation of administrator accounts:
In this folder of my AD tool repo are two scripts with a number of functions to assist in the provisioning and management of administrators in your domain. I will create a full guide on the admin creation scripts in later posts.
For the full ESAE series, please begin with: What is Microsoft ESAE?
For further reading on the admin account series, please visit the following links:
Who needs an admin account? This post!
When do you use an admin account? Todo
Why do you use an admin account? Todo
How do you use an admin account? Todo