Jump to content

Microsoft AD Service Accounts / Best Practices?


Recommended Posts

Dear all,

First off: I do not manage or create Microsoft Active Directory environments. I care about security components from Firewalls to SIEM/SOAR. So I don't need to get too technical about the configuration on a DC here.

However, I often need to ask customers to create or share credentials for some service accounts that need to be embedded in security components, such as:

  • An account which enables LDAP(s) queries
  • An account that grants access to the DC's Windows Event Logs
  • An account that may install software on an endpoint device (remotely)
  • A possibility for a (IT) user to change the IP address of a windows device manually (which currently results in local admin users)
  • Anything else I forgot about but you know?

Of course, I always want to keep a least privilege principle. But as I just ask the customers to create an account which can do these tasks, it often results in some kind of admin user (as these are server managers and not security staff).

Now, my question/discussion entry would be:

What should I tell my customer to pay attention to when creating these kinds of accounts? What are common pitfalls on AD account creation?


Thanks already for your input!


Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...