Security risk of using a domain admin account full-time

If someone works as a system admin, and they are part of a group that is added as a local admin to most servers anyway (so they can manage the systems)...

How much more dangerous would it be to have 'domain admin rights'? (which would eliminate the need to be a local admin)

Of course, having domain admin rights does mean there'd be some additional servers in the environment that someone could access should their login be compromised.

But I'm trying to gauge the risk of granting a person domain admin rights on their AD user account (which means they do everything as a domain admin, including when they are working on their own desktop machine).

(The gist of the question is, if the user has local admin to many systems anyway, how bad is it to just give them domain admin rights in terms of security risks? This is a trusted employee, so it's not about trust but about what if their account is compromised: would the damage be higher than now?)
Toni Uranjek (Consultant/Trainer) commented:
Very bad.

Use the domain admin account only to perform tasks related to the domain.

You have Account Operators, who can perform most user account tasks.

You have Server Operators, to administer all aspects of all servers.

If you use the domain admin account for daily tasks, you should know that its password can be easily extracted from any computer in case of a security breach.

Aim for an environment where most tasks are completed with regular accounts with proper group membership and proper delegation of control.

In my opinion, members of Domain Admins should log on to Domain Controllers only.

If you need further explanation let me know.

Joseph Moody (Blogger and wearer of all hats) commented:
My first thoughts: Very bad.

Need more - see Toni's reply. :)
Vas (Author) commented:
Thanks Toni. Yes, if you can, please elaborate on how the password of a user who has domain admin rights can be compromised more easily than that of a regular AD user who has local admin rights on a system (by way of being added to the local administrators group), as this is the current scenario.

Also, what would be your recommendation for AD users who need to admin servers (such as manage IIS, move files around, edit the registry, install applications, etc.)?
Benjamin Voglar (IT Pro) commented:
Once we knew what kind of security hole Microsoft has (all local administrators can easily get all passwords used on a computer/server), we adopted a new strategy for the use of our user accounts.

We split computers and servers into zones:

1. Zone 1 - Client computers (no user has local admin rights) - administrators use a desktop admin account (disabled by default)
2. Zone 2 - Servers - administrators use a server admin account (disabled by default)
3. Zone 3 - Domain Controllers - administrators use a domain admin account (disabled by default)

We have developed an application with which the administrator must first enable a specific user account (zone 1, 2, 3), and the zone 1/2/3 user account is automatically disabled again after 16:00.

I think that Toni would write the same, so mark him as the answer.
Lee W, MVP (Technology and Business Process Advisor) commented:
As stated, VERY BAD.  Do you know how many web sites get hacked?  LEGITIMATE SITES that SHOULD be safe, emails that look just too good and trick people into opening an attachment because the timing is right (they were expecting a UPS package, Xerox scan, fax, etc.) can be infected with malware that ends up embedding itself in your system.  If that malware is a worm, it could easily spread through your ENTIRE network.  Give them domain admin rights and your entire AD could need to be restored from backup or rebuilt.  Strictly speaking, NO USER - EVEN YOUR tech support people - should have domain admin (or even admin) rights to everything with their regular user accounts.  It's a huge potential security risk.  Give them a second account - if the tech is John Smith with a jsmith account, then make a jsmith-admin account - they have to use that when they need to perform ANY administrative task on any system.

The one exception I can sometimes agree to: admin rights on their own personal local machine - if they get infected and ONLY have admin rights on their system, then ONLY their system (and PERHAPS file shares they have access to) are in trouble.

With your users as domain admins, how would you like to get infected with Cryptolocker or a similar malware and have to pay the extortion to recover because your techs were too lazy to type the password and admin account name whenever they needed to do something administrative?
Toni Uranjek (Consultant/Trainer) commented:
OK. Giving users local administrator privileges is also a very bad idea.

BUT, if domain admins do not log on to a compromised workstation, you might be safe.

Installation of programs does require local administrative privileges, but in MS environments there are other possibilities, like installing programs with GPO or using SCCM.
David Johnson, CD, MVP (Owner) commented:
If you're hoping someone will say "not recommended but not a bad idea", you're looking in the wrong area. You should be looking at giving the least amount of privileges for the user to do the majority of their work. For situations where those privileges don't work, give just enough permissions to do that task for a limited amount of time. To do otherwise defeats the security measures designed into the operating system and leaves a gaping wide security hole. Security and convenience work against each other: you increase one and you decrease the other.
I wrote an article about safe support of workstations. It could be used for (non-DC) servers, too, and eliminates the need for accounts that are admins on more than one machine.

That said, you wrote that you want to "gauge the risk". You don't take risks with the domain admin account. It is only there for administering the domain.
Let's think about the following:
By default, Microsoft inserts that domain admin group in the local administrator group of any workstation or server that you join to a domain.
->Why would Microsoft design it that way?<-
They recommend not to use this account on workstations - why did they put it in the local administrator group, in the first place!? The answer is: convenience. It should help people that don't care about security and that are not capable of handling things securely to maintain things. I hope you will not feel you need that convenience.

There is no room for arguing - domain admins should not be used but for tasks that require domain admin credentials.
andreas (System Admin) commented:
Agree to all above. VERY BAD idea.

Here we practice the rule that domain admin credentials are only ALLOWED to be entered at the physical console of the server itself (yes, you need to walk to the rack and work there). Not even via RDP or other remote access.

This is for just one reason: if the machine you come from to connect remotely to the server has malware, your domain admin account will be compromised, and if this happens you NEED to restore your ENTIRE domain from backups or build it again from scratch. BOTH is a nightmare and a worst case.

You really do not want to take this risk.
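The answers above amount to one policy: Domain Admins log on to domain controllers only (Toni), admin accounts stay inside their zone (Benjamin), people use a dedicated admin account rather than their everyday one (Lee W), and domain admin credentials are typed only at the console, never over RDP (andreas). The script below is an added example, not code from the thread or from any answerer; it audits a constructed export of Windows Security 4624 logon events against those rules so a defender can see where the current "everyone is a domain admin" setup would light up. The host inventory, group membership, admin-account suffixes and event lines are all made up for the example.

```python
"""Audit Windows Security 4624 logon events against a tiered-admin model.

Constructed example for the thread above (not Experts Exchange code).
Rules encoded: domain-tier accounts only on DCs and only at the console
(logon type 2); server/desktop-tier accounts only in their own zone;
admin-group members should be dedicated admin accounts, not daily logins.
"""
from dataclasses import dataclass
from typing import Optional

# Zone of each host (constructed inventory; real data comes from AD or a CMDB).
HOST_ZONE = {
    "DC01": "dc", "DC02": "dc",
    "FILE01": "server", "IIS01": "server",
    "WS-VAS": "client", "WS-JSMITH": "client",
}

# Admin group -> tier, and the one zone each tier may log on to.
GROUP_TIER = {"Domain Admins": "domain", "Server Admins": "server", "Desktop Admins": "desktop"}
TIER_ZONE = {"domain": "dc", "server": "server", "desktop": "client"}

# Group membership (constructed). 'vas' is an everyday account placed straight
# into Domain Admins, the situation the question describes.
MEMBERSHIP = {
    "Domain Admins": {"vas", "toni-da"},
    "Server Admins": {"jsmith-srvadm"},
    "Desktop Admins": {"jsmith-wsadm"},
}

CONSOLE = 2  # 4624 Logon Type 2 = Interactive (keyboard at the machine)
LOGON_TYPE_NAME = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}


@dataclass(frozen=True)
class Finding:
    account: str
    host: str
    reason: str


def account_tier(account: str) -> Optional[str]:
    """Return the admin tier of an account, or None if it is unprivileged."""
    for group, members in MEMBERSHIP.items():
        if account in members:
            return GROUP_TIER[group]
    return None


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value Key=Value' line of the constructed 4624 export."""
    return dict(field.split("=", 1) for field in line.split())


def audit_logon(event: dict) -> list:
    """Apply the tier rules to a single 4624 event; return the violations."""
    account = event["TargetUserName"].lower()
    host = event["Computer"].upper()
    logon_type = int(event["LogonType"])
    tier = account_tier(account)
    if tier is None:
        return []  # ordinary user: out of scope for this audit
    findings = []
    zone = HOST_ZONE.get(host)
    if zone is None:
        findings.append(Finding(account, host, "admin logon to host missing from inventory"))
    elif zone != TIER_ZONE[tier]:
        findings.append(Finding(account, host, f"{tier}-tier account used in {zone} zone"))
    if tier == "domain" and logon_type != CONSOLE:
        name = LOGON_TYPE_NAME.get(logon_type, str(logon_type))
        findings.append(Finding(account, host, f"domain admin logon type {name}, console required"))
    return findings


def audit(lines) -> list:
    """Run audit_logon over every line of the export."""
    findings = []
    for line in lines:
        findings.extend(audit_logon(parse_event(line)))
    return findings


def shared_admin_accounts(suffixes=("-da", "-srvadm", "-wsadm")) -> set:
    """Admin-group members that do not follow the dedicated-admin naming convention."""
    return {m for members in MEMBERSHIP.values() for m in members if not m.endswith(suffixes)}


# Constructed export: one 4624 event per line, field names as in the event XML.
SAMPLE_EVENTS = [
    "Computer=DC01 TargetUserName=toni-da LogonType=2 IpAddress=-",
    "Computer=WS-VAS TargetUserName=vas LogonType=2 IpAddress=-",
    "Computer=FILE01 TargetUserName=vas LogonType=10 IpAddress=10.0.5.21",
    "Computer=DC02 TargetUserName=toni-da LogonType=10 IpAddress=10.0.5.21",
    "Computer=IIS01 TargetUserName=jsmith-srvadm LogonType=10 IpAddress=10.0.5.22",
    "Computer=IIS01 TargetUserName=jsmith-wsadm LogonType=3 IpAddress=10.0.5.22",
    "Computer=WS-JSMITH TargetUserName=jsmith LogonType=2 IpAddress=-",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(f"{f.account:14} {f.host:10} {f.reason}")
    print("accounts to split into a user + admin pair:", sorted(shared_admin_accounts()))
```

Against the sample export the audit flags five logons: the everyday account `vas` being a domain admin on its own workstation and on a file server (the latter also over RDP), the dedicated `toni-da` account reaching a DC via RDP instead of the console, and a desktop-tier account used on a server. The naming check singles out `vas` as the account that should be split into a user account plus a separate admin account, which is exactly the change the answers recommend. In a real environment the same rules would be fed from `Get-WinEvent` output and AD group membership rather than the constructed tables.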
Vas (Author) commented:
Thanks all. I'll try to divvy up the points since you were all helpful.

I wasn't asking because I wanted to do this by the way, I'm aware of such a situation somewhere and wanted to advise them on exactly why this isn't a secure way to do things.