deny local logon
Posted on 2016-10-18
From the results of a recent pen test, despite us having a domain password policy that adheres to Microsoft's own recommendations, the security testers flagged up some powerful accounts (domain admins) with easily compromised passwords. Whereas we have strengthened these as per their recommendations, these accounts had been subject to a GPO that denies local logon to any system. They appear to link to service accounts which clearly shouldn't be domain admins but were set up by an old 3rd party who managed IT support.
My question, out of curiosity, is this: our security team seem to think the fact these accounts are prevented from local logon vastly reduces the risk if these accounts were compromised. What is your view? I presume there are still other methods that could be used if these accounts were compromised, to access systems and resources (e.g. perhaps used to map a network drive to a system with sensitive info). Or do you agree with our security team that the fact the accounts are subject to a GPO that denies local logon therefore reduces the impact if someone guessed these supposedly weak passwords?
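An added example, not part of the original post: the GPO setting described above maps to one user right, `SeDenyInteractiveLogonRight`, and the other logon types each have their own deny right. This sketch reads a `secedit /export /cfg out.inf /areas USER_RIGHTS` export and reports which deny rights list a given account; the sample export, the account name `svc_backup` and the SID are constructed, and group membership is not resolved (only principals named directly in the export are matched).

```python
# Added example: constructed data, hypothetical account name and SID.
DENY_RIGHTS = {
    "SeDenyInteractiveLogonRight": "Deny log on locally",
    "SeDenyNetworkLogonRight": "Deny access to this computer from the network",
    "SeDenyRemoteInteractiveLogonRight": "Deny log on through Remote Desktop Services",
    "SeDenyBatchLogonRight": "Deny log on as a batch job",
    "SeDenyServiceLogonRight": "Deny log on as a service",
}

# Constructed sample in the layout secedit writes (the real file is usually
# UTF-16, so open it with encoding="utf-16" before passing the text in).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1105,svc_backup
SeDenyNetworkLogonRight = Guest
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right name: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are exported with a leading '*'; names are case-insensitive.
            rights[name.strip()] = {
                p.strip().lstrip("*").lower() for p in value.split(",") if p.strip()
            }
    return rights

def deny_coverage(inf_text, principals):
    """Map each deny right's display name to True if any given principal is listed."""
    rights = parse_privilege_rights(inf_text)
    wanted = {p.lower() for p in principals}
    return {label: bool(rights.get(key, set()) & wanted)
            for key, label in DENY_RIGHTS.items()}

if __name__ == "__main__":
    for label, denied in deny_coverage(SAMPLE_INF, ["svc_backup"]).items():
        print(f"{'DENIED    ' if denied else 'not denied'}  {label}")
```

Pass both the account name and its SID, plus any groups it belongs to, since the export may list any of them.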