Hi!
I'm working on a procedure for managing service accounts.
I'm pretty sure of the order in which you should use the different account types in order to implement the "principle of least privilege".
In certain situations you are forced to use a domain account; what I can't figure out is whether there is any point in removing the domain account from the "Domain Users" group.
I thought of this since I'm not sure which resources "Domain Users" has been granted access to, directly or indirectly via the local "Users" group. By creating a completely new group, making it the primary group for the account and then removing the membership in "Domain Users", I would take back that control for the service accounts.
However, I found out that on Windows computers the group "NT AUTHORITY\Authenticated Users" is a member of the local "Users" group. So, if an account in the domain (not a member of "Domain Users") is still considered a member of NT AUTHORITY\Authenticated Users, I guess there is no point in doing this, or is there? They will end up in the local "Users" group on every system anyway.
Sincerely
Peter
Service accounts and NT AUTHORITY\Authenticated Users
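As an added worked example (not part of Peter's post or any answer to it), the PowerShell sequence below performs the change he describes (dedicated primary group, then removal from "Domain Users") and then checks both the directory side and the logon-token side. The account name svc-app and the group name SvcAccounts-PrimaryGroup are hypothetical; it assumes a domain-joined machine with the ActiveDirectory RSAT module and the Microsoft.PowerShell.LocalAccounts module available.

```powershell
# Added example, not code from the original post.
# Hypothetical names: service account 'svc-app', new primary group
# 'SvcAccounts-PrimaryGroup'. Run on a domain-joined machine with RSAT.
Import-Module ActiveDirectory

$Svc     = 'svc-app'
$NewPrim = 'SvcAccounts-PrimaryGroup'

# 1. Who is in the local "Users" group on this machine? On a domain-joined
#    system this normally includes NT AUTHORITY\Authenticated Users (S-1-5-11)
#    and NT AUTHORITY\INTERACTIVE (S-1-5-4), so every domain account that
#    authenticates here is an indirect member of BUILTIN\Users.
Get-LocalGroupMember -Group 'Users' |
    Select-Object Name, SID, PrincipalSource

# 2. Create the dedicated primary group and add the account to it. The
#    account must already be a member before primaryGroupID can point at it.
if (-not (Get-ADGroup -Filter "Name -eq '$NewPrim'")) {
    New-ADGroup -Name $NewPrim -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $NewPrim -Members $Svc

# 3. Make the new group primary. primaryGroupID holds the RID of the group,
#    which the group object exposes as the constructed attribute primaryGroupToken.
$Rid = (Get-ADGroup -Identity $NewPrim -Properties primaryGroupToken).primaryGroupToken
Set-ADUser -Identity $Svc -Replace @{ primaryGroupID = $Rid }

# 4. Only now can the membership in "Domain Users" (RID 513) be removed.
Remove-ADGroupMember -Identity 'Domain Users' -Members $Svc -Confirm:$false

# 5. Verify the directory side.
Get-ADUser -Identity $Svc -Properties primaryGroupID, MemberOf |
    Select-Object SamAccountName, primaryGroupID, MemberOf

# 6. Verify the token side. Run this part in a session started as the service
#    account (for example: runas /user:DOMAIN\svc-app powershell). The Domain
#    Users SID is gone, but S-1-5-11 (Authenticated Users) is still present and,
#    through it, S-1-5-32-545 (BUILTIN\Users) on the local machine.
$Id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$Sids = $Id.Groups | ForEach-Object { $_.Value }
[pscustomobject]@{
    User               = $Id.Name
    AuthenticatedUsers = $Sids -contains 'S-1-5-11'
    BuiltinUsers       = $Sids -contains 'S-1-5-32-545'
    DomainUsers        = $Sids -contains ((Get-ADDomain).DomainSID.Value + '-513')
}
```

The token check in step 6 shows where the change actually bites: Authenticated Users is a well-known SID that the LSA adds to every non-anonymous logon token, so nothing done in the directory removes it, and the local "Users" membership it confers stays. What the change does remove is the domain-specific "Domain Users" SID (RID 513), so any ACL or group nesting that grants access to "Domain Users" explicitly no longer applies to the service account.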