Domain Admins

General Mitigations

• Do not allow or limit login of DAs to any other machine other than the Domain Controllers

• If logins to some servers are necesarry, do not allow other administrators to login to that machine

• Never run a service with Domain Admin privileges as it makes many credential theft protections useless in case of a service account

Temporary Group Membership

• Temporarily add user to a group

• Requires Privileged Access Management Feature to be enabled which can't be turned off later

Add-ADGroupMember -Identity 'Domain Admins' -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 20)