Domain Admins

General Mitigations

Do not allow or limit login of DAs to any other machine other than the Domain Controllers
If logins to some servers are necesarry, do not allow other administrators to login to that machine
Never run a service with Domain Admin privileges as it makes many credential theft protections useless in case of a service account

Temporary Group Membership

Temporarily add user to a group
Requires Privileged Access Management Feature to be enabled which can't be turned off later

Add-ADGroupMember -Identity 'Domain Admins' -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 20)

PreviousDetection & Defense NextArchitectural Changes

Last updated 2 years ago