Giving Users Domain Administrator Access is a VERY Bad Idea

Published On: April 30, 2022

We often get the request – “Can one key person or lots of users have Domain Administrator rights to the network?”

This document looks to detail the reasons why this tends to generate a number of challenges for your organization.

First, let’s give you an analogy… If a person (no matter how well-intentioned) walks around all day, every day holding a lit candle, trying not to drop it, burn their hand (with the hot wax), burn anyone else, or set anything on fire, sooner or later… it’s going to end badly. The only question is: how badly?

The exact same issue occurs with giving any users domain administrator rights…it’s going to end badly.

Why network security is important:

  • Accidents

We deal with the results of wrong clicks, typos, and slips for our clients every day. With normal rights, this can affect either just that user or the common areas (on the network) that the user shares with others. With domain administrator rights, the effects can be dramatically larger: affecting secure areas on the network, bringing the network down, removing the ability to access files (either locally or on the network), dramatically reducing network performance, and locking out entire sections of the network from being backed up.

  • Fooled

When a user with domain administrator rights is fooled into clicking on an email with some sort of infection mechanism, or just visits an infected website, the risk jumps from their computer (and maybe files on the server) to a complete meltdown of all servers and workstations on the entire network, often with ransomware. Much of today’s malware includes multiple attack vectors, so the more files and access it has (via domain administrator rights) once it gets in the door, the more damage it can do.

  • Good Intentions / Bad Consequences

When a user uses their Domain Administrator permissions to grant or change file/folder rights, or to modify settings like encryption or compression, they often expose the organization to risks that are only uncovered when a second event (sometimes much later) occurs. These secondary events often involve either a failure or a security issue – like needing to recover files (which now can’t be recovered), a user departure (on less than agreeable terms), or a security issue from outside (like ransomware or a bad actor).

  • The “Typhoid Mary” issue

When someone has domain administrator rights, the potential for apps to auto-run during logon and on insertion of things like USB sticks goes up. Malware often includes an auto-reinfection mechanism to reinstall itself after removal. If you add to that a roaming characteristic (where the user touches multiple computers or even servers), you end up with a “Typhoid Mary” who spreads infection(s) throughout the enterprise.

  • Departures

When an employee is looking to leave an organization, domain administrator rights can generate a significant issue. The issue can occur for the user who actually has domain administrator rights or for a user/folder whose access has been previously “tuned” by the actual user with administrator rights. In both cases, it significantly increases the level of damage. Here are the two ways we’ve seen this play out:

The departing user deletes important info (often that the organization’s management didn’t realize they had access to) as part of the departure.

The user copies the data (often that the organization’s management didn’t realize they had access to) and brings it with them – for their new job or other less than honorable intentions.

  • Cleanups

When issues are discovered based on changes made or damage done using the domain administrator rights, uncovering and resolving all the areas that were affected can be a very time-consuming process. This is particularly true in the non-malicious cases, where someone was being helpful/expedient, made changes throughout the infrastructure over time, and honestly can’t remember where the changes were made.
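
One way to check who currently holds these rights, including accounts that received them through a nested group and that management may not know about. This is an added example, not part of the original article; it assumes a single domain, the ActiveDirectory PowerShell module, and a 90-day staleness threshold chosen for illustration.

```powershell
# Added example: audit who holds domain-wide admin rights, including via nested groups.
# Requires the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

$groups = 'Domain Admins', 'Administrators'   # present in every AD domain
$staleAfterDays = 90                          # assumption: review threshold, tune to policy
$cutoff = (Get-Date).AddDays(-$staleAfterDays)

$report = foreach ($group in $groups) {
    # Direct members only, so nested grants can be told apart below.
    $direct = @(Get-ADGroupMember -Identity $group | ForEach-Object { $_.distinguishedName })

    # -Recursive flattens nested groups into the users who actually hold the rights.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires

            [pscustomobject]@{
                Group                = $group
                Account              = $u.SamAccountName
                Enabled              = $u.Enabled
                ViaNestedGroup       = $direct -notcontains $u.DistinguishedName
                LastLogonDate        = $u.LastLogonDate
                Stale                = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $cutoff)
                PasswordLastSet      = $u.PasswordLastSet
                PasswordNeverExpires = $u.PasswordNeverExpires
            }
        }
}

# Enabled accounts first, then those that got their rights indirectly.
$report |
    Sort-Object Group, @{ Expression = 'Enabled'; Descending = $true }, ViaNestedGroup, Account |
    Format-Table -AutoSize

# Keep a dated copy so the next review can be diffed against this one.
$report | Export-Csv -Path ".\privileged-accounts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

`LastLogonDate` is replicated between domain controllers with a delay of up to about two weeks, so treat the `Stale` column as a prompt for review rather than an exact measure.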


Bill Hogan - Partners Plus, Managed IT Services and IT Support

Bill Hogan is the Owner and President of Partners Plus. He has 40 years of experience in the technology industry, specifically IT support services. Bill has spoken at seminars all over the country about network management. Partners Plus was selected by PHL17 as the best Computer and Information Technology Support Company in the greater Philadelphia area in 2018.
