It really depends on what the service does which would dictate what the privileges are needed for the account. Some of these accounts can be slimmed down with respect to the domain-wide privileges they need, and some might not. If you want to hit me offline to discuss the particulars, I can advise you more on this. You are going in the right direction as a "risk-reduction" measure. Z
Edward E. Ziots Senior Informational Security Engineer CISSP,Security +,Network+ From: [email protected] To: [email protected] Date: Mon, 9 Jan 2012 17:41:19 +0000 Subject: Domain Admin accounts We have several service accounts that are Domain Admin – is there any way to test for what permissions these accounts actually need short of “removing DA and see what happens?”. I’m guessing no… David Lum Systems Engineer // NWEATM Office 503.548.5229 // Cell (voice/text) 503.267.9764 ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
