ISM-1940

Service accounts are not members of the Domain Admins, Enterprise Admins or other highly-privileged security groups.

Topic
Microsoft Active Directory Domain Services security group memberships
Applicable to
all

History

Sep 2024
Service accounts are not members of the Domain Admins, Enterprise Admins or other highly-privileged security groups.
The existing control relating to service accounts being provisioned with the minimum privileges required and not being members of the Domain Admins security group, or similar highly-privileged security groups, was split into two separate controls (ISM-1833, ISM-1940).
A new control was added recommending that service accounts not be members of the Domain Admins, Enterprise Admins or other highly-privileged security groups.