HOW-TO GUIDE | IDENTITY SECURITY
Updated 12 min read

My Service Account Has Domain Admin Rights. How Do I Remove Them Without Breaking Production?

68%
Of Active Directory environments have at least one service account with Domain Admin rights (Semperis, 2025)
100%
Of Kerberoasted service accounts with DA rights that provide an attacker with full domain compromise if cracked
3
Phases required for a safe least-privilege migration: discovery, permission mapping, and staged rollout
120 chars
Minimum length for a gMSA password: auto-rotated, never known to humans, eliminates the Kerberoasting risk

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The service account has had Domain Admin rights 'since before anyone can remember.' It probably got DA because the software installation guide said to run setup as a domain admin, or because the person who set it up wanted to avoid permission errors. Now it runs a critical service, and nobody knows exactly what it accesses.

Just removing DA will almost certainly break something. But leaving DA in place means every Kerberoasting scan that enumerates the account gives an attacker a path to full domain compromise if they crack the hash.

The safe path requires three phases, each of which is a prerequisite for the next.

Phase 1: Discovery: Find Out What the Account Actually Does

Before touching any permissions, you need to know exactly what the service account accesses. Assume the documentation is wrong or missing: verify against actual usage.

Enable account audit logging for the service account:

In Active Directory, configure detailed auditing for the specific account:

# Find the service account's DN
Get-ADUser -Identity "svc-sql" -Properties DistinguishedName

Then enable 'Audit Directory Service Access' in your Group Policy so any object accessed by this account is logged. This is broad and generates volume: run it for 5-7 business days to capture a full operational cycle including any weekly or monthly scheduled tasks.

Review Windows Security Event ID 4624 (logon) for the account:

# On each domain controller and server where the account might be used
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
    Where-Object { $_.Properties[5].Value -eq 'svc-sql' } |
    Select-Object TimeCreated, @{N='LogonType';E={$_.Properties[8].Value}}, @{N='SourceIP';E={$_.Properties[18].Value}}

This tells you: which machines the account is authenticating to, what logon type (interactive vs. network vs. service), and at what times. Build a list of every machine and service that uses this account.

Identify what the service actually does with DA rights:

For each machine identified:

  1. What service or application runs as this account?
  2. What does that service do: read files, write to a database, query AD, manage other services?
  3. Does that function actually require DA, or was DA given because the setup guide said so?

Most service accounts with DA rights were given DA for one of three reasons:

  • The installer required domain admin credentials (but the service itself does not)
  • Someone gave DA to avoid debugging specific permission errors during setup
  • The service was migrated from a less secure environment and DA was never revisited

Common operations that do NOT require Domain Admin:

  • Reading from a SQL database (requires database-level read rights, not AD rights)
  • Writing log files to a file share (requires share/NTFS permissions)
  • Querying AD for user attributes (requires read access to specific OU, not DA)
  • Running scheduled tasks (requires local admin on the target machine, not DA)

Phase 2: Map Minimum Required Permissions

For each operation you discovered in Phase 1, determine the minimum permission required.

Common permission mappings:

OperationWhat was grantedWhat is actually required
Read user attributes from ADDomain AdminRead access to specific attribute on target OU (delegated via ADUC)
Write to a file server shareDomain AdminShare permission: Change + NTFS: Modify on specific path
Run services on remote machinesDomain Admin'Log on as a service' right on specific machines via GPO
Query WMI on remote machinesDomain AdminRemote Management Users group on specific machines
Manage print spoolerDomain AdminPrint Operators on specific print servers
Backup files from serversDomain AdminBackup Operators on specific servers

Test minimum permissions without removing DA yet:

Create a new test account with only the minimum permissions you mapped:

New-ADUser -Name "svc-sql-test" -SamAccountName "svc-sql-test" -UserPrincipalName "svc-sql-test@domain.com" -AccountPassword (ConvertTo-SecureString 'ComplexP@ssw0rd!' -AsPlainText -Force) -Enabled $true

Grant this test account only the minimum permissions, then verify each operation works correctly using the test account in a non-production environment. This validation step is the difference between a smooth migration and an emergency rollback.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Phase 3: Staged Migration With Rollback Ready

Never remove DA from a production service account without a rollback plan. The rollback plan is simple: restore DA membership. Document the restore command before you execute the migration:

# Rollback command (have this ready before removing DA)
Add-ADGroupMember -Identity "Domain Admins" -Members "svc-sql"

Migration steps:

  1. Grant the minimum permissions to the existing svc-sql account (do not remove DA yet). Add the specific delegated permissions, share permissions, and group memberships identified in Phase 2.

  2. Restart the dependent services and monitor for errors for 48 hours. Watch application event logs on every machine where the service runs. Any 'Access Denied' or authentication errors surface the permissions you missed.

  3. After 48-72 hours with no errors, remove the Domain Admins group membership:

Remove-ADGroupMember -Identity "Domain Admins" -Members "svc-sql" -Confirm:$false
  1. Force a Kerberos ticket refresh for the service account: existing TGTs carry the old group memberships for up to 10 hours. Force a logoff or service restart on each machine where the account is used.

  2. Monitor for 48 more hours with the DA membership removed. This is the critical window: any missed permission surfaces as an error.

  3. If any error appears: restore DA immediately using the rollback command, identify the missed permission, add the specific minimum permission, and repeat the removal after a 24-hour wait.

After successful migration: convert to a Group Managed Service Account (gMSA).

A gMSA is an AD-managed service account with a 120-character randomly generated password that rotates automatically every 30 days. No human ever knows the password, eliminating the Kerberoasting risk and the password management burden entirely.

# Create gMSA
New-ADServiceAccount -Name "gMSA-sql" -DNSHostName "gMSA-sql.domain.com" -PrincipalsAllowedToRetrieveManagedPassword "SERVER01$", "SERVER02$"

# Install on target server
Install-ADServiceAccount -Identity "gMSA-sql"

# Configure the service to use gMSA (use 'domain\gMSA-sql$' as the account, blank password)

The gMSA replaces the original service account permanently. The old account can then be disabled and eventually deleted after a 30-day observation period confirming no dependencies remain.

What to Do If the Service Genuinely Requires Domain Admin

Occasionally, an application legitimately requires domain-level privileges: AD management tools, identity governance platforms, and some backup solutions have legitimate reasons to access AD objects broadly.

If after Phase 1 discovery you find the service actually requires broad AD access, the remediation is not 'give it DA and accept the risk.' The remediation options are:

Option 1: Delegate specific AD permissions rather than using DA group membership. Even if the service needs to read and write many AD objects, it probably does not need all DA capabilities (like adding members to privileged groups or modifying schema). Use AD delegation to grant exactly what is needed without DA group membership.

Option 2: Use Microsoft Entra ID (if applicable). Modern identity governance platforms often have Entra ID connectors that operate with service principal permissions rather than on-premises DA rights.

Option 3: Migrate to an AD Tier 0 account with hardened controls. If DA is genuinely required, the account should be a Tier 0 privileged account subject to Privileged Access Workstation (PAW) requirements: only used from hardened PAW machines, MFA required for any interactive use, all interactive sessions logged and reviewed.

The goal is that no service account with broad AD access also has a Kerberoastable SPN registered. If DA is genuinely required, at minimum remove the SPN so the account cannot be targeted via Kerberoasting: Set-ADUser -Identity "svc-ad-mgmt" -ServicePrincipalNames @{Remove="MSSQLSvc/server:1433"}

The bottom line

Removing Domain Admin from an over-privileged service account safely requires three phases: discover what the account actually accesses by reviewing 5-7 days of authentication logs, map each access requirement to the minimum delegated permission, and migrate with the rollback command documented before you execute. Never remove DA without completing discovery: missed permissions cause production outages. After successful migration, convert to a Group Managed Service Account (gMSA) to eliminate the Kerberoasting risk permanently.

Frequently asked questions

How do I safely remove Domain Admin from a service account?

Follow three phases: discovery (enable authentication logging for the account for 5-7 days to identify every resource it accesses), permission mapping (determine the minimum delegated permissions for each discovered access), and staged migration (grant minimum permissions first, monitor for 48 hours, then remove DA with the rollback command ready). Never remove DA before completing discovery.

What is the risk of a service account having Domain Admin rights?

A service account with Domain Admin rights and a registered SPN (Service Principal Name) can be targeted via Kerberoasting: an attacker requests the account's Kerberos service ticket and cracks the password offline. If the password is cracked, the attacker gains full Domain Admin access. The risk compounds because service accounts often have weaker passwords and less frequent rotation than human accounts.

What is a Group Managed Service Account (gMSA) and when should I use it?

A Group Managed Service Account (gMSA) is an Active Directory account type where the password is automatically managed by AD and rotated on a configurable schedule (default 30 days). The password is 120 characters, randomly generated, and never visible to administrators. gMSAs are the correct replacement for human-managed service account passwords in Windows environments: they eliminate password rotation burden, enforce complex passwords, and remove the risk of credential reuse. Use gMSAs for any service running on Windows servers where the service supports gMSA authentication (most Microsoft services, SQL Server, IIS application pools).

How do I find all service accounts in Active Directory?

Service accounts are identified by several characteristics: descriptions containing 'service,' 'svc,' or application names; SPNs (Service Principal Names) registered to the account (Get-ADUser -Filter * -Properties ServicePrincipalName | Where-Object {$_.ServicePrincipalName -ne $null}); passwords set to never expire; and the account being a member of administrative groups. Run: Get-ADUser -Filter {ServicePrincipalNames -like '*'} -Properties ServicePrincipalName, PasswordNeverExpires, MemberOf to identify Kerberoastable accounts with their group memberships.

What is the minimum permission set to grant a service account that currently has Domain Admin?

The answer is application-specific, but the discovery process is the same for all: review the account's 4624 logon events for the past 7 days to identify which servers it authenticates to, then for each server check what the account accesses (Event ID 4663 for file access, 4662 for AD object access, 5145 for share access). Map each access type to the minimum permission: file server access requires NTFS read/write on the specific share, not DA; SQL Server access requires a SQL login with specific database permissions, not DA; domain object access requires delegated permissions on the specific OU, not DA. For services that require replication rights or other AD-level access, use fine-grained delegation via DSACLS rather than Domain Admin group membership.

How do I make the business case to the application team for removing Domain Admin from their service account?

Application teams resist service account privilege reduction because they view it as a security team problem that creates risk for their application availability. The argument that moves application teams is not security rhetoric: it is shared accountability framing paired with a concrete failure scenario. Start by explaining what happens to the application team specifically if the service account is Kerberoasted: an attacker who cracks the hash gains Domain Admin access to the entire environment, and the incident response investigation will identify their application's service account as the entry point for a domain-wide breach. That creates significant organizational visibility for the application team in the wrong context. Then make the migration practical by committing to do the discovery work yourself and delivering a specific list of permissions to replace DA, rather than asking the application team to figure out what they need. Offering to do a parallel test in a staging environment before any production changes removes the main technical objection. Frame the engagement as helping them migrate from an account configuration that puts them at risk to one that does not, rather than as a security audit finding they need to remediate. Set a reasonable timeline tied to a business milestone (the next application release, the next quarterly patch window) rather than demanding immediate action. Application teams that understand the specific risk to their service and have a low-friction migration path will cooperate: those who receive a security ticket with no support and an aggressive deadline will escalate and delay.

Sources & references

  1. Microsoft: Service Account Security Best Practices
  2. Microsoft: Group Managed Service Accounts
  3. CIS Microsoft Windows Server Benchmark

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.