My Service Account Has Domain Admin Rights. How Do I Remove Them Without Breaking Production?

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The service account has had Domain Admin rights 'since before anyone can remember.' It probably got DA because the software installation guide said to run setup as a domain admin, or because the person who set it up wanted to avoid permission errors. Now it runs a critical service, and nobody knows exactly what it accesses.
Just removing DA will almost certainly break something. But leaving DA in place means every Kerberoasting scan that enumerates the account gives an attacker a path to full domain compromise if they crack the hash.
The safe path requires three phases, each of which is a prerequisite for the next.
Phase 1: Discovery: Find Out What the Account Actually Does
Before touching any permissions, you need to know exactly what the service account accesses. Assume the documentation is wrong or missing: verify against actual usage.
Enable account audit logging for the service account:
In Active Directory, configure detailed auditing for the specific account:
# Find the service account's DN
Get-ADUser -Identity "svc-sql" -Properties DistinguishedName
Then enable 'Audit Directory Service Access' in your Group Policy so any object accessed by this account is logged. This is broad and generates volume: run it for 5-7 business days to capture a full operational cycle including any weekly or monthly scheduled tasks.
Review Windows Security Event ID 4624 (logon) for the account:
# On each domain controller and server where the account might be used
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
Where-Object { $_.Properties[5].Value -eq 'svc-sql' } |
Select-Object TimeCreated, @{N='LogonType';E={$_.Properties[8].Value}}, @{N='SourceIP';E={$_.Properties[18].Value}}
This tells you: which machines the account is authenticating to, what logon type (interactive vs. network vs. service), and at what times. Build a list of every machine and service that uses this account.
Identify what the service actually does with DA rights:
For each machine identified:
- What service or application runs as this account?
- What does that service do: read files, write to a database, query AD, manage other services?
- Does that function actually require DA, or was DA given because the setup guide said so?
Most service accounts with DA rights were given DA for one of three reasons:
- The installer required domain admin credentials (but the service itself does not)
- Someone gave DA to avoid debugging specific permission errors during setup
- The service was migrated from a less secure environment and DA was never revisited
Common operations that do NOT require Domain Admin:
- Reading from a SQL database (requires database-level read rights, not AD rights)
- Writing log files to a file share (requires share/NTFS permissions)
- Querying AD for user attributes (requires read access to specific OU, not DA)
- Running scheduled tasks (requires local admin on the target machine, not DA)
Phase 2: Map Minimum Required Permissions
For each operation you discovered in Phase 1, determine the minimum permission required.
Common permission mappings:
| Operation | What was granted | What is actually required |
|---|---|---|
| Read user attributes from AD | Domain Admin | Read access to specific attribute on target OU (delegated via ADUC) |
| Write to a file server share | Domain Admin | Share permission: Change + NTFS: Modify on specific path |
| Run services on remote machines | Domain Admin | 'Log on as a service' right on specific machines via GPO |
| Query WMI on remote machines | Domain Admin | Remote Management Users group on specific machines |
| Manage print spooler | Domain Admin | Print Operators on specific print servers |
| Backup files from servers | Domain Admin | Backup Operators on specific servers |
Test minimum permissions without removing DA yet:
Create a new test account with only the minimum permissions you mapped:
New-ADUser -Name "svc-sql-test" -SamAccountName "svc-sql-test" -UserPrincipalName "svc-sql-test@domain.com" -AccountPassword (ConvertTo-SecureString 'ComplexP@ssw0rd!' -AsPlainText -Force) -Enabled $true
Grant this test account only the minimum permissions, then verify each operation works correctly using the test account in a non-production environment. This validation step is the difference between a smooth migration and an emergency rollback.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Phase 3: Staged Migration With Rollback Ready
Never remove DA from a production service account without a rollback plan. The rollback plan is simple: restore DA membership. Document the restore command before you execute the migration:
# Rollback command (have this ready before removing DA)
Add-ADGroupMember -Identity "Domain Admins" -Members "svc-sql"
Migration steps:
-
Grant the minimum permissions to the existing
svc-sqlaccount (do not remove DA yet). Add the specific delegated permissions, share permissions, and group memberships identified in Phase 2. -
Restart the dependent services and monitor for errors for 48 hours. Watch application event logs on every machine where the service runs. Any 'Access Denied' or authentication errors surface the permissions you missed.
-
After 48-72 hours with no errors, remove the Domain Admins group membership:
Remove-ADGroupMember -Identity "Domain Admins" -Members "svc-sql" -Confirm:$false
-
Force a Kerberos ticket refresh for the service account: existing TGTs carry the old group memberships for up to 10 hours. Force a logoff or service restart on each machine where the account is used.
-
Monitor for 48 more hours with the DA membership removed. This is the critical window: any missed permission surfaces as an error.
-
If any error appears: restore DA immediately using the rollback command, identify the missed permission, add the specific minimum permission, and repeat the removal after a 24-hour wait.
After successful migration: convert to a Group Managed Service Account (gMSA).
A gMSA is an AD-managed service account with a 120-character randomly generated password that rotates automatically every 30 days. No human ever knows the password, eliminating the Kerberoasting risk and the password management burden entirely.
# Create gMSA
New-ADServiceAccount -Name "gMSA-sql" -DNSHostName "gMSA-sql.domain.com" -PrincipalsAllowedToRetrieveManagedPassword "SERVER01$", "SERVER02$"
# Install on target server
Install-ADServiceAccount -Identity "gMSA-sql"
# Configure the service to use gMSA (use 'domain\gMSA-sql$' as the account, blank password)
The gMSA replaces the original service account permanently. The old account can then be disabled and eventually deleted after a 30-day observation period confirming no dependencies remain.
What to Do If the Service Genuinely Requires Domain Admin
Occasionally, an application legitimately requires domain-level privileges: AD management tools, identity governance platforms, and some backup solutions have legitimate reasons to access AD objects broadly.
If after Phase 1 discovery you find the service actually requires broad AD access, the remediation is not 'give it DA and accept the risk.' The remediation options are:
Option 1: Delegate specific AD permissions rather than using DA group membership. Even if the service needs to read and write many AD objects, it probably does not need all DA capabilities (like adding members to privileged groups or modifying schema). Use AD delegation to grant exactly what is needed without DA group membership.
Option 2: Use Microsoft Entra ID (if applicable). Modern identity governance platforms often have Entra ID connectors that operate with service principal permissions rather than on-premises DA rights.
Option 3: Migrate to an AD Tier 0 account with hardened controls. If DA is genuinely required, the account should be a Tier 0 privileged account subject to Privileged Access Workstation (PAW) requirements: only used from hardened PAW machines, MFA required for any interactive use, all interactive sessions logged and reviewed.
The goal is that no service account with broad AD access also has a Kerberoastable SPN registered. If DA is genuinely required, at minimum remove the SPN so the account cannot be targeted via Kerberoasting: Set-ADUser -Identity "svc-ad-mgmt" -ServicePrincipalNames @{Remove="MSSQLSvc/server:1433"}
The bottom line
Removing Domain Admin from an over-privileged service account safely requires three phases: discover what the account actually accesses by reviewing 5-7 days of authentication logs, map each access requirement to the minimum delegated permission, and migrate with the rollback command documented before you execute. Never remove DA without completing discovery: missed permissions cause production outages. After successful migration, convert to a Group Managed Service Account (gMSA) to eliminate the Kerberoasting risk permanently.
Frequently asked questions
How do I safely remove Domain Admin from a service account?
Follow three phases: discovery (enable authentication logging for the account for 5-7 days to identify every resource it accesses), permission mapping (determine the minimum delegated permissions for each discovered access), and staged migration (grant minimum permissions first, monitor for 48 hours, then remove DA with the rollback command ready). Never remove DA before completing discovery.
What is the risk of a service account having Domain Admin rights?
A service account with Domain Admin rights and a registered SPN (Service Principal Name) can be targeted via Kerberoasting: an attacker requests the account's Kerberos service ticket and cracks the password offline. If the password is cracked, the attacker gains full Domain Admin access. The risk compounds because service accounts often have weaker passwords and less frequent rotation than human accounts.
What is a Group Managed Service Account (gMSA) and when should I use it?
A Group Managed Service Account (gMSA) is an Active Directory account type where the password is automatically managed by AD and rotated on a configurable schedule (default 30 days). The password is 120 characters, randomly generated, and never visible to administrators. gMSAs are the correct replacement for human-managed service account passwords in Windows environments: they eliminate password rotation burden, enforce complex passwords, and remove the risk of credential reuse. Use gMSAs for any service running on Windows servers where the service supports gMSA authentication (most Microsoft services, SQL Server, IIS application pools).
How do I find all service accounts in Active Directory?
Service accounts are identified by several characteristics: descriptions containing 'service,' 'svc,' or application names; SPNs (Service Principal Names) registered to the account (Get-ADUser -Filter * -Properties ServicePrincipalName | Where-Object {$_.ServicePrincipalName -ne $null}); passwords set to never expire; and the account being a member of administrative groups. Run: Get-ADUser -Filter {ServicePrincipalNames -like '*'} -Properties ServicePrincipalName, PasswordNeverExpires, MemberOf to identify Kerberoastable accounts with their group memberships.
What is the minimum permission set to grant a service account that currently has Domain Admin?
The answer is application-specific, but the discovery process is the same for all: review the account's 4624 logon events for the past 7 days to identify which servers it authenticates to, then for each server check what the account accesses (Event ID 4663 for file access, 4662 for AD object access, 5145 for share access). Map each access type to the minimum permission: file server access requires NTFS read/write on the specific share, not DA; SQL Server access requires a SQL login with specific database permissions, not DA; domain object access requires delegated permissions on the specific OU, not DA. For services that require replication rights or other AD-level access, use fine-grained delegation via DSACLS rather than Domain Admin group membership.
How do I make the business case to the application team for removing Domain Admin from their service account?
Application teams resist service account privilege reduction because they view it as a security team problem that creates risk for their application availability. The argument that moves application teams is not security rhetoric: it is shared accountability framing paired with a concrete failure scenario. Start by explaining what happens to the application team specifically if the service account is Kerberoasted: an attacker who cracks the hash gains Domain Admin access to the entire environment, and the incident response investigation will identify their application's service account as the entry point for a domain-wide breach. That creates significant organizational visibility for the application team in the wrong context. Then make the migration practical by committing to do the discovery work yourself and delivering a specific list of permissions to replace DA, rather than asking the application team to figure out what they need. Offering to do a parallel test in a staging environment before any production changes removes the main technical objection. Frame the engagement as helping them migrate from an account configuration that puts them at risk to one that does not, rather than as a security audit finding they need to remediate. Set a reasonable timeline tied to a business milestone (the next application release, the next quarterly patch window) rather than demanding immediate action. Application teams that understand the specific risk to their service and have a low-friction migration path will cooperate: those who receive a security ticket with no support and an aggressive deadline will escalate and delay.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
