I'm currently working on tightening security by reviewing which accounts are members of the 'Domain Admins' group in our Active Directory. We have a lot of these accounts, mostly service accounts that perform specific tasks such as reading from a SQL database on a server named sqldb01 and running a script that exports data to an Excel file on fileserver2.
These service accounts have complex passwords that never expire, and we securely store them in our password safe. Normally, we assign these accounts the necessary database access and file permissions on the fileserver, but it seems they only work if we make them domain admins, which we want to avoid.
I'm looking for guidance on how to accurately determine the permissions needed for each service account. Ideally, I want a way to track the actions of these service accounts during their operations to troubleshoot where they get blocked and understand why.
4 Answers
There's a misunderstanding here. No service account should ever need domain admin rights, so let's avoid that route! Instead, focus on giving precise permissions based on the service's executing context. Ideally, try using a Group Service Managed Account (GSMA) for this. If not possible, make sure to set permissions for the service’s user context correctly.
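To put that answer into practice, here is an added PowerShell example (not code from anyone in this thread). The first part lists every user in Domain Admins and flags the ones that look like service identities (never-expiring password or a registered SPN), which is the clean-up list. The second part creates a gMSA that only sqldb01 may retrieve, as the alternative suggested above. It assumes the RSAT ActiveDirectory module, a forest that already has a KDS root key, and placeholder names `svc-export` and `corp.example`.

```powershell
# Added example, not from the original thread. Requires RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DomainAdminServiceAccounts {
    param([string]$GroupName = 'Domain Admins')

    # -Recursive expands nested groups; for very large groups fall back to
    # Get-ADGroup ... -Properties Members, since Get-ADGroupMember has a size limit.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName `
                    -Properties PasswordNeverExpires, ServicePrincipalName, LastLogonDate, Description
            [pscustomobject]@{
                SamAccountName       = $u.SamAccountName
                PasswordNeverExpires = $u.PasswordNeverExpires
                HasSPN               = ($u.ServicePrincipalName.Count -gt 0)
                LastLogonDate        = $u.LastLogonDate
                Description          = $u.Description
                # Heuristic: a never-expiring password or an SPN normally means a
                # service identity, which does not belong in this group at all.
                LikelyServiceAccount = ($u.PasswordNeverExpires -or $u.ServicePrincipalName.Count -gt 0)
            }
        }
}

Get-DomainAdminServiceAccounts |
    Sort-Object LikelyServiceAccount -Descending |
    Format-Table SamAccountName, LikelyServiceAccount, PasswordNeverExpires, HasSPN, LastLogonDate -AutoSize

# Replacement for one of those accounts: a gMSA whose password AD rotates itself
# and that only the SQL host from the question (sqldb01) is allowed to retrieve.
# 'svc-export' and 'corp.example' are placeholders.
# One-time per forest, if not already done:  Add-KdsRootKey -EffectiveImmediately
New-ADServiceAccount -Name 'svc-export' `
    -DNSHostName 'svc-export.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'sqldb01$' `
    -Enabled $true

# Then, on sqldb01 itself:
#   Install-ADServiceAccount -Identity 'svc-export'
#   Test-ADServiceAccount    -Identity 'svc-export'     # should return True
# and set the service or scheduled task to run as CORP\svc-export$ with an empty password.
```

Once the gMSA exists, the permissions it needs on the database and the file share are granted to `CORP\svc-export$` exactly as they would be to a normal account; the difference is that nobody knows the password and no password safe entry is needed.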
Hmm... not sure what else to add, but I feel for you; permission issues can get really complicated!
For the task you've described, the service account should need read and connect permissions on the SQL database. Also, don’t forget that it needs write access on the specific Excel file to export data properly. This is the essential starting point.
Just a heads up, depending on the application, your service account might need access to local folders as well. Granting local admin privileges to the service account can be a quick fix, although it’s not the best for security. Also, check if it needs access to specific files or folders on other servers to avoid issues.
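The two answers above describe three separate grants: read and connect on the database, write access to the export location, and access to any local folders the application uses. Here they are as one added PowerShell example (not code from either answerer). It assumes the SqlServer module for `Invoke-Sqlcmd`, the host names from the question (sqldb01, fileserver2), and placeholder names `CORP\svc-export$`, `ExportDB`, the `exports` share and the `C:\ExportJob\...` folders.

```powershell
# Added example, not from the original thread. Requires the SqlServer module.
Import-Module SqlServer

$Account  = 'CORP\svc-export$'   # placeholder: the service account (here a gMSA)
$Database = 'ExportDB'           # placeholder: the database the job reads

# 1. sqldb01: a Windows login, CONNECT, and read-only data access.
#    db_datareader grants SELECT on every user table; if the job only reads a few
#    tables, replace it with GRANT SELECT ON OBJECT::dbo.TableName TO [...] instead.
$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Account')
    CREATE LOGIN [$Account] FROM WINDOWS;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Account')
    CREATE USER [$Account] FOR LOGIN [$Account];
GRANT CONNECT TO [$Account];
ALTER ROLE db_datareader ADD MEMBER [$Account];
"@
Invoke-Sqlcmd -ServerInstance 'sqldb01' -Database 'master' -Query $grant

# 2. fileserver2: Modify on the export folder only, inherited by the files the job
#    creates, and nothing else on the share. Modify is enough to create and overwrite
#    the Excel file; Full Control would also let the account change permissions.
function Grant-FolderModify {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}
Grant-FolderModify -Path '\\fileserver2\exports' -Identity $Account
# Share permissions are checked as well as NTFS; on fileserver2 run:
#   Grant-SmbShareAccess -Name 'exports' -AccountName $Account -AccessRight Change -Force

# 3. The job host: the local folders the application itself touches (the point made
#    in the second answer), granted one folder at a time instead of local Administrators.
foreach ($local in @('C:\ExportJob\work', 'C:\ExportJob\logs')) {
    Grant-FolderModify -Path $local -Identity $Account
}
```

The effective set is then: CONNECT plus db_datareader on one database, Modify on one share folder, Modify on the job's own working folders. If the job still fails with exactly this set, the missing right is somewhere outside these three places, which is what the auditing approach is for.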
We already have those permissions set up, but it still doesn’t work. It’s confusing because it seems like there’s always some permission missing unless we give the account domain admin access, which isn’t what we want to keep doing. I suspect it might be getting hung up due to permissions we just can’t pinpoint.
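For the "some permission is missing but we can't pinpoint it" situation, the Security log can tell you which object the account was refused on. Below is an added PowerShell example (not from the asker or any answerer) that enables failure auditing for files, registry and file shares, then collects every audit-failure event for one account and groups it by object and requested access. Run it on the machine where the failure actually happens (the job host, sqldb01 or fileserver2), since each machine logs only its own denials. It assumes rights to read the Security log and uses `svc-export` as a placeholder account name.

```powershell
# Added example, not from the original thread.
$Account = 'svc-export'   # placeholder: SamAccountName only, without the domain prefix

# One-time: log failed access attempts. File System and Registry events are only
# written for objects that carry an audit (SACL) entry; 5145 (Detailed File Share)
# is written for every share access check and needs no SACL, which makes it the
# quickest way to see denials on fileserver2.
& auditpol.exe /set /subcategory:"File System"          /failure:enable
& auditpol.exe /set /subcategory:"Registry"             /failure:enable
& auditpol.exe /set /subcategory:"Detailed File Share"  /failure:enable

function Get-ServiceAccountDenials {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    # 4656 = handle to an object requested, 4663 = object accessed,
    # 5145 = network share object checked. Keywords 0x10000000000000 = Audit Failure.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4656, 4663, 5145
        StartTime = $Since
        Keywords  = 0x10000000000000
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['SubjectUserName'] -ne $SamAccountName) { continue }

        $object = if ($e.Id -eq 5145) { $d['ShareName'] + $d['RelativeTargetName'] } else { $d['ObjectName'] }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            EventId    = $e.Id
            Process    = $d['ProcessName']
            Object     = $object
            AccessMask = $d['AccessMask']   # hex mask of the rights that were requested
        }
    }
}

# Most frequently denied object first: that is usually the permission you are missing.
Get-ServiceAccountDenials -SamAccountName $Account |
    Group-Object Object, AccessMask |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Reproduce the failure once with the account still out of Domain Admins, then run the query; the object names come back as full paths (or registry keys), so the fix is a targeted ACL entry rather than a group membership. If nothing is logged at all, the block is happening on a different machine than the one you are querying, or the object in question has no SACL yet, in which case Process Monitor filtered on the account's process and an ACCESS DENIED result gives the same answer locally.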