The original post: /r/cybersecurity by /u/Equal-Swordfish3662 on 2024-04-12 11:52:44.
I have a question about permissions for admin users in a fairly large organization with over 10,000 users. Currently, we operate with one admin account per person, granting high privileges across various systems like Azure, Intune, and on-premises infrastructure (we are not global admins).
I understand the principle that privileged accounts should refrain from directly accessing regular user workstations to minimize security risks. Thus, my plan is to create separate accounts for different tasks. One account would handle domain-level activities such as managing devices in SCCM, Intune, and LAPS. This account would be configured to deny interactive and network logons, discouraging admins from using it for everyday tasks.
Another account would be designated for routine activities like reading and responding to emails, and creating documents.
However, I’ve encountered an issue regarding file transfers to users’ computers. Currently, admins simply access \\computer1\c$ to transfer files, but under the proposed changes, they wouldn’t have access to this share since only the local admin account would be added to the local administrators group, and accessing shares using the local administrator account is not feasible.
I’m seeking insights on how others have addressed this challenge. My primary concern is the risk of privileged accounts being used on regular user workstations, potentially leaving admin credentials behind on those machines.