Campus Active Directory - Guidance on Privileged Account Review
Active Directory Security - Guidance on Account Review
Privileged Group Audit
Evaluate the membership of the Administrators, Domain Admins, Enterprise Admins and Schema Admins privileged groups. Accounts in these groups should be dedicated accounts, distinct from any other type of delegated account. Any service accounts (non-person logins) in these groups should be justified by the domain owner. Microsoft recommends no more than two accounts in the Domain Admins group. Accounts should be members of Enterprise Admins and Schema Admins only for the duration those rights are needed and should be removed when they are no longer needed.
# List the direct user members of every protected (adminCount=1) group.
# Note: adminCount stays set to 1 after an account leaves a protected group, so
# this filter can over-report; verify each hit against current membership.
Import-Module ActiveDirectory
$privobjects = Get-ADObject -LDAPFilter "(admincount=1)"
foreach ($n in $privobjects) {
    if ($n.ObjectClass -eq "group") {
        # Identify the group by DN, not Name; add -Recursive to expand nested groups
        $ppl = Get-ADGroupMember -Identity $n.DistinguishedName |
               Where-Object { $_.objectClass -eq "user" } |
               Select-Object -ExpandProperty Name
        [PSCustomObject] @{
            PrivilegedGroup = $n.Name
            User            = ($ppl -join ", ")
        }
    }
}
Separation of IT Admin Accounts
IT administrators should use separate accounts for standard logins, workstation elevation, and domain administration. Ensure these accounts have separate passwords. For workstation elevation, Windows LAPS is preferred for local administrator account password security.
Service Accounts
Ensure non-person accounts are properly documented, either within the user object attributes or in a separate document. We recommend using a distinct service account for each application or service so that least privilege can be applied to each account and to aid in logging. Disable or remove service accounts that are no longer in use. Look at the LastLogonTimestamp on accounts to evaluate when the account was last in use. If there is uncertainty whether an account is active and the LastLogonTimestamp is older than one year, we recommend disabling the account.
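The LastLogonTimestamp review described above, as an added example that is not part of the original page. It assumes service accounts are kept under a dedicated OU (the SearchBase value is an assumption) and reports enabled accounts whose last use is older than the cutoff, including accounts that never logged on but were created before the cutoff; the disable step runs with -WhatIf so nothing changes until the domain owner confirms.

```powershell
Import-Module ActiveDirectory

function Get-StaleServiceAccount {
    param(
        # Assumption: service accounts live in this OU; adjust to your domain
        [string]$SearchBase = 'OU=Service Accounts,DC=example,DC=edu',
        [int]$InactiveDays = 365
    )
    # lastLogonTimestamp is a FILETIME that replicates only when it is more than
    # about 14 days stale, so the reported date is approximate, not exact.
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } `
               -Properties LastLogonTimestamp, WhenCreated, Description |
    ForEach-Object {
        $neverUsed = -not $_.LastLogonTimestamp
        if ($neverUsed) {
            # Edge case: never logged on; stale only if created before the cutoff
            $stale = $_.WhenCreated -lt $cutoff
            $lastUseText = 'never'
        } else {
            $lastUse = [DateTime]::FromFileTime($_.LastLogonTimestamp)
            $stale = $lastUse -lt $cutoff
            $lastUseText = $lastUse.ToString('yyyy-MM-dd')
        }
        if ($stale) {
            [PSCustomObject] @{
                SamAccountName    = $_.SamAccountName
                LastLogon         = $lastUseText
                Created           = $_.WhenCreated.ToString('yyyy-MM-dd')
                # Page asks that non-person accounts be documented in attributes
                Documented        = [bool]$_.Description
                DistinguishedName = $_.DistinguishedName
            }
        }
    }
}

# Review the report first, then disable once the owner has confirmed.
$stale = Get-StaleServiceAccount
$stale | Format-Table SamAccountName, LastLogon, Created, Documented -AutoSize
$stale | ForEach-Object {
    Disable-ADAccount -Identity $_.DistinguishedName -WhatIf
}
```

Remove -WhatIf only after the domain owner has reviewed the list; undocumented accounts (Documented = False) are the ones to chase down first.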