Highly privileged accounts can cause a lot of damage and do a lot of good. There is a tricky balancing act between giving IT users too much privilege and not enough. On one hand, they need enough privilege to do their job; on the other, that same privilege lets them cause mischief (such as accidentally deleting an OU, which is a real example).
I have seen extremes, from one out-of-business retailer that let every user have access to Active Directory Users & Computers (ADUC) to minimize help desk calls, to a very successful international bank that has pretty much shut down ADUC in favor of granular, rights-based self-service delegation through empowerID.
That second use case is the one I want to talk about. Not just for ADUC, but for all resources to which you want to control access through RBAC (role-based access control) or ABAC (attribute-based access control). One of my go-to sayings is: "what you can't automate, delegate."
Let's start with Active Directory. IT needs to create accounts, groups, computers and other objects in AD. The problem with AD and ADUC is that one size fits all. The same user who can create a group can also create a user or delete an OU. You have to shut that thing down.
With a delegated Active Directory self-service system, you can give specific roles the right to create, modify or delete only certain AD objects. You can get granular enough that a user can manage only their direct reports, or only certain attributes in their own profile. And you can put workflow approvals on any change, routed according to who made the request (rights-based approval routing).
What about users wanting to join groups? Same thing: create a form for users to request access to a group and send it through the appropriate approvals. Depending on the group or the user requesting access, maybe even auto-approve it.
Why even stop there? Most users are joining groups to have access to a file or folder. Use a self service page to request access to that resource and have empowerID map what group that user needs to be in.
But that's not the key here. The key is that when privileged access to a role or group is requested, don't just grant it for eternity. Temporary privileged access keeps that user from holding permanent access to the role or resource. Put a time limit on the user's privileged access. Limit the exposure.
Another useful tool is to require multi-factor authentication (MFA) when the user attempts to use the access. Before you allow it, require them to authenticate with an SMS text to a known device, or with identity proofing based on something only they will know.
The idea is that many users need privileged access to do their job. But give them this access only when they need it. If they must have it permanently, ensure it is really them by requiring MFA upon use. Try to shut down any systems with all-or-nothing access, and create an identity policy and system that gives users another, more secure route to that access.
And, lastly, track this stuff. If you know when and for how long a user had privileged access and what user or policy granted this access, you have the audit trail to prove that you are keeping your corporate valuables safe and secure.
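As an added example of the time-limited grant described above together with the audit trail, this is not empowerID's mechanism but Active Directory's own time-bound group membership (the Privileged Access Management optional feature, Windows Server 2016 forest level or later). The domain `contoso.local`, the user `jdoe` and the four-hour window are assumed values.

```powershell
# Added example (not from the original post): native AD time-bound membership.
# Assumes domain contoso.local, user jdoe, forest level Windows Server 2016+.
Import-Module ActiveDirectory

$Domain = 'contoso.local'         # assumed domain
$User   = 'jdoe'                  # assumed requesting user
$Group  = 'Domain Admins'         # privileged group the request is scoped to
$Ttl    = New-TimeSpan -Hours 4   # how long the access should last

# 1. One-time, forest-wide: enable the PAM optional feature (cannot be disabled again).
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet -Target $Domain
}

# 2. Grant: the membership link carries a TTL and AD removes it automatically,
#    so there is nothing for an admin to remember to revoke later.
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $Ttl

# 3. Check: list members that still have a TTL (values look like "<TTL=14399,CN=jdoe,...>").
(Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member |
    Where-Object { $_ -like '<TTL=*' }

# 4. Audit trail: who added whom to the group, and when. Security event 4728 is
#    "member added to a security-enabled global group"; run on a domain controller
#    with account-management auditing enabled. Field order follows the 4728 schema.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4728 } -MaxEvents 20 |
    Select-Object TimeCreated,
        @{ n = 'Member'; e = { $_.Properties[0].Value } },
        @{ n = 'Group';  e = { $_.Properties[2].Value } },
        @{ n = 'By';     e = { $_.Properties[6].Value } }
```

The TTL check and the 4728 query together give the "when, for how long, and who granted it" record the paragraph above asks for; the approval routing and MFA-on-use steps still belong to the delegation layer in front of AD.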
Take a look at our whitepaper on replacing ADUC and/or request a demonstration on how to reduce privileged access in your environment.