If you’re a network admin, think of the power and access your network admin account has.
It used to be fairly common for a Network Administrator or IT Technician to set their user account up with full Domain Admin rights over their Active Directory domain. They would then use this account for their day-to-day emails and for basic fault fixing on countless computers each week.
Think about that for a moment; access to all files, all personal details, DNS, DHCP, the wireless networks… everything. They might have a hybrid Microsoft 365 environment too, with the same password used to access SharePoint, OneDrive, Exchange.
What if that account became compromised? It really doesn’t bear thinking about.
This practice has thankfully died out over the last decade or so, but we still come across it.
If you’re an admin and you’ve got your network and servers locked down as tightly as possible, you’ve got your firewall in place and you’ve got your user’s access restricted perfectly, why jeopardise it all by giving yourself full admin rights and becoming an ‘Insider Threat‘ yourself?
All it takes is for someone to get hold of your password as you log in to a computer on-site or whilst you’re using public wifi somewhere. You might even come across an unscrupulous employee/student/visitor who decides to set up a keylogger and you’ve lost everything.
You are the admin, you have the power to ensure you don’t become a threat to your own network. It’s only laziness or lack of understanding which would allow it to happen.
We’ve worked in schools before where students INSIDE your network are a far greater threat than anyone on the outside. We’ve seen employees have their passwords stolen and ‘curiosity’ leading IT-savvy students to try their luck.
In our opinion it is far safer if you keep a domain admin account safely locked away somewhere, just in case you ever fall off the face of the earth. Your own account should only have the access it needs to get your day-job done.
You may end up using one or two admin accounts with fewer privileges, with access to various parts of the network, but none of them would have full access to everything. If one of them becomes compromised, at least you’ve only put a small part of the network at risk.
Think of it like a series of bubbles, one containing users’ files, one containing emails, one containing your servers, etc… if a bubble is going to get popped, you’re better off losing one of many smaller bubbles than one great big one containing everything.
You should also delegate your rights over the computers and user accounts you need to be able to manage within Active Directory. Do you only need to manager certain users and groups? Do you only create computer accounts in a particular OU?