Everything works when the service account is a Domain Admin. Nothing works when you remove it. Here is the complete map of what sits in between — learned the hard way.
If you have ever tried to run a monitoring tool against Active Directory domain controllers with a least-privilege service account, you have probably lived this exact sequence: you create a dedicated account, you grant it what every blog post says to grant (a couple of Builtin groups, some WMI namespace rights), and you get Access denied. You add the account to Domain Admins "just to test" — everything works instantly. You remove it — everything breaks again.
At that point, most people leave the account in an admin group and move on. That is how monitoring service accounts become the most attractive lateral-movement targets in the forest: credentials that sit in a scheduled task, touch every DC daily, and hold domain-wide admin rights.
I refused to leave it there while building ADEHM, an agentless AD health m
Discussion
Start the conversation
Your voice can be the first to spark an engaging conversation.