
I have some PowerShell scripts which perform some procedures on users in AD, using cmdlets like 'Set-ADAccount', 'Add-ADPrincipalGroupMembership' and things like that; basically, they make changes in AD, in a general context.

I tested and created scheduled tasks on one Domain Controller, which run those scripts on a regular basis as the SYSTEM account. It worked.

Is there any problem with running such scripts as the SYSTEM account?

Is there any difference between running them as SYSTEM and as another domain user with the right permissions?

esserafael

2 Answers


Running as the SYSTEM account on any Windows box is essentially running at the highest privileges available. SYSTEM has the permissions to impersonate users, modify any files, and basically anything else you can think of.

When you run as SYSTEM on a domain controller, this extends to your Active Directory infrastructure as well.

"Best Practices" say to avoid running a task as SYSTEM unless necessary, because of the obscene amount of permissions that task gains. In addition, it is also recommended to avoid running scheduled tasks on a domain controller at all.

There are two main concerns. First, any inadvertent mistake you make when creating your task or script could irrecoverably cripple your entire domain. Second, your entire domain's security then rests upon the integrity of that one script file.

We can't tell you what to do with your environment, and best practices don't apply everywhere. You should do what you need to, but be mindful of the risks.

Hyppy
  • Thanks for the answer. The second concern is enough to make me reconsider the decision. Even if the script is signed, someone *could* just rename the script and put another script with the same name where the task is configured to run it, I guess? That could blow up the entire domain, indeed. About the recommendation to avoid running tasks on DCs, is it about performance or about these security concerns? – esserafael May 14 '15 at 17:10
  • Couldn't edit the comment above, but if someone has permission to modify the location where the script is, can sign scripts and is trusted by the DC, he could blow up the domain by himself. But still, better to prevent than to remediate. – esserafael May 14 '15 at 17:21

For what you want to achieve, you can run it in the context of someone who is a member of Account Operators.

strongline
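One way to act on both answers together, as an added example that is not part of the original thread: register the task under a dedicated account that is a member of Account Operators rather than SYSTEM, and refuse to register it unless the script is signed and its folder cannot be modified by non-admins (the "swap the file" scenario from the comments). The account name, script path and task name are assumptions.

```powershell
# Added example (not from the thread). Registers the AD maintenance task under a dedicated
# low-privilege domain account instead of SYSTEM, and refuses to register it unless the
# script is Authenticode-signed and its folder is writable only by admins/SYSTEM.
# Assumed (constructed) names: CONTOSO\svc-admaint, C:\ADMaint\Set-UserState.ps1.

$ScriptPath = 'C:\ADMaint\Set-UserState.ps1'
$TaskName   = 'AD-UserMaintenance'
$RunAs      = 'CONTOSO\svc-admaint'   # member of Account Operators, not Domain Admins

# Concern 2 of the first answer: the task trusts whatever file sits at $ScriptPath.
# (a) the file must carry a valid signature now...
$sig = Get-AuthenticodeSignature -FilePath $ScriptPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to register task: '$ScriptPath' is not validly signed ($($sig.Status))."
}

# (b) ...and nobody outside Administrators/SYSTEM may modify the folder, which is what the
# 'rename the script and drop another one in its place' scenario in the comments relies on.
$allowedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
$modifyMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$acl = Get-Acl -Path (Split-Path -Path $ScriptPath -Parent)
$badAces = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $modifyMask) -ne 0) -and
    ($allowedWriters -notcontains $_.IdentityReference.Value)
}
if ($badAces) {
    $badAces | ForEach-Object { Write-Warning "$($_.IdentityReference): $($_.FileSystemRights)" }
    throw 'Refusing to register task: non-admin principals can modify the script folder.'
}

# (c) enforce the signature at every run too (-ExecutionPolicy AllSigned), so a later swap of
# the file for an unsigned or tampered one makes the task fail instead of running it.
$action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
              -Argument "-NoProfile -ExecutionPolicy AllSigned -File `"$ScriptPath`""
$trigger  = New-ScheduledTaskTrigger -Daily -At '02:00'
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1)

# The credential is supplied interactively at registration; Task Scheduler stores it so the
# task can run unattended. -RunLevel Limited keeps the task off the elevated token.
$cred = Get-Credential -UserName $RunAs -Message "Password for $RunAs"
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Settings $settings `
    -User $RunAs -Password $cred.GetNetworkCredential().Password -RunLevel Limited -Force
```

The ACL check only looks at explicit rights bits; ACEs granting generic rights (shown as large numeric values) should be reviewed by hand.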