Intermediate

Least Privilege & Just Enough Admin

Least privilege means giving every account exactly the permissions it needs to do its job — no more, no less — and Just Enough Administration (JEA) enforces this at the PowerShell level.

In many organizations, IT staff are given Domain Admin rights "just in case" they need them. Every one of those accounts is then a direct path to full domain compromise: steal one credential, and you own the whole domain. Least privilege flips this: instead of "give everything, restrict later," you start with zero access and add only what is needed. A helpdesk person who resets passwords gets password-reset rights only, not Domain Admin. An application gets read access to its own OU, not the entire directory. Microsoft's Just Enough Administration (JEA) takes this further by creating restricted PowerShell endpoints on which admins can run only pre-approved commands, with only pre-approved parameters, while the connecting account never holds the underlying rights itself.
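The restricted endpoint described above, built for the helpdesk password-reset case, as an added example that is not code from the original page. The domain name CONTOSO, the group Helpdesk, the module name JEAHelpdesk, the endpoint name Helpdesk and the transcript folder are all assumptions; it goes slightly beyond the text by also constraining the parameters each allowed cmdlet accepts. Run it elevated on a domain-joined server that has the ActiveDirectory RSAT module installed.

```powershell
# Added example (not from the original page): a JEA endpoint that lets the assumed
# CONTOSO\Helpdesk group reset and unlock user accounts, and nothing else.
# Assumed names: domain CONTOSO, group Helpdesk, module JEAHelpdesk, endpoint "Helpdesk".

# Role capability files are only discovered inside a RoleCapabilities folder of a
# module on $env:PSModulePath, so create a minimal module to hold it.
$ModuleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JEAHelpdesk'
$RoleDir    = Join-Path $ModuleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $RoleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $ModuleRoot 'JEAHelpdesk.psd1')

# 1. Role capability: the allow-list of what the helpdesk may run. Everything not
#    listed is invisible inside the endpoint (no Set-ADUser, no Add-ADGroupMember,
#    no Invoke-Expression). -Identity is pinned to a plain sAMAccountName, which
#    blocks targeting by distinguished name and the wildcard '*'.
$samPattern = '^[A-Za-z0-9._-]{1,20}$'
$roleParams = @{
    Path            = Join-Path $RoleDir 'HelpdeskPasswordReset.psrc'
    ModulesToImport = 'ActiveDirectory'
    VisibleCmdlets  = @(
        @{ Name = 'Set-ADAccountPassword'
           Parameters = @{ Name = 'Identity'; ValidatePattern = $samPattern },
                        @{ Name = 'Reset' },
                        @{ Name = 'NewPassword' } },
        @{ Name = 'Unlock-ADAccount'
           Parameters = @{ Name = 'Identity'; ValidatePattern = $samPattern } },
        @{ Name = 'Get-ADUser'
           Parameters = @{ Name = 'Identity'; ValidatePattern = $samPattern },
                        @{ Name = 'Properties' } }
    )
}
New-PSRoleCapabilityFile @roleParams

# 2. Session configuration: maps the AD group to the role and locks the endpoint down.
$sessionParams = @{
    Path                = Join-Path $ModuleRoot 'Helpdesk.pssc'
    SessionType         = 'RestrictedRemoteServer'   # NoLanguage mode: only the listed commands
    RunAsVirtualAccount = $true                      # commands run as a temporary local admin account,
                                                     # so the connecting user never holds the rights
    TranscriptDirectory = 'C:\JEATranscripts'        # assumed path; every session is recorded here
    RoleDefinitions     = @{
        'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'HelpdeskPasswordReset' }
    }
}
New-PSSessionConfigurationFile @sessionParams
if (-not (Test-PSSessionConfigurationFile -Path $sessionParams.Path)) {
    throw "Session configuration file failed validation: $($sessionParams.Path)"
}

# 3. Register the endpoint (this restarts the WinRM service).
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $sessionParams.Path -Force | Out-Null

# 4. Verify as a member of CONTOSO\Helpdesk: Get-Command inside the session lists only
#    the three cmdlets above plus the handful of built-ins JEA always exposes
#    (Get-Command, Get-Help, Select-Object, Measure-Object, Out-Default, Clear-Host,
#    Exit-PSSession). Set-ADAccountPassword -Reset with no -NewPassword prompts for
#    the new password, and the prompt is relayed to the client.
Enter-PSSession -ComputerName localhost -ConfigurationName Helpdesk
# [localhost]: PS> Get-Command
# [localhost]: PS> Set-ADAccountPassword -Identity jdoe -Reset
# [localhost]: PS> Exit-PSSession
```

Two caveats a practitioner will hit. First, a virtual account is a local administrator on the JEA server but authenticates to the directory as the server's computer account, so the Reset Password right still has to be delegated in AD to that computer account (or switch to -GroupManagedServiceAccount and delegate to the gMSA); JEA limits which commands can be typed, the directory ACL limits which objects they can touch. Second, the allow-list is per cmdlet and per parameter, so review the -Properties list on Get-ADUser and the ValidatePattern on every -Identity whenever the role file changes: a loose pattern is the usual way such an endpoint quietly widens.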

At a well-run hotel, your keycard opens your room and the pool, but not other guests' rooms, the kitchen, or the manager's office. The front desk staff can access check-in systems but not the financial safe. The manager's master key is locked in a vault and only used in emergencies. Least privilege in AD works the same way: every account gets a keycard that opens only the doors it absolutely needs.

Key Takeaways

  1. Start with zero access and add only necessary permissions — never the reverse.
  2. Remove unnecessary Domain Admin, Enterprise Admin, and Schema Admin memberships.
  3. Use Delegation of Control to assign granular permissions at the OU level.
  4. JEA provides restricted PowerShell endpoints where admins run only approved commands.
  5. Combine with JIT access (time-limited elevation) to eliminate standing admin rights.

Why Should I Care?
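Takeaways 2 and 3 in working form, as an added example that is not code from the original page: first list the user accounts that hold standing membership in the high-privilege groups, then delegate just the Reset Password right and write access to lockoutTime (what Unlock-ADAccount needs) on user objects in one OU. The domain contoso.com, the OU Staff and the group Helpdesk are assumptions; the schema and extended-right GUIDs are looked up from the forest rather than hard-coded. Run it as an account that may edit the OU's ACL.

```powershell
# Added example (not from the original page). Assumed names: OU=Staff,DC=contoso,DC=com
# and the group Helpdesk. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# --- Takeaway 2: who holds standing membership in the groups this delegation replaces? ---
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$standingAdmins = foreach ($g in $privileged) {
    # Enterprise/Schema Admins exist only in the forest root; ignore the lookup error elsewhere.
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { [pscustomobject]@{ Group = $g; Member = $_.SamAccountName } }
}
$standingAdmins | Sort-Object Group, Member | Format-Table -AutoSize
# Every helpdesk account that appears above should be removed once the OU delegation
# below is in place; the delegation is the replacement, not an addition.

# --- Takeaway 3: granular delegation at the OU level ---
$ouDN  = 'OU=Staff,DC=contoso,DC=com'
$group = Get-ADGroup -Identity 'Helpdesk'
$sid   = [System.Security.Principal.SecurityIdentifier] $group.SID

# Resolve the GUIDs from this forest's schema and configuration partitions.
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext
$userClassGuid = [guid] (Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' `
                    -Properties schemaIDGUID).schemaIDGUID
$lockoutTimeGuid = [guid] (Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=lockoutTime)' `
                    -Properties schemaIDGUID).schemaIDGUID
$resetPasswordGuid = [guid] (Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
                    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$descendants = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rights      = [System.DirectoryServices.ActiveDirectoryRights]

$acl = Get-Acl -Path "AD:\$ouDN"

# ACE 1: the Reset Password control access right, but only on descendant user objects.
# Scoping to the user class means the group cannot reset computer or gMSA passwords here.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::ExtendedRight, $allow, $resetPasswordGuid, $descendants, $userClassGuid)))

# ACE 2: read/write on the single attribute lockoutTime, again only on descendant users.
# This is the minimum Unlock-ADAccount needs; it is not "write all properties".
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow,
    $lockoutTimeGuid, $descendants, $userClassGuid)))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: exactly two ACEs for the group, both object-scoped and inherited to users only.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like '*\Helpdesk' } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

This grants less than the Delegation of Control Wizard's "Reset user passwords and force password change at next logon" preset, which additionally writes pwdLastSet; add a third ACE on that attribute only if the helpdesk really needs to force a change at next logon. Note also that the delegation protects only objects under OU=Staff: accounts in the Users container or in the protected groups are covered by AdminSDHolder, whose ACL is re-applied periodically, so a delegation there would be silently undone, which is the intended behaviour.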

Every unnecessary admin account is an attack surface. Least privilege shrinks the blast radius of any compromise: even if an attacker gets a credential, they get only limited access instead of domain-wide control.

Sources

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.