You should strongly consider setting the Account Expires option when creating administrator accounts. There are a couple of reasons for this, but the primary one is to make sure that sensitive accounts don't persist after no one needs them. Note that expiration only refuses new logons after the date you set; it does not disable or delete the account object, so the cleanup step still has to happen. If someone is still using an account that has expired or is about to, it's fairly straightforward to push the Account Expires date out.
In medium and large environments, there are often derelict administrator accounts still present in Active Directory. A derelict account is one that's still enabled even though no one is actually using it. Derelict administrator accounts are dangerous both because they are privileged and because they indicate that no one is paying close attention to what happens with privileged accounts. It's sort of like leaving master keys lying about. Any privileged account that isn't being actively used should at a minimum be disabled and ideally deleted.
The option to configure account expiration is available on the Account tab of the user's properties in Active Directory Users and Computers, as shown in the picture. When instituting a policy where privileged accounts expire, ensure that you do the following:
- Configure a calendar warning to notify you when an account you use is about to expire so that you don’t learn about it at the worst possible time
- Write a script to periodically check for expired accounts. Disable or delete these accounts.
- Ensure that privileged accounts expire on different weeks. You don’t want everyone’s privileged accounts expiring on the same day – unless you enjoy those sorts of shenanigans.
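The three steps above can be scripted. The following PowerShell is an added example, not part of the original text; it assumes the ActiveDirectory RSAT module, a privileged group named Tier0-Admins (a hypothetical name; substitute your own), and a 90-day lifetime. It staggers expiration dates a week apart, reports accounts that expire within the next two weeks, and disables any privileged account that has already expired or has not logged on in 90 days.

```powershell
# Added example: stagger, warn on, and clean up expiring privileged accounts.
# Assumptions (not from the original text): ActiveDirectory module is installed,
# the privileged group is called "Tier0-Admins" (hypothetical), lifetime is 90 days.
Import-Module ActiveDirectory

$PrivilegedGroup = 'Tier0-Admins'   # hypothetical group name, replace with yours
$LifetimeDays    = 90
$WarnDays        = 14
$WhatIf          = $true            # set to $false to actually make changes

# Resolve nested membership to user objects and pull the attributes we need.
$admins = Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties AccountExpirationDate, LastLogonDate, Enabled |
    Sort-Object SamAccountName

# Step 1: give every account without an expiry one, spread across successive
# weeks so they do not all expire on the same day.
$slot = 0
foreach ($admin in $admins) {
    if ($null -eq $admin.AccountExpirationDate) {
        $expiry = (Get-Date).Date.AddDays($LifetimeDays + 7 * ($slot % 8))
        Set-ADAccountExpiration -Identity $admin -DateTime $expiry -WhatIf:$WhatIf
        $slot++
    }
}

# Step 2: the "calendar warning" - list privileged accounts expiring within $WarnDays.
# Feed this to email, a ticket, or a scheduled task so nobody finds out at 2 a.m.
Search-ADAccount -AccountExpiring -TimeSpan (New-TimeSpan -Days $WarnDays) -UsersOnly |
    Where-Object { $_.SamAccountName -in $admins.SamAccountName } |
    Select-Object SamAccountName, AccountExpirationDate |
    Format-Table -AutoSize

# Step 3: disable privileged accounts that have expired but are still enabled.
# Expiration blocks logons but leaves the object enabled, so this is the cleanup.
Search-ADAccount -AccountExpired -UsersOnly |
    Where-Object { $_.Enabled -and ($_.SamAccountName -in $admins.SamAccountName) } |
    ForEach-Object {
        Write-Host "Disabling expired privileged account $($_.SamAccountName)"
        Disable-ADAccount -Identity $_ -WhatIf:$WhatIf
    }

# Step 3b: derelict accounts - enabled, not expired, but unused for $LifetimeDays.
# LastLogonDate comes from lastLogonTimestamp, which replicates with a lag of up to
# 14 days, so treat the cutoff as approximate rather than exact.
$cutoff = (Get-Date).AddDays(-$LifetimeDays)
$admins |
    Where-Object { $_.Enabled -and $_.LastLogonDate -and ($_.LastLogonDate -lt $cutoff) } |
    ForEach-Object {
        Write-Host "Disabling derelict privileged account $($_.SamAccountName) (last logon $($_.LastLogonDate))"
        Disable-ADAccount -Identity $_ -WhatIf:$WhatIf
    }
```

Run it first with $WhatIf left at $true to see what would change, then schedule it with $WhatIf set to $false. Accounts that have never logged on have no LastLogonDate and are skipped by the derelict check, so review those by hand.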
Most organizations have some sort of policy related to privileged accounts. In reality, what the policy says and what actually happens are often two different things. Configuring expiration won't stop privileged accounts from being compromised. It will, however, shorten the window in which a forgotten account can be abused and force someone to look at each account periodically, and security isn't about making attacks impossible, just making them substantially less likely to succeed.