NIST 800-171 • LEVEL 2 • SYSTEM AND COMMUNICATIONS PROTECTION
3.13.3 — Separate User Functionality from System Management Functionality
Separate user functionality from system management functionality.
CMMC Practice Mapping
Assessment Objectives
Assessment objectives not available for this requirement.
Practitioner Notes
Users, including IT staff, should not use the accounts or interfaces they use for day-to-day work (email, browsing, documents) to manage servers, domain controllers, or security tools. Keeping the two separate reduces the blast radius if a day-to-day account is compromised, since the stolen credential carries no management rights.
Example 1: Create separate admin accounts in Active Directory (e.g., j.smith-admin) for IT staff and place them in a dedicated Admin OU with a stricter GPO. Assign the "Deny log on locally" user right to these admin accounts on regular workstations, and assign "Deny log on through Remote Desktop Services" to regular user accounts on servers, so that neither account type can be used on the other's systems.
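A scripted version of Example 1, added here as an illustration and not taken from the page or from any vendor documentation. It uses the ActiveDirectory PowerShell module and assumes hypothetical names: domain example.local, an OU "OU=Admin Accounts,DC=example,DC=local", and a security group "Workstation-DenyLogon" that the workstation GPO's "Deny log on locally" right references. The second function audits privileged groups for members that are not dedicated admin accounts.

```powershell
# Added example (not from the original page). Assumed names: example.local,
# the Admin OU path below, and the Workstation-DenyLogon group.
Import-Module ActiveDirectory

$AdminOU   = 'OU=Admin Accounts,DC=example,DC=local'   # assumed OU with the stricter GPO linked
$DenyGroup = 'Workstation-DenyLogon'                   # assumed; listed in the workstation GPO's "Deny log on locally"

function New-SeparateAdminAccount {
    param(
        [Parameter(Mandatory)][string]$UserSam,          # existing day-to-day account, e.g. j.smith
        [Parameter(Mandatory)][securestring]$Password    # initial password for the new admin account
    )
    $user     = Get-ADUser -Identity $UserSam -Properties GivenName, Surname
    $adminSam = "$UserSam-admin"

    # Separate identity, created directly in the Admin OU so the stricter GPO applies
    New-ADUser -Name "$($user.GivenName) $($user.Surname) (Admin)" `
        -SamAccountName $adminSam `
        -UserPrincipalName "$adminSam@example.local" `
        -Path $AdminOU `
        -AccountPassword $Password `
        -Enabled $true

    # Membership in this group is what the workstation GPO uses to deny local logon
    Add-ADGroupMember -Identity $DenyGroup -Members $adminSam
    return $adminSam
}

# Audit check: members of privileged groups that look like day-to-day accounts
# (not named *-admin, not in the Admin OU, or carrying a mailbox).
function Find-SharedAdminAccounts {
    param([string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators'))
    foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties DistinguishedName, mail |
            Where-Object {
                $_.SamAccountName -notlike '*-admin' -or
                $_.DistinguishedName -notlike "*,$AdminOU" -or
                $_.mail
            } |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, DistinguishedName, mail
    }
}
```

Run Find-SharedAdminAccounts periodically (or from a scheduled task) and treat any row it returns as a finding against this requirement.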
Example 2: In M365, assign the Global Administrator role only to dedicated admin accounts in the Microsoft Entra admin center > Roles and administrators. These accounts should not have mailboxes or be used for daily email. Enable Privileged Identity Management (PIM) so admin roles are activated just-in-time rather than permanently assigned.