I am using AWS Systems Manager to execute PowerShell scripts on my EC2 Active Directory instance to disable users.
In the PowerShell script, I am assuming a service account to perform the operations for me as such:
# Service account used for the AD operations (plain-text password converted to a SecureString)
$ServiceAccountUsername = "username"
$ServiceAccountPassword = "password" | ConvertTo-SecureString -AsPlainText -Force
$ServiceAccountCredential = New-Object System.Management.Automation.PSCredential($ServiceAccountUsername, $ServiceAccountPassword)
And then later on in the script:
$UserToDisable | Disable-ADAccount -Credential $ServiceAccountCredential
This works well when I am disabling Domain Users on the AD.
If I need to disable a Domain Admin, it fails with the following error:
Set-ADAccountExpiration : Insufficient access rights to perform the operation
I am also not allowed to give my service account Domain Admin rights, as it breaches the security policy of my company.
Is there any way I could disable Domain Admins using this service account? Are there any permissions (except Domain Admin) that I could give to the service account to make this work?
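As an added example (not code from the question above), here is how the same operation can be wrapped so that the service account secret is read from SSM Parameter Store instead of being hardcoded in the script body that Systems Manager ships to the instance, and so that an "Insufficient access rights" failure on one account is reported per user and surfaces as a non-zero exit code to Run Command rather than silently stopping the batch. It assumes the ActiveDirectory module and the AWS Tools for PowerShell (`Get-SSMParameter`) are available on the instance; the parameter names `/ad/svc/username` and `/ad/svc/password` are placeholders.

```powershell
# Added example, not from the original post. Assumes AWS.Tools.SimpleSystemsManagement
# and the ActiveDirectory module are installed on the EC2 instance.

function Get-ServiceAccountCredential {
    param(
        [Parameter(Mandatory)][string]$UsernameParameter,   # e.g. /ad/svc/username (placeholder)
        [Parameter(Mandatory)][string]$PasswordParameter    # e.g. /ad/svc/password (placeholder, SecureString type)
    )
    # Pull the secret from Parameter Store at run time; -WithDecryption decrypts a SecureString parameter.
    $user = (Get-SSMParameter -Name $UsernameParameter).Value
    $pass = (Get-SSMParameter -Name $PasswordParameter -WithDecryption $true).Value |
        ConvertTo-SecureString -AsPlainText -Force
    return New-Object System.Management.Automation.PSCredential($user, $pass)
}

function Disable-UserAccountSafely {
    param(
        [Parameter(Mandatory)][string[]]$Identity,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Returns one result object per requested user so the caller can see exactly which
    # accounts were disabled and which failed (and why), instead of a single opaque error.
    $results = foreach ($id in $Identity) {
        try {
            $account = Get-ADUser -Identity $id -Credential $Credential -ErrorAction Stop
            if (-not $account.Enabled) {
                [pscustomobject]@{ User = $id; Status = 'AlreadyDisabled'; Detail = '' }
                continue
            }
            Disable-ADAccount -Identity $account -Credential $Credential -ErrorAction Stop
            [pscustomobject]@{ User = $id; Status = 'Disabled'; Detail = '' }
        }
        catch {
            # Distinguish a permission failure on the target object from other errors
            # (unknown user, domain controller unreachable, ...).
            $msg = $_.Exception.Message
            $status = if ($msg -match 'Insufficient access rights') { 'AccessDenied' } else { 'Error' }
            [pscustomobject]@{ User = $id; Status = $status; Detail = $msg }
        }
    }
    return $results
}

# Usage from the SSM document: disable the listed users and fail the command if any could not be disabled.
$cred = Get-ServiceAccountCredential -UsernameParameter '/ad/svc/username' -PasswordParameter '/ad/svc/password'
$report = Disable-UserAccountSafely -Identity @('jdoe', 'asmith') -Credential $cred
$report | Format-Table -AutoSize

if ($report | Where-Object { $_.Status -in @('AccessDenied', 'Error') }) {
    # A non-zero exit code marks the Run Command invocation as Failed in the SSM console.
    exit 1
}
```

Keeping the per-user status table in the Run Command output makes it obvious when a run succeeded for ordinary users but was denied on a protected account, which is the situation described in the question.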