I know for best practices we should always give an account least privilege and use that account to run jobs etc. However our windows jobs often require elevated privileges in order to perform the required task.
How do you deal with jobs that must be run with elevated privileges using admin account? Will running the job with local admin be more secure than run with a domain admin account?
Are you sure that the jobs must be run with administrator privileges. Do they really use every single ability delegated by that permission? Using a domain administrator account obviously allows the script administrator access or all of the domain computers (and servers). Also the ability to adjust domain membership and group policy. They might add another account to the domain administrator group for example. Local administrator is a lower privilege and is much safer.
How do I secure the jobs that are run using admin account.
Prevent users from modifying them.
On a server computer with restricted access this is relatively feasible. If the jobs take non-trusted user input, they must be programmed securely to prevent remote code execution style vulnerabilities (not a small topic).
On desktop machines where the user can boot a thumbdrive or even take the hard drive out (evil maid attack) the protection of these scripts is less certain.
