AD service accounts should only have the minimum permissions required to perform their tasks. Avoid assigning excessive privileges, such as making a service account a domain or enterprise administrator, as this can create significant security risks. Restricting permissions helps reduce the attack surface and prevents malicious actors from exploiting over-privileged accounts to move laterally within the network. Regularly audit and refine permissions to ensure accounts are properly restricted.
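One way to run the audit described above, as an added example that is not part of the original page: this PowerShell script lists service accounts that hold Domain Admins or Enterprise Admins membership, directly or through nested groups. It assumes the RSAT ActiveDirectory module, a single domain, and that a "service account" is either a user object with a servicePrincipalName or a managed service account (MSA/gMSA); adjust the filter if your environment identifies service accounts by OU or naming convention.

```powershell
#Requires -Modules ActiveDirectory
# Added example: flag service accounts that hold Domain/Enterprise Admin rights.
# Assumption: "service account" = user object with an SPN, or an MSA/gMSA.
param(
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins')
)

# Matches SPN-bearing user accounts and managed service accounts, but not
# ordinary computer objects (objectCategory keeps those out).
$serviceAccountFilter = '(|' +
    '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))' +
    '(objectCategory=msDS-ManagedServiceAccount)' +
    '(objectCategory=msDS-GroupManagedServiceAccount))'

$findings = foreach ($groupName in $PrivilegedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # Enterprise Admins exists only in the forest root domain

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) resolves nested
    # membership server-side. It does not cover accounts whose *primary group*
    # is the privileged group; check primaryGroupID separately if that matters.
    $inGroup = "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"

    Get-ADObject -LDAPFilter "(&$inGroup$serviceAccountFilter)" `
                 -Properties sAMAccountName, servicePrincipalName |
        ForEach-Object {
            [pscustomobject]@{
                PrivilegedGroup   = $groupName
                Account           = $_.sAMAccountName
                ObjectClass       = $_.ObjectClass
                SPNs              = ($_.servicePrincipalName -join '; ')
                DistinguishedName = $_.DistinguishedName
            }
        }
}

if ($findings) {
    # Each row is a candidate for removal from the group and re-scoping
    # to only the rights the service actually needs.
    $findings | Sort-Object PrivilegedGroup, Account | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No service accounts found in the audited privileged groups.'
}
```

Running it on a schedule and comparing the output between runs shows when a service account has been newly added to a privileged group.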