The Ultimate Guide to Non-Human Identities Report
NHI Forum


The Orphaned Admin Account That Refused to Die 🕵️‍♀️


(@b-sameer2)
Active Member
Joined: 1 month ago
Posts: 3
Topic starter  

The Orphaned Admin Account That Refused to Die 🕵️‍♀️

This case came to light during a routine review after a merger between two mid-sized enterprises — each operating with its own IAM framework, legacy HR platforms, and separate Active Directory structures. As part of the initial integration phase, a service account — svc_hrlegacyadmin — was created to support data exchange between the old HR system and a newly established enterprise data hub.

The intention was for it to be temporary. It was granted Domain Admin privileges to streamline troubleshooting during the test phase. But due to delays, shifting priorities, and incomplete documentation, the account quietly slipped through the cracks.

🔍 Where things went wrong:

  • The account was created manually by a developer with direct permissions — outside of any automated provisioning flow or change ticket.

  • Ownership was never assigned in HRIS or in Active Directory, so it didn’t appear in ownership reports or lifecycle certification processes.

  • Metadata classification tagged it incorrectly as a non-privileged technical account, which excluded it from regular review cycles.

  • It was not enrolled in MFA or rotated through a password vault.

  • A legacy Windows 2012 R2 server was still calling the account through a scheduled task script — even after the developer left and the application had been largely deprecated.

📅 Roughly six months after the merger, a Red Team simulation triggered alerts for unusual lateral movement across tiered systems. While there was no actual compromise, further investigation uncovered the svc_hrlegacyadmin account still had elevated rights, was active in multiple systems, and was never certified post-merger.

It had continued operating for over 18 months beyond its intended life span. No one noticed because, in effect, no one was responsible for it.

💡 Takeaways from this incident:

  • Non-Human Identities (NHIs) must be integrated into ILM with the same scrutiny as workforce identities — especially in cross-domain environments.

  • Every identity should have a designated owner, assigned at creation, and reviewed during every access recertification cycle.

  • Privileged accounts — even “temporary” ones — must go through PAM onboarding and be logged, vaulted, and monitored.

  • During major transitions (like M&A or cloud migration), legacy assumptions can create major security blind spots if controls aren't enforced consistently.

🔐 Lesson Learned: Just because an account isn't visible in daily operations doesn’t mean it's harmless. The absence of ownership and governance allowed a high-risk identity to persist far too long — and it took a simulation, not real-time monitoring, to finally flag it.

This topic was modified 5 days ago 2 times by Mr NHI

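The conditions in the "where things went wrong" list above can be audited directly against Active Directory. The script below is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed, that the organisation records account ownership in the AD "Manager" attribute, and that service accounts follow an assumed `svc_` naming convention.

```powershell
# Added example (not from the original post): audit Domain Admins for the
# conditions described in the thread. Assumes the RSAT ActiveDirectory module
# and that the AD "Manager" attribute is where ownership is recorded.
Import-Module ActiveDirectory

$StaleDays = 90   # a password older than this without rotation is flagged

# Recursive expansion catches accounts nested inside other groups.
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$findings = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties `
        Manager, Description, PasswordLastSet, LastLogonDate,
        PasswordNeverExpires, ServicePrincipalName, whenCreated

    # Heuristic for "looks like a service account": svc_ prefix (assumed
    # naming convention) or a registered SPN.
    $looksLikeService = ($u.SamAccountName -like 'svc_*') -or
                        ($u.ServicePrincipalName.Count -gt 0)

    [pscustomobject]@{
        Account              = $u.SamAccountName
        Created              = $u.whenCreated
        LooksLikeService     = $looksLikeService
        NoOwner              = [string]::IsNullOrEmpty($u.Manager)
        NoDescription        = [string]::IsNullOrEmpty($u.Description)
        PasswordNeverExpires = $u.PasswordNeverExpires
        StalePassword        = ($u.PasswordLastSet -lt (Get-Date).AddDays(-$StaleDays))
        # A logon in the last 30 days means something (for example a
        # scheduled task) is still calling the account.
        RecentlyUsed         = ($u.LastLogonDate -gt (Get-Date).AddDays(-30))
    }
}

# The svc_hrlegacyadmin pattern: a service-style account with no owner that
# is still logging on. These rows go to the top of the recertification list.
$findings |
    Where-Object { $_.LooksLikeService -and $_.NoOwner -and $_.RecentlyUsed } |
    Format-Table -AutoSize

# Full picture for the access review ticket.
$findings | Export-Csv -NoTypeInformation -Path .\domain-admins-audit.csv
```

Run it under an account with read access to the directory; it changes nothing, it only reports.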
(@lalit)
Member Admin
Joined: 2 months ago
Posts: 25
 

Amazing and scary story Sameer, up there with my 3 weeks to cycle one NHI account story.

Lack of ownership, misclassified as a non-admin account, not reviewed.

These examples are unfortunately very common and why NHIs need major focus with organisations and a lot of effort to get under control from a full lifecycle standpoint.

(@b-sameer2)
Active Member
Joined: 1 month ago
Posts: 3
Topic starter  

@lalit

Absolutely agree — these cases highlight just how easily NHIs can slip through the cracks when lifecycle governance isn't airtight. 🧩

What makes it even trickier is that many NHIs are spun up quickly for short-term use but end up becoming long-term blind spots — outside IGA workflows, misclassified, and often lacking ownership or oversight. Without proper joiner-mover-leaver processes, recertifications, and PAM controls, they quietly accumulate risk.

It’s time we stop treating NHI governance as an afterthought and start giving it the same strategic attention as human identity management — if not more. 🔐

#IdentityLifecycle #NHI #IGA #PrivilegedAccess #CyberRisk #IdentityGovernance #IAM #ZeroTrust

