Active Directory Dashboard - IIS App Pool Identity

Is there a “best practice” for Active Directory-related dashboards? Is anyone using a domain admin account for their app pool identity? I’m not sure how else you are getting domain controller-related information, unless you’re just loading basic information in AD that all domain users have access to. My team is looking to have more of an infrastructure-related dashboard to view the state of the environment and if there are any server issues. However, I wouldn’t think that running the app pool under a domain admin account would be best practice for security. Thoughts?

I run an AD dashboard for our techs and definitely don’t run it as a domain admin. I use a separate account that is running as a domain user. It is able to gather all the info I need from AD. When it comes to submitting changes, it all goes through a proxy system. Essentially, I have a SQL server that I write the requests to. When the requests come in, they trigger an event that then kicks off PowerShell to go and run this as a special proxy account that has the additional perms needed.

There are other times that I do need to authenticate (such as to O365) and for that I use a password encrypted by a certificate to make that connection.

Hope that helps.
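The request-broker pattern described in the reply above, written out as an added example (not code from either poster): the IIS app pool, running as a plain domain user, only inserts rows into a SQL table, and a separate worker running as the privileged proxy account picks them up, checks them against an allow-list, and refuses to act on protected accounts. The table `dbo.AdRequests`, its columns, the server name and the two permitted actions are assumptions for illustration.

```powershell
# Worker script run as the privileged proxy account (e.g. from a scheduled task
# or a SQL Server Agent job). Assumed table: dbo.AdRequests(Id, Action, TargetSam, RequestedBy, Status, Result)
Import-Module ActiveDirectory
$ConnectionString = 'Server=SQL01;Database=AdDashboard;Integrated Security=True'  # assumed

# Allow-list: the proxy will only ever run these named actions; the web tier cannot supply commands.
$AllowedActions = @{
    UnlockAccount  = { param($Sam) Unlock-ADAccount  -Identity $Sam }
    DisableAccount = { param($Sam) Disable-ADAccount -Identity $Sam }
}

function Invoke-RequestSql {
    param([string]$Sql, [hashtable]$Params = @{}, [switch]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand(); $cmd.CommandText = $Sql
        foreach ($k in $Params.Keys) { [void]$cmd.Parameters.AddWithValue($k, $Params[$k]) }  # parameterised, no string building
        if ($Query) {
            $r = $cmd.ExecuteReader()
            while ($r.Read()) {
                [pscustomobject]@{ Id = $r['Id']; Action = $r['Action']; TargetSam = $r['TargetSam']; RequestedBy = $r['RequestedBy'] }
            }
        } else { [void]$cmd.ExecuteNonQuery() }
    } finally { $conn.Close() }
}

function Set-RequestResult {
    param([int]$Id, [string]$Status, [string]$Result)
    Invoke-RequestSql 'UPDATE dbo.AdRequests SET Status = @s, Result = @r WHERE Id = @id' @{ '@s' = $Status; '@r' = $Result; '@id' = $Id }
}

$pending = Invoke-RequestSql "SELECT Id, Action, TargetSam, RequestedBy FROM dbo.AdRequests WHERE Status = 'Pending'" -Query
foreach ($req in $pending) {
    if (-not $AllowedActions.ContainsKey($req.Action)) {
        Set-RequestResult -Id $req.Id -Status 'Rejected' -Result "Action not permitted: $($req.Action)"
        continue
    }
    # Never touch protected accounts (adminCount=1): a compromised dashboard must not be able to reach admins via the proxy.
    $user = try { Get-ADUser -Identity $req.TargetSam -Properties adminCount -ErrorAction Stop } catch { $null }
    if (-not $user -or $user.adminCount -eq 1) {
        Set-RequestResult -Id $req.Id -Status 'Rejected' -Result 'Target not found or protected'
        continue
    }
    try {
        & $AllowedActions[$req.Action] $user.SamAccountName
        Set-RequestResult -Id $req.Id -Status 'Done' -Result "Run as $env:USERNAME on behalf of $($req.RequestedBy)"
    } catch {
        Set-RequestResult -Id $req.Id -Status 'Failed' -Result $_.Exception.Message
    }
}
```

The SQL login used by the app pool should have INSERT only on the request table, so even a compromised web tier can queue requests but never approve or execute them.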