Common Active Directory Misconfigurations
Most AD compromises trace back to the same handful of misconfigurations. Learn the most common AD security mistakes and how to fix them.
Common Active Directory Misconfigurations
Despite decades of guidance, the same misconfigurations show up in almost every Active Directory environment. CISA, NSA, Microsoft, and major incident responders consistently report that a small set of issues account for most domain compromises.
This article catalogs the most common AD misconfigurations, explains why they matter, and outlines how to detect and remediate each.
1. Excessive Domain Admin Membership
Issue. Domain Admins (and Enterprise / Schema Admins) groups are often dozens of members, including service accounts, ex-employees, and "convenience" admins.
Why it matters. Each member is a Domain-Admin-equivalent credential. Compromise of any of them = domain compromise.
Fix. Reduce to single digits, separate admin and daily-use accounts, JIT elevation (PIM/PAM), monthly reviews.
2. Service Accounts in Privileged Groups
Issue. Application service accounts placed in Domain Admins for "compatibility."
Why it matters. Combined with Kerberoasting, weak service account passwords become Domain Admin.
Fix. Remove service accounts from privileged groups. Right-size privileges. Use gMSA where possible.
3. Weak / Old Service Account Passwords
Issue. Service accounts with 8–12 char passwords set years ago and never rotated.
Why it matters. Kerberoasting cracks them quickly.
Fix. Use gMSA (240-byte rotated passwords). For static accounts, enforce 25+ char random passwords.
4. Kerberos Pre-Auth Disabled
Issue. Accounts with DoesNotRequirePreAuth=True.
Why it matters. Enables AS-REP Roasting — offline crackable hashes for the asking.
Fix. Re-enable pre-auth on every account that doesn't strictly require it disabled (almost all of them).
5. Unconstrained Delegation Outside DCs
Issue. Servers configured for unconstrained delegation, often as legacy SSO leftovers.
Why it matters. Compromise of such a server captures TGTs of every connecting user — including admins.
Fix. Eliminate unconstrained delegation outside DCs. Migrate to constrained or RBCD.
6. RBCD Misconfigurations and MachineAccountQuota
Issue. Default ms-DS-MachineAccountQuota=10 lets any authenticated user create computer objects, enabling RBCD abuse.
Why it matters. Standard tester-discovered path to Domain Admin.
Fix. Set MachineAccountQuota to 0. Audit msDS-AllowedToActOnBehalfOfOtherIdentity on computers.
7. AD CS ESC1–ESC15 Misconfigurations
Issue. Certificate templates allow low-privilege users to request certs with arbitrary subject + Client Authentication EKU; CA flags allow SAN injection; web enrollment allows NTLM relay.
Why it matters. Direct path to Domain Admin via PKINIT impersonation.
Fix. Audit templates, disable EDITF_ATTRIBUTESUBJECTALTNAME2, harden web enrollment with HTTPS+EPA, enforce strong mapping.
8. Local Admin Password Reuse (No LAPS)
Issue. Same local administrator password across all workstations / servers.
Why it matters. Compromise of one machine yields a hash that works on every other.
Fix. Deploy LAPS / Windows LAPS. Unique random local admin password per machine.
9. Tier-Crossing Admin Logons
Issue. Domain Admins log into Tier 1/2 systems for support tasks. Their credentials cache.
Why it matters. Pass-the-Hash / Pass-the-Ticket from compromised Tier 1/2 systems lifts DA credentials.
Fix. Strict tiered admin model. PAWs for Tier 0. Help desk uses dedicated lower-privilege accounts.
10. NTLM and Legacy Protocols Allowed Forest-Wide
Issue. NTLMv1 enabled, NTLMv2 unrestricted, SMBv1 allowed, LLMNR/NBT-NS broadcasting.
Why it matters. Pass-the-Hash, NTLM relay, LLMNR poisoning, Responder attacks.
Fix. Disable NTLMv1 and SMBv1. Restrict NTLM where compatible. Disable LLMNR / NBT-NS. Enable SMB / LDAP signing and channel binding.
11. KRBTGT Not Rotated
Issue. KRBTGT password unchanged for years.
Why it matters. Anyone who ever held KRBTGT hash (DCSync, NTDS.dit theft, prior incident) can forge Golden Tickets indefinitely.
Fix. Rotate KRBTGT twice per year (twice consecutively).
12. Shadow Admins via ACL
Issue. Direct ACEs grant Reset Password, Write Members, WriteDACL, GenericAll, etc., on privileged objects to non-admin accounts.
Why it matters. Effective privilege without group membership; invisible to normal access reviews.
Fix. Enumerate dangerous ACEs across the forest. Remove or document each. Continuous detection.
13. AdminSDHolder Modifications
Issue. AdminSDHolder ACL contains attacker-granted ACEs that propagate to every protected account every hour.
Why it matters. Persistent backdoor that survives membership clean-up.
Fix. Baseline AdminSDHolder ACL. Alert on any change. Validate adminCount=1 accounts.
14. DnsAdmins / Backup Operators / Server Operators Misuse
Issue. Membership in these groups treated as low-risk; in reality, they're often path to DA.
Why it matters. DnsAdmins historically allowed code exec on DCs. Backup Operators can backup NTDS.dit. Server Operators can manage services on DCs.
Fix. Treat these groups as near-Tier 0. Minimize membership. Audit.
15. Stale and Disabled Accounts
Issue. Accounts not used in 90+ days, disabled accounts retained, stale computer objects.
Why it matters. Attack surface (re-enabled by attackers, password sprayed, etc.). adminCount=1 stale accounts especially risky.
Fix. Quarterly cleanup. Disable + move to "to be deleted" OU after 90 days idle. Delete after 180.
16. Misconfigured GPOs
Issue. GPOs editable by help desk groups, GPOs linked to OUs they shouldn't apply to, GPP cPassword leftovers.
Why it matters. GPO modification → enterprise-wide code execution.
Fix. Audit GPO ACLs and links. Eliminate GPP cPassword. LAPS instead.
17. Excessive Authenticated Users Permissions
Issue. Authenticated Users granted dangerous rights on sensitive objects (Write, ACL modification).
Why it matters. Any domain user can exploit.
Fix. Audit and remove. Restrict to specific necessary groups.
18. Insecure SYSVOL / NETLOGON
Issue. Scripts in SYSVOL/NETLOGON containing credentials or modifiable by non-admins.
Why it matters. Credential leak; arbitrary code execution at logon.
Fix. Audit content. Remove credentials. Enforce script signing.
19. Hybrid Sync (Entra Connect) Without Tier 0 Treatment
Issue. Entra Connect server treated as Tier 1. MSOL_ account with replication rights.
Why it matters. Compromise → DCSync + Global Admin in Entra ID.
Fix. Treat Entra Connect as Tier 0. Vault MSOL_ creds. Apply tiered admin to the sync server.
20. Lack of Forest Recovery Plan
Issue. No documented and tested plan for forest-level recovery.
Why it matters. Major compromise (Golden Ticket persistence, KRBTGT forgery) sometimes requires forest rebuild.
Fix. Document, test annually, retain offline backups.
How to Use This List
- Score yourself against each item (Implemented / Partial / Not Started).
- Pick the highest-impact "Not Started" items and remediate first.
- Track over time. A reasonable goal: 5 items per quarter.
How Forestall Helps
Forestall continuously assesses every misconfiguration listed above (and many more), ranks each by exploitability and impact, and surfaces attack paths that exploit them. Findings come with remediation guidance and ownership data so they can become tickets, not eternal backlog.
Conclusion
Most AD compromises don't require novel exploits — they require a few of these misconfigurations existing simultaneously. Fix them and most attackers are forced into noisier, slower, more detectable paths. The list looks long, but each item is well-defined, well-documented, and well-supported by tooling. Pick the worst three for your environment and start there.
Find your worst AD misconfigurations in days, not months.
Forestall continuously assesses AD posture and ranks misconfigurations by exploitability and impact.