What is a Domain Admin?
Domain Admin is the highest-privilege standard group in an Active Directory domain. Learn what it can do, why it's the top target for attackers, and how to manage it safely.
What is a Domain Admin?
Definition
A Domain Admin is a member of the Domain Admins group in an Active Directory domain. The group has near-total control over the domain: managing users, groups, computers, GPOs, ACLs, and most domain resources.
Domain Admin is the single highest-value identity target in most enterprises. Compromising one means compromising the domain — and in many cases, the connected cloud tenant as well.
In simple terms:
Domain Admins are the people who can do almost anything in the domain — and the accounts attackers will spend a year trying to reach.
What Domain Admins Can Do
- Add, modify, delete any user, group, or computer in the domain.
- Modify GPOs and apply them anywhere in the domain.
- Modify ACLs across the domain.
- Reset passwords for any account (except a few protected ones).
- Log in as administrator on every domain-joined system by default.
- DCSync from any DC.
- Create or modify trusts.
- Effectively control the domain.
In a single-domain forest, Domain Admin is essentially equivalent to Enterprise Admin in practical reach.
Why Domain Admin Is the Top Target
- Single-account compromise → enterprise compromise.
- Domain Admin credentials are often cached on Tier 1 systems (huge mistake) — easy lateral movement.
- Ransomware operators target Domain Admin within hours of initial access.
- In hybrid environments, Domain Admin frequently leads to Global Admin in Entra ID via Entra Connect.
CISA, Microsoft, and Mandiant consistently identify "credentials of accounts in privileged groups" as the top single risk in enterprise networks.
Common Paths to Domain Admin
- Kerberoasting weak service account in Domain Admins.
- Pass-the-Hash of Domain Admin from cached credentials on Tier 1 system.
- Unconstrained delegation capturing TGTs.
- AD CS ESC1–ESC15 issuing certificates as Domain Admin.
- Shadow admin ACL abuse (Reset Password on a DA's user object, etc.).
- GPO modification that pushes code to DCs.
- Help desk social engineering plus weak verification.
- Misconfigured RBCD allowing impersonation of DAs.
Real-World Examples
1. Cached Domain Admin on a Jump Server
A Domain Admin RDPs to a jump server to do a one-off task. Their hash and TGT remain in memory. The jump server is later compromised. Pass-the-Ticket leads to Tier 0.
2. Domain Admin as Service Account
A Domain Admin account is configured to run a printer service across the fleet. Its plaintext password sits in the SCM database of every print server. Compromise of any print server → Domain Admin.
3. Help Desk Reset Path
A help desk group has been delegated Reset Password on the OU containing Domain Admin user objects (a misconfiguration introduced years ago). Help desk compromise → Domain Admin.
4. AD CS ESC1 → DA
A misconfigured certificate template lets low-privilege users request certificates as anyone. Attackers issue a certificate as a Domain Admin and authenticate.
5. Hybrid Cascade
Domain Admin compromise leads to Entra Connect compromise, then Global Admin in Entra ID, then full Microsoft 365 / Azure compromise.
Best Practices for Domain Admin
Membership
- Keep Domain Admins tiny — single digits in most enterprises.
- Review membership monthly.
- Empty by default, populate only for break-glass or major changes.
- Use JIT elevation (PIM, PAM) instead of standing membership.
Account Hygiene
- Dedicated admin accounts — separate from daily-use accounts.
- Strong, unique passwords (or passkey-like authentication via smart cards).
- MFA enforced on every Domain Admin account.
- No email or browsing from Domain Admin accounts.
- Place in Protected Users group when feasible.
- Mark accounts "Account is sensitive and cannot be delegated."
Where They Log In
- Use PAWs (Privileged Access Workstations). Domain Admins log in only from PAWs to Tier 0 systems.
- Tiered administration — Domain Admin never used on Tier 1/2.
- Network segmentation to enforce admin paths.
Monitoring
- Alert on every membership change to Domain / Enterprise / Schema Admins.
- Alert on every Domain Admin logon location (jump host, DC).
- Detect Pass-the-Hash / Pass-the-Ticket for DA accounts.
- Alert on Domain Admin sessions outside expected change windows.
Recovery
- Break-glass account with hardware MFA, monitored on every use.
- Documented procedures for emergency elevation.
- Regular tabletop exercises for DA compromise.
Other Forest-Critical Groups to Manage Like DA
- Enterprise Admins (forest-wide)
- Schema Admins (forest-wide)
- Account Operators, Server Operators, Backup Operators — often overlooked but powerful.
- DnsAdmins — historically allowed code execution on DCs.
- Group Policy Creator Owners.
Domain Admin Checklist
- Domain Admins membership in single digits?
- Standing membership eliminated where possible (JIT)?
- All DA accounts dedicated (no daily-use)?
- MFA enforced on all DA accounts?
- DA accounts in Protected Users / marked not-delegatable?
- PAWs used for all DA work?
- Tiered administration enforced (no DA on Tier 1/2)?
- Membership change alerts in place?
- DA logon anomalies monitored?
- Break-glass procedure documented and tested?
- Effective DA paths (delegation, AD CS, ACLs) mapped?
How Forestall Helps
Forestall maps every direct, nested, and effective path to Domain Admin (and every other Tier 0 group) across your forest. It surfaces:
- Identities with hidden DA-equivalent reach (shadow admins).
- Tier 1/2 systems where DA credentials have been used.
- Configurations that enable escalation to DA (delegation, AD CS, GPO, ACL).
- Choke points to remediate first to shrink DA reach broadly.
Frequently Asked Questions
How many Domain Admins is too many?
For most enterprises, more than ~5 standing members is too many. Many mature organizations run with 0 standing and use JIT.
Is Domain Admin the same as Enterprise Admin?
No — Enterprise Admin is forest-wide; Domain Admin is per-domain. In single-domain forests, the practical reach overlaps significantly.
Why is Domain Admin worse than Global Admin (Entra)?
Different blast radii. In hybrid environments they often connect — but in different directions for different attackers.
Should Domain Admin accounts be used for everyday tasks?
Never. They should be elevated only for specific Tier 0 tasks, ideally JIT.
What's the single most impactful DA control?
Tiered administration — DA credentials must never touch Tier 1/2 systems. Most domain compromises trace to violations of this rule.
Conclusion
Domain Admin is the most consequential identity in most enterprise environments — and the most attacked. Tiny membership, dedicated accounts, JIT elevation, PAWs, tiered administration, hardened authentication, and aggressive monitoring are the controls that keep DA from becoming a one-step path from a phishing click to a domain-wide outage. Combined with continuous attack-path analysis to find shadow admins and effective DA paths, these controls turn Domain Admin from a top vulnerability into a manageable, auditable capability.
Know exactly who is — and who can become — Domain Admin.
Forestall surfaces every direct, nested, and effective path to Domain Admin across your forest.