Why are enterprises still vulnerable despite decades of experience with Active Directory? Because many organizations are still grappling with the basics. According to Lepide's State of Active Directory Security in 2025 report, companies continue to struggle to secure Active Directory (AD) properly. Admins face ongoing challenges with stale accounts, misconfigurations, privilege creep and monitoring gaps that leave organizations dangerously exposed to internal and external threats.
Is Active Directory Still a Major Security Risk in 2025?
The 2025 State of Active Directory Security Report notes that efforts to fortify AD against attack are still underway, but there is much more work to do.
Below are ten important findings that indicate how “at risk” your Active Directory may be:
- Permission Sprawl: Permission changes that are unapproved or poorly controlled. Changes to group memberships and permissions frequently go unreviewed, and access to sensitive data is granted with little oversight. Because such changes are quiet and often unreported, they can lead to unauthorized access and data leaks. To stop further privilege escalation and lateral movement, companies should apply least privilege, flatten nested groups, refuse delegation without a documented justification, and build a role-based access model that restricts each role to the access it actually needs.
- Inactive User and Computer Accounts: Accounts often remain enabled after their owners leave, giving attackers a foothold through brute force or credential stuffing. If the accounts of former employees or contractors are not properly disabled, an attacker who takes one over can reach sensitive data or expand their access. Automating deactivation is therefore essential: Active Directory cleanup tools can enforce a policy that disables accounts dormant for 30 or 60 days, and quarterly or yearly account audits help catch and remove anything the automation misses.
- Off Hours Activities: Access to data outside normal business hours by employees or contractors, whether deliberate or accidental, is an insider-threat indicator. Privileged accounts and sensitive data are especially exposed at these times because fewer people are watching, and a permitted out-of-hours session can still be the one that does damage. Businesses need real-time monitoring of user behaviour, particularly outside regular hours. A SIEM can correlate logon data to surface anomalies such as unknown devices, unusual locations or major system changes, and time-based access controls that restrict access to sensitive systems outside working hours reduce the risk further.
- Ineffective Password Policies: Weak password policies put the whole domain at risk, particularly when multi-factor authentication (MFA) is not in place. Credential stuffing, in which attackers replay passwords stolen from other breaches, is a growing concern because so many people reuse passwords across sites. Strong passwords should be at least 12 characters long and screened against lists of commonly used or breached passwords. Use MFA for sensitive systems and rotate passwords every 60 to 90 days, bearing in mind that rules which are too rigid or too frequent cause user fatigue, and that current NIST guidance (SP 800-63B) favours breached-password screening and MFA over forced periodic rotation unless compromise is suspected. Ongoing training on safe password habits and common attacks remains essential.
- Failed Logon Monitoring: Failing to track unsuccessful logon attempts leaves you believing you are more secure than you are. Without limits on failed attempts, brute force and credential stuffing can run unhindered. Real-time monitoring and alerting let IT teams spot these attacks early. Businesses should deploy multi-factor authentication (MFA) and an account lockout policy that triggers after a set number of failures, and feed failed logon events into a SIEM for collection, analysis and alerting.
- User Accounts: The more user accounts exist in Active Directory, the easier it is for an attacker to find a way in. Security teams concentrate on privileged accounts, but ordinary accounts are a common route to initial access, lateral movement and privilege escalation. As the user count grows, so do configuration mistakes such as forgotten group memberships or poorly managed service accounts. Automating provisioning and deprovisioning lowers these risks by making account setup and access management consistent, reduces human error, and speeds up onboarding and offboarding. Regular audits and clean-up of inactive users and groups further improve AD security.
- Account Lockouts: Account lockouts are not a complete security measure on their own. They help against brute force, but they also disrupt legitimate users (an attacker can even trigger them deliberately to lock staff out), and they do nothing against phishing, social engineering or insider threats, so they can foster a false sense of security. Companies should set a sensible lockout policy and educate users on safe password habits, such as avoiding common words and changing passwords routinely, to reduce both the risk and the volume of failed logons.
- Too Many Admin or Privileged Users: Every account in Domain Admins, Enterprise Admins or a similarly powerful group is a path to full control of the directory, so the more of them there are, the more likely one is to be phished, left stale or misused. Admin rights also accumulate: temporary grants are never revoked, and membership in nested groups confers privileges that nobody consciously approved. Keep privileged group membership to the minimum, grant elevated rights only for the task at hand, separate day-to-day accounts from admin accounts, and review membership regularly. The proliferation of admin rights has been identified as a catalyst for business disruptions; our study found that such practices have cost organizations over £4 million in the last two years through incidents such as ransomware attacks that exploited admin accounts.
- Unawareness of Permission Inheritance: Administrators do not always fully grasp how permissions flow from parent to child objects, or how nested groups combine. That gap leads to accidentally granting overly broad access and creates hidden access paths. Managing permissions becomes harder still when inheritance is blocked or configured inconsistently, producing uneven security and unintended access. Regular audits of effective permissions and close attention to group nesting are vital to a strong security posture. According to Lepide's State of Active Directory Security Report, improper permission settings or unauthorized permission changes were responsible for 25% of data breaches.
- Passwords Set to Never Expire: Passwords set to never expire contribute to credential sprawl, especially in large environments where obsolete credentials slip through the cracks. A compromised non-expiring password stays valid indefinitely, which raises the risk from insider threats and can lead to legal or financial consequences if a breach occurs. Rotation policies, such as expiry every 30 to 90 days, shorten the window in which a compromised credential can be exploited. Non-expiring passwords are often unavoidable for service accounts with awkward dependencies; for those, MFA where it is supported, long unique passwords and close monitoring supply the layers that expiry would otherwise provide. Even where passwords cannot expire, demanding password requirements and MFA on important accounts significantly improve security.
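The findings above are things an admin can measure directly. The following is an added example, not code from the Lepide report or product: a read-only PowerShell sweep of the current domain for stale accounts, never-expiring passwords, privileged group membership (flattened through nested groups) and the domain password and lockout policy. It assumes the RSAT ActiveDirectory module on a domain-joined host and an account that can read the directory; the 60-day and 12-character thresholds are the ones given in the text, and the list of privileged groups is a common default rather than anything the report specifies.

```powershell
# Added example, not code from the Lepide report: a read-only sweep of the
# current domain for several of the findings above (stale accounts,
# never-expiring passwords, privileged group membership including nested
# groups, and the domain password/lockout policy). Assumes the RSAT
# ActiveDirectory module on a domain-joined host and an account that can
# read the directory. Thresholds (60 days stale, 12-character minimum) are
# the ones in the text; the group list is a common default, not the report's.
Import-Module ActiveDirectory

# Enabled user and computer accounts with no logon in the last $Days days.
# lastLogonTimestamp replicates with up to 14 days of skew, so a hit means
# "at least this stale"; treat the list as input to a review, not as an
# automatic disable list.
function Get-StaleAccounts {
    param([int]$Days = 60)
    $span  = New-TimeSpan -Days $Days
    $found = @(Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly) +
             @(Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly)
    $found | Where-Object { $_.Enabled } |
        Select-Object ObjectClass, SamAccountName, LastLogonDate, DistinguishedName
}

# Enabled users whose password never expires. Service accounts often need
# this; anything else is a candidate for expiry, or for a group managed
# service account (gMSA) that rotates its own password.
function Get-NeverExpiringPasswords {
    Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
               -Properties PasswordLastSet, PasswordNeverExpires, MemberOf |
        Select-Object SamAccountName, PasswordLastSet,
                      @{ Name = 'GroupCount'; Expression = { @($_.MemberOf).Count } }
}

# Effective membership of the built-in privileged groups, flattened through
# nested groups (-Recursive) so that a user who reaches Domain Admins via
# Group A -> Group B is listed, plus the directly nested groups themselves,
# which are where those hidden paths live. Enterprise Admins and Schema
# Admins exist only in the forest root domain, so failed lookups are skipped.
function Get-PrivilegedAccess {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                'Administrators', 'Account Operators', 'Backup Operators'))
    foreach ($g in $Groups) {
        try { $direct = @(Get-ADGroupMember -Identity $g) } catch { continue }
        foreach ($n in ($direct | Where-Object { $_.objectClass -eq 'group' })) {
            [pscustomobject]@{ Group = $g; Kind = 'nested-group'; Name = $n.SamAccountName }
        }
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                [pscustomobject]@{ Group = $g; Kind = 'user'; Name = $_.SamAccountName }
            }
    }
}

# Domain-wide password and lockout policy checked against the text's
# thresholds. Fine-grained password policies can override this for specific
# groups, so also review Get-ADFineGrainedPasswordPolicy -Filter *.
function Test-DomainPasswordPolicy {
    $p = Get-ADDefaultDomainPasswordPolicy
    # A non-positive MaxPasswordAge means no domain-wide expiry at all.
    $maxAge = if ($p.MaxPasswordAge.Ticks -gt 0) { $p.MaxPasswordAge.Days } else { 'none' }
    [pscustomobject]@{
        MinPasswordLength  = $p.MinPasswordLength
        MeetsMinLength12   = $p.MinPasswordLength -ge 12
        ComplexityEnabled  = $p.ComplexityEnabled
        LockoutThreshold   = $p.LockoutThreshold
        LockoutEnabled     = $p.LockoutThreshold -gt 0
        MaxPasswordAgeDays = $maxAge
    }
}

# Run the sweep and keep a dated copy so the numbers can be compared over time.
$report = [ordered]@{
    PasswordPolicy         = Test-DomainPasswordPolicy
    StaleAccounts          = @(Get-StaleAccounts -Days 60)
    NeverExpiringPasswords = @(Get-NeverExpiringPasswords)
    PrivilegedAccess       = @(Get-PrivilegedAccess)
}
$report.PasswordPolicy | Format-List
'{0} stale enabled accounts, {1} enabled users with non-expiring passwords, {2} privileged entries' -f
    $report.StaleAccounts.Count, $report.NeverExpiringPasswords.Count, $report.PrivilegedAccess.Count
$report.PrivilegedAccess | Sort-Object Group, Kind | Format-Table -AutoSize
$report | ConvertTo-Json -Depth 3 | Set-Content -Path ('.\ad-hygiene-{0:yyyyMMdd}.json' -f (Get-Date))
```

Run it from an account with read access to the domain; it changes nothing. The nested-group rows are the ones to read first, because a single group nested inside Domain Admins can quietly add every one of its members to the privileged population, which is exactly the inheritance problem the findings describe.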
Dive into the State of Active Directory Security 2025 report for in-depth statistics and insights.
What Can Organizations do to Strengthen their AD Security Posture?
The report proposes a multi-faceted approach that involves the use of multi-factor authentication (MFA), the implementation of automated hygiene measures, the installation of real-time threat detection systems and the completion of extensive audits. By actively working to fix these problems, companies can significantly reduce their AD attack surface and enhance their general security posture.
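The real-time detection the report calls for comes down to the off-hours, failed-logon and lockout findings listed earlier. As an added example, not code from the report or product, the following PowerShell expresses those three as detection logic over Security-log events. The analysis functions take plain objects so the block runs offline on a constructed sample; Get-LogonEvents converts live events from a domain controller into the same shape. The event IDs (4624 logon, 4625 failed logon, 4740 account locked out) are the documented Windows ones; the business-hours window, the burst threshold and the sample records are assumptions made for the example.

```powershell
# Added example, not code from the Lepide report: the three logon findings
# above (off-hours activity, unmonitored failed logons, account lockouts)
# expressed as detection logic over Security-log events. The analysis
# functions take plain objects so they can run here on a constructed sample;
# Get-LogonEvents converts live events from a domain controller into that
# shape. Event IDs are the documented Windows ones (4624 logon, 4625 failed
# logon, 4740 account locked out). Business hours (07:00-19:00, Mon-Fri),
# the burst threshold (10 failures within 5 minutes) and the sample data
# are assumptions for the example.

function Get-EventField {
    param($Event, [string]$Name)
    # Read a named EventData field from the event XML rather than by position.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-LogonEvents {
    param([string]$Computer = $env:COMPUTERNAME, [datetime]$Since = (Get-Date).AddHours(-24))
    # Needs Event Log Readers (or equivalent) on the DC. Run against every DC
    # in the domain: each one only logs the logons it handled itself.
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4625, 4740; StartTime = $Since
    } | ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            User      = Get-EventField -Event $_ -Name 'TargetUserName'
            LogonType = Get-EventField -Event $_ -Name 'LogonType'   # absent on 4740
            Source    = Get-EventField -Event $_ -Name 'IpAddress'   # absent on 4740
        }
    }
}

function Find-FailedLogonBursts {
    param($Events, [int]$Threshold = 10, [int]$WindowMinutes = 5)
    # Sliding window over 4625 events per (account, source): flag the pair if
    # any $Threshold consecutive failures fall within $WindowMinutes.
    $Events | Where-Object { $_.Id -eq 4625 } | Group-Object User, Source | ForEach-Object {
        $grp   = $_
        $times = @($grp.Group | Sort-Object Time | ForEach-Object { $_.Time })
        for ($i = 0; $i + $Threshold - 1 -lt $times.Count; $i++) {
            if (($times[$i + $Threshold - 1] - $times[$i]).TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{
                    User = $grp.Group[0].User; Source = $grp.Group[0].Source
                    Failures = $times.Count; FirstSeen = $times[0]; LastSeen = $times[-1]
                }
                break
            }
        }
    }
}

function Find-OffHoursLogons {
    param($Events, [int]$StartHour = 7, [int]$EndHour = 19)
    # Interactive (2), network (3) and RDP (10) logons by human accounts
    # outside business hours. Machine accounts end in '$' and are skipped.
    $Events | Where-Object {
        $_.Id -eq 4624 -and $_.User -notlike '*$' -and ($_.LogonType -in '2', '3', '10') -and
        ($_.Time.DayOfWeek -in 'Saturday', 'Sunday' -or $_.Time.Hour -lt $StartHour -or $_.Time.Hour -ge $EndHour)
    } | Select-Object Time, User, LogonType, Source
}

function Get-Lockouts {
    param($Events)
    # 4740 per account; repeated lockouts of one account in a short span
    # usually mean a stale credential on a device or an active attack.
    $Events | Where-Object { $_.Id -eq 4740 } | Group-Object User |
        Select-Object @{ Name = 'User'; Expression = { $_.Name } },
                      @{ Name = 'Lockouts'; Expression = { $_.Count } }
}

# Constructed sample, not a real capture: 12 failures against 'svc-backup'
# from 10.0.0.23 ten seconds apart, the resulting lockout, an RDP logon by
# 'jsmith' at 02:10 on a Sunday, and two ordinary Monday-morning logons.
$sunday = [datetime]'2025-06-15T02:00:00'
$monday = [datetime]'2025-06-16T10:15:00'
$sample = @(
    1..12 | ForEach-Object {
        [pscustomobject]@{ Time = $sunday.AddSeconds(10 * $_); Id = 4625; User = 'svc-backup'; LogonType = '3'; Source = '10.0.0.23' }
    }
    [pscustomobject]@{ Time = $sunday.AddMinutes(3);  Id = 4740; User = 'svc-backup'; LogonType = $null; Source = $null }
    [pscustomobject]@{ Time = $sunday.AddMinutes(10); Id = 4624; User = 'jsmith';     LogonType = '10';  Source = '203.0.113.7' }
    [pscustomobject]@{ Time = $monday;                Id = 4624; User = 'amartin';    LogonType = '2';   Source = '10.0.0.41' }
    [pscustomobject]@{ Time = $monday.AddMinutes(1);  Id = 4624; User = 'DC01$';      LogonType = '3';   Source = '10.0.0.1' }
)

Find-FailedLogonBursts -Events $sample | Format-Table -AutoSize
Find-OffHoursLogons    -Events $sample | Format-Table -AutoSize
Get-Lockouts           -Events $sample | Format-Table -AutoSize
# Against a live domain controller instead of the sample:
# Find-FailedLogonBursts -Events (Get-LogonEvents -Computer 'DC01')
```

The burst detector keys on account and source together, so a single host hammering one account is caught; a password spray (one source, many accounts, few attempts each) needs the complementary grouping by source alone, which the same data supports. Whatever SIEM is in use, these are the fields to forward from the domain controllers.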
Active Directory is such a high-value target for attackers, so why do many organizations still struggle to secure it?
Despite their importance, many businesses still ignore fundamental security measures like monitoring privileged accounts, restricting admin permissions, and imposing strict password controls.
According to the report, a sizable proportion of IT and security professionals are overconfident in their AD security posture despite small configuration mistakes and hygiene problems.
How Does Lepide Help?
Lepide Auditor for Active Directory provides detailed audit trails with the critical “who, what, where, and when” audit information for all Active Directory changes and events. Lepide provides detailed state-in-time Active Directory security audit reporting so admins can fully understand what their AD looks like. Lepide also tracks user behavior, including logon/logoff behavior and account lockouts.
Want to see the state of your Active Directory? Schedule a demo with one of our engineers or download the free trial.