Last Updated on July 4, 2025 by Satyendra
Ask any security-conscious IT admin how many people are in the Domain Admins group, and the answer should be: “as few as humanly possible.” But in reality? Most organizations can’t provide a confident number, if they can provide a number at all.
Why? Because Domain Admin sprawl is easy to overlook and almost inevitable without rigorous auditing. Over time, what starts as a tightly controlled group often evolves into a more complex structure, characterized by nested groups, temporary access that remains unrevoked, and a lack of overall visibility.
And unfortunately, attackers know this.
The Hidden Power of Domain Admins
Among all the groups in Active Directory, Domain Admins is one of the most critical. Its members can update and configure domain controllers, set user and group permissions, change Group Policy, reset passwords, and create new privileged accounts. Because of that reach, the group is a magnet for anyone trying to escalate privileges after an initial break-in.
Therefore, the group always requires close supervision. If you don’t know which of your users effectively hold Domain Admin rights, you are potentially operating with enormous levels of excessive permission.
Why The Domain Group Gets Bigger Over Time
Nested groups are convenient, but they come with unseen issues
The reason Domain Admins often has more members than you would think is group nesting. In many cases, administration is made simpler by adding whole groups to Domain Admins instead of individual users. The theory is fine, but once nesting goes several levels deep, working out who actually inherits membership is not always easy.
For example, let’s say you add Group A to the Domain Admins group. Group B is nested inside Group A, and Group C is nested inside Group B. Every user in Group C can now perform domain-level actions, although that was never the group’s original purpose.
As reported in Lepide’s State of Active Directory Security report, a significant number of organizations have no formal process to routinely audit group memberships, particularly for nested groups. This blind spot can result in a long list of indirect admin accounts, many of which no one remembers are there.
Privilege creep makes everything worse
Apart from group nesting, privilege creep is another challenge, and it goes unnoticed most of the time. For a specific project or problem, a user is granted temporary admin rights. Once that access is granted, it is rarely removed when it is no longer needed. Add a few dozen such one-off cases over time, and your Domain Admins group can easily grow beyond anyone’s awareness.
The same report also notes that a large portion of users across different groups hold privileges greater than what they need to do their jobs.
Why You’re Probably Not Catching It
Tools like Active Directory Users and Computers (ADUC) show only the list of direct group members. They do not resolve nested membership. Without tooling that follows the nesting, there is a good chance you do not see everyone who effectively has Domain Admin rights.
However, visibility is only one part of the issue; the real problem is control. In many companies, this group has no single owner responsible for it. IT assumes security is watching it; security assumes IT has it covered. Consequently, nobody looks closely.
How to Audit and Take Back Control
Use PowerShell to find nested members
If you want a quick way to find all the real members of your Domain Admins group (nested or not), start with PowerShell:
Get-ADGroupMember -Identity "Domain Admins" -Recursive
This flattens the list, including every account that is directly or indirectly a member. Seeing the full picture is the first important step in the cleanup process.
Review every account on the list. Identify stale accounts, service accounts, and people who have no need for elevated rights. MFA and logging are often neglected on non-human accounts, so pay particular attention to them.
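The one-liner above flattens the membership but drops the information you need during review: which nested group each account came in through (the Group A / B / C chain described earlier) and whether the account looks stale or non-human. The script below is an added example, not code from the original post or from Lepide; it walks the nesting itself so it can report the path, then flags disabled accounts, accounts with no logon in the last 90 days, passwords set to never expire, and accounts carrying an SPN (a common marker of service accounts). It assumes the RSAT ActiveDirectory module is installed and that the 90-day threshold suits your policy.

```powershell
# Added example (not from the original post or from Lepide).
# Requires the RSAT ActiveDirectory module; the 90-day threshold is an assumption.
Import-Module ActiveDirectory

function Get-EffectiveGroupMembers {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$Path = $GroupName,
        [hashtable]$Visited = @{}
    )
    $group = Get-ADGroup -Identity $GroupName -Properties member
    # Guard against circular nesting (Group A contains B, B contains A).
    if ($Visited.ContainsKey($group.DistinguishedName)) { return }
    $Visited[$group.DistinguishedName] = $true

    foreach ($dn in $group.member) {
        $obj = Get-ADObject -Identity $dn
        if ($obj.ObjectClass -eq 'group') {
            # Recurse into the nested group, extending the path label.
            Get-EffectiveGroupMembers -GroupName $dn -Path "$Path > $($obj.Name)" -Visited $Visited
        }
        else {
            [pscustomobject]@{
                Member            = $obj.Name
                DistinguishedName = $obj.DistinguishedName
                Class             = $obj.ObjectClass
                Via               = $Path   # e.g. "Domain Admins > Group A > Group B"
            }
        }
    }
}

function Get-DomainAdminReview {
    param([int]$InactiveDays = 90)   # assumption: tune to your own policy
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    Get-EffectiveGroupMembers -GroupName 'Domain Admins' | ForEach-Object {
        $flags = @()
        if ($_.Class -eq 'user') {
            $u = Get-ADUser -Identity $_.DistinguishedName `
                 -Properties LastLogonDate, PasswordNeverExpires, servicePrincipalName, Enabled
            if (-not $u.Enabled) { $flags += 'disabled' }
            # LastLogonDate is null for accounts that have never logged on.
            if (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) {
                $flags += "no logon in $InactiveDays days"
            }
            if ($u.PasswordNeverExpires) { $flags += 'password never expires' }
            if ($u.servicePrincipalName) { $flags += 'has SPN (likely service account)' }
        }
        else {
            # Computers, gMSAs and other objects in Domain Admins deserve a second look.
            $flags += "non-user object ($($_.Class))"
        }
        [pscustomobject]@{
            Member = $_.Member
            Via    = $_.Via
            Flags  = ($flags -join '; ')
        }
    }
}

# Direct members show Via = "Domain Admins"; nested ones show the full chain.
Get-DomainAdminReview | Sort-Object Via, Member | Format-Table -AutoSize
```

Run it as an account that can read group and user attributes (no admin rights are needed for the enumeration itself). Rows whose Via column is longer than "Domain Admins" are the indirect members that ADUC will not show you; rows with a non-empty Flags column are the first candidates for removal or for moving to a dedicated, monitored service account.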
Why This Shouldn’t Be a One-Time Fix
Recognizing the problem once is insufficient. Bloated Domain Admins groups don’t form overnight; they take time to grow. A user may be added today, and the consequences won’t appear until that user’s account is compromised three months later.
It is vital to keep tracking the group continuously. Besides the names, pay attention to when, by whom, and for what reason each account was added to the group. The longer the gap between audits, the longer an attacker who gains membership can work unnoticed.
As the State of Active Directory Report notes, many data breaches are traced back to improper permission settings and inadequate monitoring of privileged accounts.
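The "when, by whom" record the section asks for already exists on your domain controllers: each membership change is written to the Security log as event 4728 (member added to a security-enabled global group, which Domain Admins is) or 4756 (universal group). The function below is an added example, not code from the original post or from Lepide; it pulls those events from every domain controller for the last seven days and prints who added which object to which privileged group. It assumes the "Audit Security Group Management" policy is enabled on the DCs, that the RSAT ActiveDirectory module is available to list the DCs, and that the seven-day window and group list suit you.

```powershell
# Added example (not from the original post or from Lepide).
# Assumes "Audit Security Group Management" is enabled on the domain controllers
# and that the RSAT ActiveDirectory module is installed on the machine running this.
Import-Module ActiveDirectory

function Get-PrivilegedGroupAdditions {
    param(
        [string[]]$GroupNames = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'),
        [int]$Days = 7,   # assumption: widen for a historical review
        # Each DC logs only the changes it processed, so query all of them.
        [string[]]$DomainControllers = (Get-ADDomainController -Filter *).HostName
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4728, 4756          # member added to global / universal group
        StartTime = (Get-Date).AddDays(-$Days)
    }
    foreach ($dc in $DomainControllers) {
        # -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches.
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Read EventData fields by name rather than by position.
                $xml  = [xml]$_.ToXml()
                $data = @{}
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                if ($GroupNames -contains $data['TargetUserName']) {
                    [pscustomobject]@{
                        When    = $_.TimeCreated
                        Group   = $data['TargetUserName']
                        Added   = $data['MemberName']   # DN of the new member
                        By      = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                        DC      = $dc
                        EventId = $_.Id
                    }
                }
            }
    }
}

Get-PrivilegedGroupAdditions | Sort-Object When -Descending | Format-Table -AutoSize
```

Scheduling this daily and diffing its output against the approved membership list turns the periodic audit into a standing control: an addition that nobody can tie to a change request is exactly the kind of entry that later becomes the "indirect admin account no one remembers" described earlier. Note that additions made through a nested group (adding someone to Group C) show up as an addition to Group C, not to Domain Admins, so include the nested groups in the GroupNames list once you have mapped them.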
How Lepide Helps
A manual audit is a good start, but it’s not sustainable. That’s where Lepide Auditor for Active Directory steps in.
Lepide Auditor quickly identifies changes to group memberships when they happen. As soon as a new person is included in the Domain Admins group, you will receive an alert. It also lets you see how your privileged groups have changed throughout the years, which is helpful for security checks and compliance purposes.
You also get detailed reports on group hierarchy, inactive accounts, unusual use of privileges, and similar issues, all in one place. Knowing who can access the system is necessary, but justifying, supervising, and limiting that access is even more important.
Need a practical roadmap for where to start? The State of Active Directory Security is packed with data, strategies, and real-world insights to help you lock down what matters most.
To see how Lepide Auditor for Active Directory works, schedule a demo with one of our engineers or download a free trial.