Active Directory permissions accumulate quietly. People change roles, projects end, contractors leave, and their access lingers. An over-privileged account is a gift to an attacker, so a regular permissions audit is one of the highest-value security routines an IT team can run. Here is a practical approach.
Step 1: Inventory privileged groups
Start with the groups that matter most: Domain Admins, Enterprise Admins, Schema Admins, and Administrators. Use Get-ADGroupMember to list every member, including nested groups. The goal is a Domain Admins group with as few members as humanly possible — ideally a handful.
Step 2: Find stale and inactive accounts
Query for accounts that have not logged in for 90 days with Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00. Disable them rather than deleting immediately, and document the change. Stale accounts with valid credentials are a favourite target for lateral movement.
Step 3: Check for accounts with passwords that never expire
Run Get-ADUser -Filter {PasswordNeverExpires -eq $true} to surface accounts exempt from password rotation. Service accounts sometimes need this, but a human user with a non-expiring password is a red flag worth investigating.
Step 4: Review delegated permissions
Beyond group membership, check delegated control on organizational units. Improper delegation can let a help-desk account reset a CEO's password or modify group membership. Use the Effective Permissions tab in Active Directory Users and Computers to verify who can do what where.
Step 5: Apply least privilege and document
For every excess permission you find, remove it and record the change in a ticket. Establish a recurring quarterly review so the audit becomes routine rather than a fire drill after an incident. Consider implementing tiered administration to separate workstation, server, and domain admin duties.
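The five steps above can be run as one read-only pass and collected into a report for the ticket. The script below is an added example, not part of the original post or any Korur tooling; it assumes the RSAT ActiveDirectory module on a domain-joined machine with read access, and the output folder, the service-account naming heuristic and the list of excluded built-in principals are assumptions you should adjust. It changes nothing in the directory: review the CSVs first, then remove excess access under Step 5.

```powershell
# Added example (not from the original post): a read-only audit covering Steps 1-4.
# Assumes the RSAT ActiveDirectory module and a read-permitted domain account.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# Assumed output location; change to suit your ticketing workflow.
$ReportDir = Join-Path $env:USERPROFILE "AD-Audit-$(Get-Date -Format yyyyMMdd)"
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Step 1: privileged group membership. -Recursive flattens nested groups so an
# account that is a Domain Admin only through another group is not missed.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$Members = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object @{n='Group'; e={ $g }}, Name, SamAccountName, objectClass
}
$Members | Export-Csv (Join-Path $ReportDir 'privileged-members.csv') -NoTypeInformation

# Step 2: enabled user accounts with no logon for 90 days (candidates to disable, not delete).
$Inactive = Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object Name, SamAccountName, LastLogonDate, DistinguishedName
$Inactive | Export-Csv (Join-Path $ReportDir 'inactive-90d.csv') -NoTypeInformation

# Step 3: non-expiring passwords on enabled accounts. The service-account heuristic
# (an 'svc' prefix or an OU named "Service Accounts") is an assumption; adapt it to
# your naming convention so human accounts stand out.
$NeverExpires = Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
        -Properties PasswordNeverExpires, PasswordLastSet |
    Select-Object Name, SamAccountName, PasswordLastSet, DistinguishedName,
        @{n='LikelyServiceAccount'; e={
            $_.SamAccountName -like 'svc*' -or $_.DistinguishedName -match 'OU=Service Accounts' }}
$NeverExpires | Export-Csv (Join-Path $ReportDir 'password-never-expires.csv') -NoTypeInformation

# Step 4: delegated control on OUs. Lists explicit (non-inherited) Allow ACEs that grant
# write-class rights to principals other than the expected admin groups; this is where
# help-desk delegation (password resets, group membership changes) shows up.
# The exclusion list is an assumption; extend it with your own tier-0 groups.
$Exclude = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
           "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins"
$Delegations = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    $acl.Access |
        Where-Object {
            -not $_.IsInherited -and
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -notin $Exclude -and
            $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner|ExtendedRight'
        } |
        Select-Object @{n='OU'; e={ $ou.DistinguishedName }}, IdentityReference,
            ActiveDirectoryRights, ObjectType, InheritedObjectType
}
$Delegations | Export-Csv (Join-Path $ReportDir 'ou-delegations.csv') -NoTypeInformation

# Summary line for the Step 5 ticket; the CSVs carry the detail.
[PSCustomObject]@{
    PrivilegedMembers   = ($Members | Measure-Object).Count
    DomainAdmins        = ($Members | Where-Object Group -eq 'Domain Admins' | Measure-Object).Count
    InactiveEnabled     = ($Inactive | Measure-Object).Count
    HumanNeverExpires   = ($NeverExpires | Where-Object { -not $_.LikelyServiceAccount } | Measure-Object).Count
    ExplicitDelegations = ($Delegations | Measure-Object).Count
    ReportDir           = $ReportDir
}
```

Run it from an elevated PowerShell session on an administrative workstation and commit the CSVs with the quarterly ticket, so the next review can diff against the last one. In the delegation report the ObjectType column is a schema GUID rather than a name; a WriteProperty or ExtendedRight entry scoped to a specific GUID is narrower than one with an empty ObjectType, which applies to every attribute and is the entry to look at first. The script confirms what the Effective Permissions tab shows for a single object, but across all OUs at once.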
A clean Active Directory is a resilient one. Treat the audit as ongoing hygiene, not a one-time clean-up, and you shrink the blast radius of any future compromise.
Korur Security Team
