While groups are the usual ways of giving access to resources in an environment, another less-known but equally important Active Directory (AD) feature, Primary Group, can also give access to resources.
Primary Group is a mechanism that Microsoft created to support legacy UNIX applications which store group memberships differently than Windows.
As such, being a member of a group or having a Primary Group set for this group works exactly in the same way in the AD.
Microsoft AD management software knows of this feature, but this is not the case for all external monitoring tools.
Therefore, using Primary Group is at least considered a bad practice, at worst a security risk to address.


Reset all user primaryGroupId attributes to a safe value.

See Also

Resolving a Primary Group ID

Well-known security identifiers in Windows operating systems

Indicator Details

Name: User Primary Group


Severity: Critical

MITRE ATT&CK Information:

Tactics: TA0004, TA0003

Techniques: T1078

Attacker Known Tools

Gentil Kiwi: mimikatz - DCShadow