Domain Controllers Managed by Illegitimate Users



Of all the Active Directory assets, the Domain Controllers are the most sensitive because they store the data of all the other assets (including authentication secrets such as users' passwords).
Only legitimate administrative accounts should be able to manage them.


The Domain Controllers (DCs) require strict access rights. Allow only highly privileged user accounts to manage DC objects or link new group policies.
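
One way to review these access rights, as an added example that is not part of the original page or of the product's own check: a read-only PowerShell audit listing principals outside an allow-list that hold write-type rights on the Domain Controllers OU or on a DC computer object. The allow-list of SIDs and the set of rights treated as "management" are assumptions to adapt to your own administrative tiering.

```powershell
# Added example: read-only review of who can modify DC objects or link GPOs to the DC OU.
# Requires the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$rootSid = (Get-ADDomain -Identity $domain.Forest).DomainSID.Value

# ASSUMPTION: principals accepted as legitimate DC managers; tune to your environment.
$trustedSids = @(
    'S-1-5-18',                          # SYSTEM
    'S-1-5-10',                          # SELF (the DC's own account)
    'S-1-5-9',                           # Enterprise Domain Controllers
    'S-1-5-32-544',                      # BUILTIN\Administrators
    "$($domain.DomainSID.Value)-512",    # Domain Admins
    "$rootSid-519"                       # Enterprise Admins
)

# ASSUMPTION: rights counted as "managing" an object.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty'
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Resolve the gPLink attribute GUID from the schema instead of hard-coding it.
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$gpLinkAttr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=gPLink)' -Properties schemaIDGUID
$gpLinkGuid = [guid]$gpLinkAttr.schemaIDGUID

# Objects to review: the Domain Controllers OU and every DC computer object.
$targets = @($domain.DomainControllersContainer) +
           @(Get-ADDomainController -Filter * | ForEach-Object ComputerObjectDN)

$findings = foreach ($dn in $targets) {
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags -band $inheritOnly) { continue }   # applies to children only
        if (-not ($ace.ActiveDirectoryRights -band $writeRights)) { continue }
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }                # unresolved principal
        if ($trustedSids -contains $sid) { continue }
        [pscustomobject]@{
            Object       = $dn
            Principal    = $ace.IdentityReference.Value
            Rights       = $ace.ActiveDirectoryRights
            CoversGpLink = (@($gpLinkGuid, [guid]::Empty) -contains $ace.ObjectType)
            Inherited    = $ace.IsInherited
        }
    }
}
# Each row is a candidate for review, not a confirmed finding.
$findings | Sort-Object Object, Principal | Format-Table -AutoSize -Wrap
```

Rows with `CoversGpLink` set on the Domain Controllers OU show principals able to link group policies to it; default schema ACEs (for example, for operator groups) will also be listed and need a decision on whether they are legitimate.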

See Also

Securing Active Directory Administrative Groups and Accounts

Technical description of an nTDSDSA Object

Indicator Details

Name: Domain Controllers Managed by Illegitimate Users


Severity: Critical

MITRE ATT&CK Information:

Tactics: TA0004, TA0003

Techniques: T1078