What are Active Directory Audits?

Active Directory audits identify the configuration weaknesses ransomware campaigns exploit. Why they matter and what mature audits actually examine.

What an Active Directory Audit Examines

User and Account Hygiene

The user account component reviews the AD user inventory for stale accounts (inactive >90 days), accounts with non-expiring passwords, accounts excluded from regular password policy enforcement, service accounts mixed with user accounts, and accounts with weak or pre-set passwords. Stale accounts are a particular concern — they represent valid credentials that no one is monitoring, and attackers who obtain stale account access can operate without triggering the behavioral alerts that active-user activity would generate.

Privileged Group Membership

The privileged group review examines membership of Domain Admins, Enterprise Admins, Schema Admins, Account Operators, Backup Operators, Server Operators, Print Operators, and the various other built-in privileged groups. Common findings include excessive Domain Admin membership (security best practice is fewer than five), nested group membership that produces unintended privilege inheritance, service accounts inappropriately added to privileged groups, and human accounts in groups that should contain only break-glass administrators. Each finding represents privilege that attackers will exploit if any of the affected accounts is compromised.

Service Account Posture

The service account review addresses kerberoasting exposure (service accounts with weak passwords are vulnerable to offline cracking after Kerberos ticket capture), password rotation practices (service accounts whose passwords have not rotated in years are particularly exposed), service principal name (SPN) configuration, and the privilege scope of each service account. Service accounts are a primary attack vector in modern ransomware campaigns because they typically have elevated privileges and rarely have MFA protection.

GPO and Domain Controller Configuration

The configuration review examines Group Policy Object structure (audit policies, password policies, account lockout, security settings), domain controller security configuration (LDAP signing, SMB hardening, secure channel signing), replication topology and trust relationships, and authentication protocol versions (NTLMv1 deprecation, Kerberos encryption type restrictions). Configuration drift in any of these areas creates attack surface that a mature audit identifies and prioritizes.
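As an added example (not from the article or Cloudskope's tooling), the following PowerShell reads the domain controller hardening settings named above from every DC and flags values below the hardened target. It assumes the RSAT ActiveDirectory module and WinRM access to the DCs; the registry paths are the documented locations these policies write to, and the "Min" values are the hardened targets.

```powershell
# Added example, not from the article: read the protocol-hardening settings the article
# lists from every domain controller and flag values below the hardened setting.
# Assumes the RSAT ActiveDirectory module and WinRM access to the DCs; the paths are the
# documented registry locations for these policies, the "Min" values are the hardened targets.
Import-Module ActiveDirectory

$checks = @(
    @{ Check = 'LDAP server signing (2 = require)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Name  = 'LDAPServerIntegrity';      Min = 2 }
    @{ Check = 'SMB server signing required (1)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name  = 'RequireSecuritySignature'; Min = 1 }
    @{ Check = 'Secure channel sign or seal (1)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
       Name  = 'RequireSignOrSeal';        Min = 1 }
    @{ Check = 'LmCompatibilityLevel (5 = NTLMv2 only, refuse LM/NTLMv1)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name  = 'LmCompatibilityLevel';     Min = 5 }
)

# Runs on each DC; reads the effective value (GPO-set values land in these same keys)
$collect = {
    param($checks)
    foreach ($c in $checks) {
        $item    = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual  = if ($item) { $item.($c.Name) } else { $null }   # $null: not set, OS default applies
        $finding = if ($null -eq $actual -or $actual -lt $c.Min) { 'BelowHardenedValue' } else { 'OK' }
        [pscustomobject]@{ DC = $env:COMPUTERNAME; Check = $c.Check; Actual = $actual; Finding = $finding }
    }
}

$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ScriptBlock $collect -ArgumentList (,$checks) |
    Sort-Object DC, Check | Format-Table DC, Check, Actual, Finding -AutoSize
```

A $null result is reported as a finding deliberately: an unset value means the OS default applies, which for LDAP signing is "negotiate" rather than "require".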

Common Findings That Translate Directly to Ransomware Risk

Excessive Domain Admin Membership

The most consistent AD audit finding is excessive Domain Admin membership. Organizations frequently accumulate Domain Admin accounts over years of operational decisions — troubleshooting that 'required' temporary elevation that became permanent, third-party software installations that requested admin access, and staff transitions that did not include privilege cleanup. The result is Domain Admin counts that frequently exceed twenty or thirty when fewer than five is appropriate. Each additional Domain Admin is an additional path to full environment compromise.
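As an added example (not from the article or Cloudskope's tooling), this PowerShell expands the privileged groups listed in the Privileged Group Membership section above, reports nesting, service accounts holding privileged membership, and Domain Admin counts at or above the article's benchmark of five. It assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example, not from the article: effective membership of the built-in privileged
# groups, with nesting expanded, reported against the article's own findings.
# Assumes the RSAT ActiveDirectory module and a domain-joined session with read access.
Import-Module ActiveDirectory

$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators')
$maxDomainAdmins = 5   # the article's benchmark: fewer than five Domain Admins

foreach ($groupName in $privilegedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # Enterprise/Schema Admins exist only in the forest root

    # Direct members that are themselves groups: the nesting finding
    $nested = @(Get-ADGroupMember -Identity $group | Where-Object { $_.objectClass -eq 'group' })
    foreach ($n in $nested) {
        [pscustomobject]@{ Group = $groupName; Finding = 'NestedGroup'; Object = $n.Name }
    }

    # -Recursive expands nested groups to the effective list of user accounts
    $members = @(Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties ServicePrincipalName, PasswordNeverExpires, LastLogonDate)

    foreach ($m in $members) {
        # An account carrying an SPN is a service account; it does not belong here
        if ($m.ServicePrincipalName) {
            [pscustomobject]@{ Group = $groupName; Finding = 'ServiceAccountInPrivilegedGroup'; Object = $m.SamAccountName }
        }
        # Non-expiring passwords on privileged accounts compound the exposure
        if ($m.PasswordNeverExpires) {
            [pscustomobject]@{ Group = $groupName; Finding = 'PasswordNeverExpires'; Object = $m.SamAccountName }
        }
    }

    if ($groupName -eq 'Domain Admins' -and $members.Count -ge $maxDomainAdmins) {
        [pscustomobject]@{ Group = $groupName; Finding = "ExcessiveMembership($($members.Count))"; Object = '-' }
    }
}
```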

Kerberoastable Service Accounts

Service accounts that have a registered SPN and a weak password are exposed to kerberoasting — attackers can request Kerberos tickets for the service, capture them, and crack the password offline at their leisure. Modern ransomware campaigns routinely include kerberoasting as a privilege escalation step. The audit finding is straightforward (enumerate service accounts with SPNs and weak password configurations); the remediation requires service account password rotation that is operationally invasive.
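As an added example (not from the article or Cloudskope's tooling) covering both the Service Account Posture section above and this finding, the following PowerShell enumerates user accounts with SPNs and reports the indicators that make offline cracking likely to succeed: password age, RC4 still permitted, and privileged membership. It assumes the RSAT ActiveDirectory module; the 365-day password-age threshold is an assumption.

```powershell
# Added example, not from the article: user accounts that carry an SPN (and so can be
# Kerberoasted), with the indicators that make offline cracking likely to succeed.
# Assumes the RSAT ActiveDirectory module; the 365-day password-age threshold is an assumption.
Import-Module ActiveDirectory

$maxPasswordAgeDays = 365
$domainAdminDns = @((Get-ADGroupMember -Identity 'Domain Admins' -Recursive).DistinguishedName)

$query = @{
    # Computer accounts also carry SPNs but rotate long random passwords automatically;
    # krbtgt is always disabled and is handled by its own rotation process
    Filter     = "ServicePrincipalName -like '*' -and SamAccountName -ne 'krbtgt'"
    Properties = 'ServicePrincipalName', 'PasswordLastSet', 'msDS-SupportedEncryptionTypes', 'AdminCount'
}

foreach ($u in (Get-ADUser @query)) {
    $ageDays = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null }

    # msDS-SupportedEncryptionTypes bits: 0x4 RC4, 0x8 AES128, 0x10 AES256. Unset, or RC4
    # still allowed, means service tickets can be issued with RC4-HMAC, the cheapest to crack.
    $enc = [int]$u.'msDS-SupportedEncryptionTypes'
    $aesOnly = ($enc -band 0x18) -ne 0 -and ($enc -band 0x4) -eq 0

    $findings = @()
    if ($null -eq $ageDays -or $ageDays -gt $maxPasswordAgeDays) { $findings += 'PasswordNotRotated' }
    if (-not $aesOnly)                                           { $findings += 'RC4TicketsPossible' }
    if ($u.DistinguishedName -in $domainAdminDns)                { $findings += 'DomainAdmin' }
    elseif ($u.AdminCount -eq 1)                                 { $findings += 'ProtectedGroupMember' }

    [pscustomobject]@{
        Account         = $u.SamAccountName
        Enabled         = $u.Enabled
        PasswordAgeDays = $ageDays
        SPNs            = ($u.ServicePrincipalName -join ';')
        Findings        = ($findings -join ',')
    }
}
```

Password strength itself is not visible from the directory; the age and privilege indicators are what an audit can observe, and a "DomainAdmin" plus "PasswordNotRotated" row is the combination the case study later in this article describes.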

Unconstrained Delegation

Servers configured with unconstrained delegation are positioned such that any authentication to that server provides the server with the user's Kerberos TGT — which the server can then use to impersonate the user against any service in the domain. Attackers who compromise an unconstrained-delegation server effectively compromise every user who has authenticated to that server, including domain administrators. The finding is common in legacy environments where modern alternatives (constrained delegation, resource-based constrained delegation) were not adopted.
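As an added example (not from the article or Cloudskope's tooling), this PowerShell lists every account trusted for unconstrained delegation, separating domain controllers (which carry the flag by design) from the servers and service accounts that constitute the finding, and lists existing constrained-delegation configurations to scope the migration. It assumes the RSAT ActiveDirectory module.

```powershell
# Added example, not from the article: every account trusted for unconstrained delegation.
# Domain controllers carry the flag by design and are reported as expected; any other
# computer or user account is the finding. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$dcDns = @((Get-ADDomainController -Filter *).ComputerObjectDN)

# TrustedForDelegation maps to the TRUSTED_FOR_DELEGATION bit (0x80000) of userAccountControl
Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties OperatingSystem, LastLogonDate |
    ForEach-Object {
        $finding = if ($_.DistinguishedName -in $dcDns) { 'DomainController(expected)' } else { 'UnconstrainedDelegation' }
        [pscustomobject]@{
            Object        = $_.DNSHostName
            Type          = 'computer'
            OS            = $_.OperatingSystem
            LastLogonDate = $_.LastLogonDate
            Finding       = $finding
        }
    }

# User accounts (almost always service accounts) with the same flag are rarer and always a finding
Get-ADUser -Filter { TrustedForDelegation -eq $true } -Properties ServicePrincipalName |
    ForEach-Object {
        [pscustomobject]@{
            Object        = $_.SamAccountName
            Type          = 'user'
            OS            = $null
            LastLogonDate = $null
            Finding       = 'UnconstrainedDelegation'
        }
    }

# Accounts already using constrained delegation show the replacement pattern remediation
# should follow; listing them alongside helps scope the migration
Get-ADObject -Filter "msDS-AllowedToDelegateTo -like '*'" -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object Name, ObjectClass, @{ n = 'DelegatesTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ';' } }
```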

AdminSDHolder ACL Drift

The AdminSDHolder container in Active Directory contains the ACL template that propagates to privileged accounts via the SDProp process. Modifications to AdminSDHolder permissions — either malicious or accidental — propagate to every privileged account in the domain. The audit finding examines AdminSDHolder ACLs for unexpected entries that would grant inappropriate access to privileged accounts.
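As an added example (not from the article or Cloudskope's tooling), this PowerShell dumps the AdminSDHolder DACL and flags trustees absent from an expected baseline. It assumes the RSAT ActiveDirectory module; the baseline list is an assumption for a stock domain and must be reconciled with the domain's own documented configuration before any entry is treated as drift.

```powershell
# Added example, not from the article: dump the AdminSDHolder DACL and flag trustees that
# are not on an expected baseline. Assumes the RSAT ActiveDirectory module; the baseline
# list is an assumption for a stock domain and must be reconciled with the domain's own
# documented configuration before any entry is treated as drift.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$nb     = $domain.NetBIOSName
$adminSdHolder = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Trustees normally present on a stock AdminSDHolder (assumed baseline; verify locally)
$baseline = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users', 'Everyone',
    'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
    'BUILTIN\Terminal Server License Servers', 'BUILTIN\Windows Authorization Access Group',
    "$nb\Domain Admins", "$nb\Enterprise Admins", "$nb\Cert Publishers",
    "$nb\Key Admins", "$nb\Enterprise Key Admins"
)

# The ActiveDirectory module provides the AD: drive, so Get-Acl reads the object's DACL directly
$acl = Get-Acl -Path "AD:\$adminSdHolder"

$report = foreach ($ace in $acl.Access) {
    $trustee = $ace.IdentityReference.Value
    $finding = if ($trustee -in $baseline) { 'Baseline' } else { 'UnexpectedTrustee' }
    [pscustomobject]@{
        Trustee    = $trustee
        Type       = $ace.AccessControlType
        Rights     = $ace.ActiveDirectoryRights
        ObjectType = $ace.ObjectType     # non-zero GUID = scoped to one attribute or extended right
        Finding    = $finding
    }
}
$report | Sort-Object Finding, Trustee | Format-Table -AutoSize

# Drift can also appear on the other side of SDProp: an account still carrying adminCount=1
# after leaving every protected group keeps the restrictive ACL and is worth reviewing
Get-ADUser -Filter { AdminCount -eq 1 } -Properties AdminCount, MemberOf |
    Select-Object SamAccountName, @{ n = 'Groups'; e = { @($_.MemberOf).Count } }
```

Because SDProp rewrites the ACL of every protected account from this template, an "UnexpectedTrustee" row with write or extended rights is a domain-wide privilege grant rather than a single-object issue.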

Stale and Inactive Accounts

Accounts that have not been used in months or years remain valid credentials available to whoever obtains them. Common patterns include departed employees whose accounts were never disabled, contractor accounts that outlived the engagement, test accounts created during system migrations, and service accounts for systems that have been decommissioned. The audit finding is mechanical (enumerate accounts by last login); the remediation requires governance work to validate which accounts are truly inactive.
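As an added example (not from the article or Cloudskope's tooling) covering both the User and Account Hygiene section above and this finding, the following PowerShell produces one report of inactive accounts, non-expiring passwords, accounts exempt from the password policy, and service accounts mixed in with users. It assumes the RSAT ActiveDirectory module; 90 days is the article's stale threshold, and the 'OU=Service Accounts' location is an assumption about where service accounts belong.

```powershell
# Added example, not from the article: the user-hygiene and stale-account queries the
# article describes, run as one report over enabled accounts. Assumes the RSAT
# ActiveDirectory module; 90 days is the article's stale threshold, the
# 'OU=Service Accounts' location is an assumption about where service accounts belong.
Import-Module ActiveDirectory

$staleDays = 90
$cutoff    = (Get-Date).AddDays(-$staleDays)
$serviceOu = 'OU=Service Accounts'   # assumed naming; adjust to the domain's own layout

$query = @{
    Filter     = 'Enabled -eq $true'
    Properties = 'LastLogonDate', 'PasswordLastSet', 'PasswordNeverExpires', 'PasswordNotRequired',
                 'ServicePrincipalName', 'WhenCreated'
}

foreach ($u in (Get-ADUser @query)) {
    $findings = @()

    # LastLogonDate comes from lastLogonTimestamp, which replicates with up to 14 days of
    # lag: fine for a 90-day stale test, not for "active in the last week" questions
    if ($null -eq $u.LastLogonDate) {
        if ($u.WhenCreated -lt $cutoff) { $findings += 'NeverLoggedOn' }
    } elseif ($u.LastLogonDate -lt $cutoff) {
        $findings += "Inactive>${staleDays}d"
    }
    if ($u.PasswordNeverExpires) { $findings += 'PasswordNeverExpires' }
    if ($u.PasswordNotRequired)  { $findings += 'PasswordNotRequired' }   # bypasses the password policy entirely
    # A service account (SPN present) living among ordinary users is the mixing finding
    if ($u.ServicePrincipalName -and $u.DistinguishedName -notlike "*$serviceOu,*") {
        $findings += 'ServiceAccountOutsideServiceOU'
    }
    if ($findings.Count -eq 0) { continue }

    $pwdAge = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null }
    [pscustomobject]@{
        Account         = $u.SamAccountName
        LastLogonDate   = $u.LastLogonDate
        PasswordAgeDays = $pwdAge
        Findings        = ($findings -join ',')
    }
}
```

The output is the mechanical half of the finding; deciding which "Inactive" rows are genuinely abandoned remains the governance work the article describes.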

Conducting AD Audits in Practice

Tools and Methodologies

Several tools support AD audit work at different levels of depth. PingCastle produces rapid health assessments suitable for periodic checks; BloodHound maps attack paths through AD by ingesting LDAP and SMB data; native PowerShell modules (ActiveDirectory, GroupPolicy) support custom audit queries; commercial tools (Tenable AD, Semperis, Quest GPO Reporter) provide ongoing monitoring capabilities. Most mature programs combine multiple tools: BloodHound for periodic deep analysis, native tooling for ongoing operational audits, and commercial monitoring for continuous detection of configuration drift.

Audit Cadence

For most organizations, annual deep AD audit work is the minimum cadence. Quarterly lightweight audits (privileged group membership, stale account review) complement the annual deep work for organizations with mature security programs. Continuous monitoring through commercial tooling is appropriate for environments where AD compromise would produce material business impact — essentially any organization with regulated data or meaningful operational dependence on AD.

Internal vs. External Execution

Internal AD audit work has the advantage of environment context but typically lacks the breadth of pattern recognition that comes from auditing many environments. External AD audit work brings comparison benchmarks and pattern recognition but requires temporary access to sensitive AD data. Most mature programs combine the two: external audit on annual or biennial cadence with internal continuous monitoring between external engagements.

The Connection to Zero Trust

AD-centric environments are structurally difficult to align with zero trust principles because AD assumes implicit trust within the domain. Modern security architecture frequently includes AD audit work as part of a longer-term plan to reduce AD's blast radius — segmenting the AD environment, reducing service account privilege, replacing AD-dependent authentication with modern identity providers (Microsoft Entra, Okta) where possible, and limiting the consequences of AD compromise even when AD itself cannot be fully replaced.

Real-World Example: The Kerberoast That Encrypted Production

A Cloudskope incident response engagement at a mid-market manufacturer illustrates how AD audit findings translate directly to ransomware exposure. The manufacturer had not conducted formal AD audit work in over five years. The environment had grown organically through several acquisitions, with each acquired company's IT team having added service accounts, privileged groups, and trust relationships without comprehensive review.

The ransomware attack began with a phishing-initiated credential compromise of a finance department user. The compromised credentials provided only standard-user-level access — enough for the attacker to authenticate to the AD environment but not enough for material damage. The attacker spent approximately 72 hours conducting AD reconnaissance from the foothold: enumerating accounts, identifying service accounts with SPNs, and requesting Kerberos tickets for the most promising kerberoasting targets.

One service account — used by a legacy backup application installed during a 2017 acquisition integration — had a weak password ('CompanyName2017') and Domain Admin membership inherited from the original acquisition's IT configuration. The attacker cracked the password offline within four hours of capturing the Kerberos ticket and authenticated to the domain as Domain Admin. From that point the ransomware deployment was straightforward: disable security tools, deploy encryption across all reachable systems, exfiltrate sensitive data for extortion leverage.

The forensic reconstruction surfaced findings an AD audit would have identified years earlier: the kerberoastable service account with a weak password, the inappropriate Domain Admin membership, and the privilege inherited from the unintegrated acquisition. The manufacturer's recovery cost exceeded $11M including ransomware payment, forensic investigation, business interruption, and post-incident security investment. The cost of the AD audit that would have prevented the attack was approximately $25,000.

The structural lesson: AD audit findings are not theoretical security recommendations. They are specific conditions that adversaries actively exploit in current ransomware campaigns. Organizations that defer AD audit work are not deferring security improvement — they are accumulating attack surface that compounds with every operational decision that grows AD's privilege footprint.

Frequently Asked Questions

How often should we conduct AD audits?
Annual deep AD audit work is the minimum cadence for most organizations. Quarterly lightweight audits (privileged group membership, stale account review) complement the annual deep work for mature programs. Continuous monitoring through commercial tooling is appropriate for environments where AD compromise would produce material business impact — essentially any organization with regulated data or meaningful operational dependence on AD.

What's the difference between an AD audit and an AD assessment?
Used interchangeably in most practice. Some practitioners distinguish 'audit' as compliance-oriented (verifying configuration against documented baseline) and 'assessment' as security-oriented (identifying attack paths and exploitable weaknesses). The distinction is not universal; the methodology overlaps substantially regardless of terminology.

Can we run AD audits internally or do we need outside help?
Both approaches have value. Internal AD audit work has the advantage of environment context but typically lacks the breadth of pattern recognition that comes from auditing many environments. External AD audit work brings comparison benchmarks but requires temporary access to sensitive data. Most mature programs combine the two: external audit on annual cadence with internal continuous monitoring between engagements.

What's the relationship between AD audits and zero trust?
AD-centric environments are structurally difficult to align with zero trust principles because AD assumes implicit trust within the domain. AD audit work frequently surfaces specific findings (excessive privilege, service account exposure, lateral movement paths) that zero trust architecture is designed to eliminate. AD audits and zero trust transition planning are complementary disciplines that produce mutually reinforcing security improvement.

Should AD audits be conducted during M&A diligence?
Yes, for any target whose business operations depend materially on AD. The audit findings affect deal economics (remediation cost estimates), R&W terms (security representations), and post-close integration planning (the security baseline that integration must achieve). AD audit work fits within broader cyber due diligence engagement and produces deal-relevant findings on a timeline aligned with diligence cycles.

88% of ransomware incidents involve Active Directory compromise as part of the attack chain, according to Microsoft Defender for Identity research. AD remains the central authentication infrastructure for most enterprises — and its compromise is functionally equivalent to organizational compromise.

How Cloudskope Can Help

Cloudskope's Identity and Access Risk Management service includes AD audit work as a core component — examining user hygiene, privileged group membership, service account posture, configuration drift, and the specific findings that translate to ransomware exposure. For PE portfolio companies, we provide standardized AD audit work across the portfolio that produces comparable findings and benchmark data to inform sponsor-level cybersecurity governance.