Users have the ability to add themselves to the Domain Admins group, granting them Domain Admin privileges.

Hassan Waheed 10 Reputation points
2025-04-09T12:31:35.4666667+00:00

All users created in Active Directory are able to add themselves to the Domain Admin group, granting themselves Domain Admin privileges.

Users can log into the Domain Controller, access Active Directory, and add themselves to the Domain Admin group.

I tested this issue, removed unnecessary permissions from the Domain Admin group, but upon checking today, all the permissions have been restored.

Can you help me understand why this is happening and how to resolve it?

Windows Server Identity and access Active Directory

1 answer

  1. Chen Tran 0 Reputation points
    2025-05-06T08:32:51.5533333+00:00

    Hello,

    Thank you for posting the question on Microsoft Windows forum!

    Based on your description of standard users being able to elevate their privileges improperly, there are several possible causes:

    1. Incorrect Group Permissions – If the “Authenticated Users” or “Everyone” group has been mistakenly granted permissions to modify the Domain Admins group, any user can add themselves to it.
    2. Faulty Group Policy (GPO) Settings – A misconfigured GPO could be granting users unintended administrative privileges.
    3. Privileged Accounts Delegation Misconfiguration – Delegation settings may allow users to modify security groups, including Domain Admins.
    4. Unrestricted Admin Rights on the Domain Controller – If users are granted local admin rights on Domain Controllers, they may have the ability to modify AD settings directly.
    5. Weak or Incorrect Access Control List (ACL) Permissions – The ACL settings for Domain Admins may be improperly configured to allow unintended modifications.
    6. Compromised Accounts – If an attacker has gained access to an account with elevated privileges, they can change permissions to grant themselves admin rights.

    Steps to mitigate the issue

    1. Audit Group Memberships – Run Get-ADGroupMember -Identity "Domain Admins" to check for unauthorized members.
    2. Review ACL Permissions on Domain Admins – Use tools like dsacls or Active Directory Users and Computers (ADUC) to review and restrict permissions.
    3. Check Group Policy Settings – Run gpresult /h report.html to generate a GPO report and verify that no unintended policies affect domain security.
    4. Review Delegated Permissions – Check delegated control settings to ensure there are no unexpected privilege assignments.

    Preventative Measures:

    1. Restrict Admin Rights – Ensure only specific accounts have permission to modify privileged groups.
    2. Implement Least Privilege Access – Remove unnecessary permissions and enforce role-based access control (RBAC).
    3. Use a Privileged Access Management (PAM) Solution – Consider implementing Microsoft Privileged Identity Management (PIM) to limit who can modify security groups.
    4. Regular Security Reviews – Conduct periodic audits to check for anomalies in AD permissions.

    Hope the above steps are informative!

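The audit described in the answer above, carried out in PowerShell, as an added example that is not part of the original question or answer. It assumes the ActiveDirectory RSAT module and a Domain Admin session on a domain-joined host; the Get-RiskyAce and Remove-IdentityAce helpers and the principal names they match are illustrative. It checks the ACL of CN=AdminSDHolder alongside the one on Domain Admins because the SDProp task on the PDC emulator re-applies the AdminSDHolder ACL to every protected group and account on a schedule (every 60 minutes by default), which is the usual reason a permission removed directly from Domain Admins reappears later.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory RSAT module
# and a Domain Admin session on a domain-joined machine.
Import-Module ActiveDirectory

$domain          = Get-ADDomain
$domainAdminsDN  = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
$adminSdHolderDN = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

# Step 1: list current members, expanding nested groups.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object Name, SamAccountName, objectClass |
    Format-Table -AutoSize

# Principals that must never hold write rights on a privileged group. Names are matched
# with or without an authority/domain prefix (e.g. "NT AUTHORITY\Authenticated Users").
$broadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users',
                     'Pre-Windows 2000 Compatible Access')

# Rights that let a principal add members directly, or take over the object and then add them.
$writeRights = 'GenericAll|GenericWrite|WriteProperty|WriteDacl|WriteOwner|Self'

# Well-known schema GUID of the "member" attribute; a WriteProperty or Self (validated write)
# ACE scoped to it is enough for a user to add themselves to the group.
$memberAttrGuid = [guid]'bf9679c0-0de6-11d1-a285-00aa003049e2'

function Get-RiskyAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"   # equivalent to: dsacls "$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $identity = $ace.IdentityReference.Value
        $isBroad  = [bool]($broadPrincipals | Where-Object { $identity -eq $_ -or $identity -like "*\$_" })
        $isWrite  = $ace.ActiveDirectoryRights.ToString() -match $writeRights
        # An empty ObjectType means the right applies to the whole object, i.e. every attribute.
        $coversMember = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $memberAttrGuid)
        if ($isBroad -and $isWrite -and $coversMember) {
            [pscustomobject]@{
                Object     = $DistinguishedName
                Identity   = $identity
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# Step 2: check the live ACL on Domain Admins and the template it is reset from. SDProp,
# run by the PDC emulator every 60 minutes by default, stamps the ACL of CN=AdminSDHolder
# onto every protected group and account, so a fix made only on Domain Admins is
# overwritten at the next run; the offending ACE must be removed from AdminSDHolder too.
$findings = @(Get-RiskyAce -DistinguishedName $domainAdminsDN) +
            @(Get-RiskyAce -DistinguishedName $adminSdHolderDN)
if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize }
else { Write-Host 'No broad-principal write rights found on Domain Admins or AdminSDHolder.' }

# Step 3: remove every explicit Allow ACE for one identity from an object.
# Supports -WhatIf; review $findings before removing anything.
function Remove-IdentityAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Identity   # exact IdentityReference value reported in $findings
    )
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $targets = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited
    })
    foreach ($ace in $targets) { $acl.RemoveAccessRuleSpecific($ace) }
    if ($PSCmdlet.ShouldProcess($DistinguishedName, "remove $($targets.Count) ACE(s) for $Identity")) {
        Set-Acl -Path $path -AclObject $acl
    }
}
# Example call; the identity is whatever $findings reported (hypothetical value shown):
# Remove-IdentityAce -DistinguishedName $adminSdHolderDN -Identity 'NT AUTHORITY\Authenticated Users' -WhatIf

# Step 4 (optional): make the PDC emulator run SDProp now instead of waiting for the
# next scheduled pass, so the corrected AdminSDHolder ACL is pushed to Domain Admins.
$rootDse = [ADSI]"LDAP://$($domain.PDCEmulator)/RootDSE"
$rootDse.Put('RunProtectAdminGroupsTask', '1')
$rootDse.SetInfo()
```

After the AdminSDHolder ACL is clean, re-run Get-RiskyAce against Domain Admins once SDProp has completed; if an entry still comes back, it is being granted by something other than the AdminSDHolder template (for example the answer's GPO or local-admin-on-DC causes) and the gpresult and delegation checks in the answer are the next place to look.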
