The migration stops being a security improvement and becomes a privilege-preservation exercise. If inherited admin rights, delegation paths, and nested groups move unchanged, the new forest can reproduce the same attack routes as the old one, only with different object names. The control that fails is effective access review before cutover.
Why This Matters for Security Teams
When an Active Directory migration carries old privilege into the target forest, the move is not a clean identity reset. It is a replication of trust, delegation, and group nesting, often with the same effective access paths hidden behind new object names. That creates a false sense of progress: the forest changes, but the privilege model does not. Security teams should treat the cutover as an access-reduction event, not just an infrastructure project.
NHIMG research shows why this matters at scale: 97% of NHIs carry excessive privileges, and only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs — Key Challenges and Risks. The same failure pattern appears in directory migrations when administrators preserve legacy group memberships, delegated admin rights, and stale service account entitlements for compatibility. The OWASP Non-Human Identity Top 10 similarly warns that excessive privilege and weak lifecycle control remain core identity risks. In practice, many security teams encounter lateral movement only after the target forest has already inherited the original attack paths.
How It Works in Practice
The practical problem is that AD migration tooling is designed to preserve functionality, not reduce privilege. If source groups, nested memberships, ACL inheritance, delegation links, and service account permissions are copied without a full entitlement review, the destination forest inherits the same effective access, including hidden paths through admin-equivalent groups and legacy OU delegation. A migration can also preserve authentication dependencies that were never intended to survive redesign.
Effective cutover planning should separate identity continuity from privilege continuity. Current guidance suggests mapping who or what truly needs access before the move, then reissuing only the minimum necessary permissions in the target forest. That means reviewing:
- admin-tier memberships and shadow administration paths
- nested group resolution, especially where RBAC assumptions were informal
- delegated control on OUs, GPOs, and service account objects
- non-interactive identities such as scheduled task accounts, app pools, and integration accounts
- stale or emergency rights that were granted years earlier and never removed
For the access review itself, use current-state evidence, not just exported group lists. Tools and processes should validate effective access, not merely declared membership. This is where directory hygiene intersects with broader NHI governance: service accounts, app identities, and automation accounts often behave like permanent privileged actors, and they deserve the same scrutiny described in the Ultimate Guide to NHIs — Key Challenges and Risks. The OWASP Non-Human Identity Top 10 and identity governance best practice both point to least privilege, credential scope reduction, and lifecycle control as the baseline. These controls tend to break down when migration teams prioritise application compatibility over entitlement redesign, because the old privilege graph remains intact even if the domain name changes.
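To make "effective access, not declared membership" concrete, the following is an added example (not the article's or NHI Mgmt Group's code) that walks a constructed group-membership export and reports every principal that reaches an admin-equivalent group only through nesting, together with the chain that grants it. The group names, DNs and the Tier-0 list are assumptions made for the illustration.

```python
# Added example (not the article's code): resolve effective membership of admin-equivalent
# groups through nested groups. Input mimics a directory export {group_dn: [member_dn, ...]};
# every name and DN below is constructed sample data, not from any real forest.
from collections import deque

MEMBERSHIP = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=example": [
        "CN=alice,OU=Staff,DC=corp,DC=example",
        "CN=Platform Ops,OU=Groups,DC=corp,DC=example",
    ],
    "CN=Platform Ops,OU=Groups,DC=corp,DC=example": [
        "CN=bob,OU=Staff,DC=corp,DC=example",
        "CN=Build Agents,OU=Groups,DC=corp,DC=example",
    ],
    "CN=Build Agents,OU=Groups,DC=corp,DC=example": [
        "CN=svc-jenkins,OU=ServiceAccounts,DC=corp,DC=example",
        "CN=Platform Ops,OU=Groups,DC=corp,DC=example",  # nesting cycle
    ],
}
# Groups treated as admin-equivalent in this example (an assumption for illustration).
TIER0_GROUPS = ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]

def effective_members(group, membership):
    """Map each user/service account reaching `group` via any nesting chain to that chain."""
    found, seen, queue = {}, {group}, deque([(group, [group])])
    while queue:
        current, path = queue.popleft()
        for member in membership.get(current, []):
            if member in membership:          # nested group: keep walking (cycle-safe)
                if member not in seen:
                    seen.add(member)
                    queue.append((member, path + [member]))
            elif member not in found:         # leaf principal: record first path found
                found[member] = path + [member]
    return found

def hidden_privilege_report(membership, tier0):
    """Per Tier-0 group: principals with access only through nesting, and the chain."""
    report = {}
    for group in tier0:
        direct = set(membership.get(group, []))
        for principal, path in effective_members(group, membership).items():
            if principal not in direct:
                report.setdefault(group, {})[principal] = " -> ".join(path)
    return report

if __name__ == "__main__":
    for group, hits in hidden_privilege_report(MEMBERSHIP, TIER0_GROUPS).items():
        for principal, path in hits.items():
            print(f"{group}\n  {principal}\n    via {path}")
```

Run against a real export, the same comparison of direct versus effective membership is what distinguishes a reviewed entitlement from one that merely copied across with the group.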
Common Variations and Edge Cases
Tighter privilege reduction during migration often increases project overhead, requiring organisations to balance cutover speed against operational disruption. That tradeoff is real, especially when legacy applications depend on broad directory access or undocumented service accounts.
There is no universal standard for this yet, but current guidance suggests treating certain cases as high risk:
- cross-forest trusts that preserve broad authentication reach
- applications that bind to static service account credentials
- nested group designs that conceal effective admin rights
- scripts and integrations that fail if permissions are narrowed too quickly
In these cases, a phased migration with time-bound exception handling is safer than a straight copy. Temporary rights should be explicitly approved, monitored, and removed after validation, not left behind as a convenience layer. The Cisco Active Directory credentials breach illustrates how directory-related credential exposure can turn identity sprawl into operational risk. The same lesson applies in forest migration: if the target environment inherits old privilege patterns, the organisation has changed directories but not reduced exposure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Migration often preserves stale NHI privilege and weak lifecycle control. |
| NIST CSF 2.0 | PR.AC-4 | Access permissions must be reviewed before inherited rights reach the target forest. |
| NIST AI RMF | | The migration risk is governance failure in identity decisions and accountability. |
Revoke and reissue service-account access before cutover, then verify least privilege post-migration.