The trust model breaks because machine creation becomes an escalation path, not a harmless provisioning action. A low-privilege user can create or influence a computer object, then use delegation settings to impersonate a privileged identity. In managed AD, that can lead to service-ticket abuse and administrative access on target machines.
Why This Matters for Security Teams
Allowing non-privileged users to create machine accounts changes active directory from a controlled identity plane into a privilege-escalation surface. The issue is not the computer object itself, but the trust that AD places in it: once an attacker can create or influence a machine account, they can often shape delegation paths, request service tickets, and pivot toward privileged access. This is a classic NHI failure mode, not a simple misconfiguration.
NHI Mgmt Group has documented how broad NHI exposure multiplies risk, including the fact that 97% of NHIs carry excessive privileges in modern enterprises in the Ultimate Guide to NHIs — Key Challenges and Risks. That aligns with the broader warning in the OWASP Non-Human Identity Top 10: identities that are easy to create but hard to govern become an attacker’s easiest foothold.
Security teams often underestimate this because machine creation looks like routine onboarding, yet in managed AD it can become a pathway to impersonation, lateral movement, and delegated access abuse. In practice, many security teams encounter the abuse only after a privileged service ticket has already been forged or a target host has already been taken over.
How It Works in Practice
The abuse chain usually starts with a user who has permission to create computer objects. In some AD configurations, that user can then set attributes or place the object into a state that makes it useful for delegation abuse. From there, the attacker may leverage resource-based constrained delegation, Kerberos service ticket flows, or other trust relationships to impersonate a higher-privilege context on a target system.
The operational problem is that AD treats the machine account as a legitimate workload identity once it exists. That means the question is not simply “who made it?” but “what can this identity now ask the domain to do?” Current guidance suggests treating machine account creation as a privileged security control, not a convenience feature. The Top 10 NHI Issues and the NHI Lifecycle Management Guide both reinforce the same operational principle: if an identity can be created without strong governance, it must be assumed exploitable.
- Restrict machine account creation to tightly scoped administrative groups.
- Review delegation settings on computer objects and target services.
- Monitor for abnormal computer object creation, rename, and attribute changes.
- Enforce least privilege on domain join and provisioning workflows.
- Correlate Kerberos ticket activity with endpoint and directory telemetry.
NIST’s NIST Cybersecurity Framework 2.0 supports this approach through identity governance, access control, and continuous monitoring. These controls tend to break down when machine creation is delegated broadly in large, flat AD environments because the resulting trust relationships are too numerous to inspect manually.
Common Variations and Edge Cases
Tighter control over machine account creation often increases operational overhead, requiring organisations to balance faster provisioning against reduced attack surface. That tradeoff is real in environments with frequent endpoint imaging, hybrid joins, or third-party integrations, where teams may be tempted to grant broad creation rights for convenience.
There is no universal standard for exactly how many machine accounts a user should be allowed to create, but current guidance suggests the answer should be “as few as possible, and only with compensating controls.” In practice, the safest model is to separate join permissions, delegation rights, and administrative approval so that no single low-privilege user can both create a machine and shape its trust posture.
This risk is especially sharp in legacy AD forests, merger environments, and managed service setups where delegation was designed years before modern threat modeling. The Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs and the Cisco Active Directory credentials breach are useful reminders that unmanaged identity lifecycle and exposed directory trust routinely turn into real compromise paths.
Where teams rely on self-service joins, ephemeral lab systems, or outsourced provisioning, the control should shift from broad user rights to approval-based automation with full logging, short-lived access, and rapid cleanup. Without that, machine creation stops being an administrative convenience and becomes an escalation primitive.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Machine accounts are NHIs that must be governed across creation, access, and lifecycle. |
| NIST CSF 2.0 | PR.AC-4 | The issue is improper access management and trust expansion through identity creation. |
| NIST CSF 2.0 | DE.CM-1 | Detection of abnormal computer account creation is essential to catch abuse early. |
Treat machine account creation as a governed NHI lifecycle event and restrict who can mint new identities.
Related resources from NHI Mgmt Group
- Why do non-human identities create more risk than many human accounts?
- Why do non-human identities create more remediation risk than many human accounts?
- Why do machine and service accounts create persistence risk in Active Directory?
- Why do Active Directory service accounts create more risk than their labels suggest?
