TL;DR: Active Directory migrations can preserve inherited admin rights, legacy attack paths, SID-History abuse, broken ACLs, and hidden service-account dependencies, creating a rebuilt forest that is operationally clean but security-dirty, according to Semperis. The decisive issue is not cutover success but whether migration removes old privilege relationships before they become a new breach path.
At a glance
What this is: This is an independent analysis of why AD migration and consolidation can reproduce legacy privilege, access, and forensic risks instead of eliminating them.
Why it matters: It matters because identity teams often treat migration as an infrastructure project, when it is actually a governance event that can expand risk across NHI, autonomous, and human identity dependencies.
By the numbers:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
👉 Read Semperis's analysis of the AD migration risks that preserve old attack paths
Context
Active Directory migration is not just directory re-platforming. It is a governance change that can either remove inherited privilege or preserve it under a newer name. The primary identity security risk is that delegation, group nesting, trust relationships, service accounts, and SID-History can survive the move and keep the same attack paths alive.
For IAM and NHI teams, the migration window is one of the easiest places for control drift to hide. Change volume, coexistence, and identity remapping can create blind spots that make old access relationships harder to see, harder to certify, and harder to prove closed after cutover.
Key questions
Q: What breaks when Active Directory migration carries old privilege into the target forest?
A: The migration stops being a security improvement and becomes a privilege-preservation exercise. If inherited admin rights, delegation paths, and nested groups move unchanged, the new forest can reproduce the same attack routes as the old one, only with different object names. The control failure is the absence of an effective access review before cutover.
Q: Why do AD migrations often increase identity risk instead of reducing it?
A: Because migration teams frequently optimise for continuity, not for privilege reduction. Coexistence, trust links, and bulk remapping can preserve access relationships that should have been retired, so attackers may inherit familiar paths into the target environment. The risk is highest when organisations assume a clean cutover equals a clean security posture.
Q: How do organisations know whether SID-History is still creating access risk?
A: They know it is still risky when legacy resources remain reachable through identities that no longer need that continuity. SID-History should be monitored as a temporary bridge, then removed once business need ends. If access cannot be explained in business terms after migration, SID-History is likely carrying unnecessary exposure.
Q: Who is accountable when migration logs are incomplete after cutover?
A: The identity, infrastructure, and security teams share accountability because incomplete logging removes the evidence needed to prove control over access changes. If an incident occurs later, missing logs prevent reconstruction of trust use, remapping decisions, and legacy access persistence. Auditable evidence should be treated as a migration deliverable, not optional documentation.
Technical breakdown
Inherited privilege and group nesting during AD migration
AD migration often copies privilege structures faster than it re-questions them. Domain Admin, Enterprise Admin, nested groups, and delegation shortcuts can transfer into the target forest if teams focus on object movement instead of effective access. The technical failure is not the move itself but the unvalidated inheritance chain, where rights remain functionally equivalent even after the directory structure changes. This is why migration tools can deliver a successful cutover while leaving the same administrative blast radius intact.
Practical implication: Validate effective privileges before cutover, not just object membership after the move.
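The pre-cutover review described above, as an added example that is not code from the Semperis article or from NHIMG: it walks the nested membership of the source domain's privileged groups and records, for every user, computer or foreign principal that ends up with the right, the chain of groups that grants it. Depth greater than 1 marks access that a migration tool copies silently. The ActiveDirectory RSAT module, read access to group membership, `$SourceDomain` and the group list are assumptions.

```powershell
# Added example (not from the Semperis article or NHIMG). Enumerates effective members
# of privileged groups in the source domain before cutover and records the nesting
# chain granting each right. $SourceDomain and the group list are placeholders.
Import-Module ActiveDirectory

$SourceDomain     = 'source.example.local'    # placeholder: the forest being migrated away from
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'DnsAdmins'
)

function Expand-GroupPath {
    # Walks nested membership depth-first and emits one row per non-group principal
    # together with the chain of groups that grants the right. The shared $Visited
    # table stops circular nesting from looping forever.
    param(
        [Parameter(Mandatory)] [string] $GroupDN,
        [string[]]  $Path    = @(),
        [hashtable] $Visited = @{}
    )
    if ($Visited.ContainsKey($GroupDN)) { return }
    $Visited[$GroupDN] = $true

    $group = Get-ADGroup -Identity $GroupDN -Server $SourceDomain -Properties member
    $chain = $Path + $group.Name

    foreach ($memberDN in $group.member) {
        try {
            $obj = Get-ADObject -Identity $memberDN -Server $SourceDomain `
                       -Properties objectClass, sAMAccountName, objectSid, sIDHistory
        } catch {
            # Members that do not resolve here (foreign security principals from another
            # domain, deleted objects) still hold effective access: report, do not skip.
            [pscustomobject]@{
                Principal     = $memberDN
                Class         = 'unresolved'
                Sid           = $null
                HasSidHistory = $false
                GrantedVia    = ($chain -join ' -> ')
                Depth         = $chain.Count
            }
            continue
        }
        if ($obj.objectClass -eq 'group') {
            Expand-GroupPath -GroupDN $memberDN -Path $chain -Visited $Visited
        } else {
            [pscustomobject]@{
                Principal     = if ($obj.sAMAccountName) { $obj.sAMAccountName } else { $obj.Name }
                Class         = $obj.objectClass
                Sid           = $obj.objectSid.Value
                HasSidHistory = ($null -ne $obj.sIDHistory -and $obj.sIDHistory.Count -gt 0)
                GrantedVia    = ($chain -join ' -> ')
                Depth         = $chain.Count
            }
        }
    }
}

$report = foreach ($g in $PrivilegedGroups) {
    try   { $dn = (Get-ADGroup -Identity $g -Server $SourceDomain).DistinguishedName }
    catch { Write-Warning "Group '$g' not found in $SourceDomain"; continue }
    Expand-GroupPath -GroupDN $dn
}

# Depth 1 is direct membership. Anything deeper is a right the migration tool will
# carry across unless the intermediate group itself is reviewed and retired.
$report | Sort-Object Depth -Descending |
    Export-Csv -Path .\effective-privilege-precutover.csv -NoTypeInformation
$report | Where-Object { $_.Depth -gt 1 -or $_.HasSidHistory } |
    Format-Table Principal, Class, HasSidHistory, GrantedVia -AutoSize
```

Run it against the source domain before any object is moved, then re-run the same script against the target domain after cutover: the two CSVs should differ by the chains you chose to break, and only by those.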
SID-History, ACL translation, and hidden access continuity
SID-History exists to preserve access continuity, but it also preserves old identity meaning. When it is left in place without governance, an identity can retain access to legacy resources long after the operational reason for that access has disappeared. ACL translation creates a similar risk when permissions are mapped mechanically rather than validated against business need. The result is permission drift that looks like compatibility during migration and like unauthorized access after the fact.
Practical implication: Remove or tightly govern SID-History and verify ACL mappings against actual resource ownership.
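The two checks recommended above, as an added example that is not code from the Semperis article or from NHIMG: it lists every target-forest principal still carrying sIDHistory, then reads one resource's ACL as raw SIDs and marks each entry that is honoured only because of a historical SID (it stops working the day the attribute is removed) or that no principal resolves any more. `$TargetDomain` and `$ResourcePath` are placeholders.

```powershell
# Added example (not from the Semperis article or NHIMG). Finds sIDHistory carriers
# in the target domain and audits a resource ACL for entries that depend on them.
# $TargetDomain and $ResourcePath are placeholders.
Import-Module ActiveDirectory

$TargetDomain = 'target.example.local'                       # placeholder
$ResourcePath = '\\files.target.example.local\LegacyShare'   # placeholder

# 1. Principals that still carry sIDHistory, and how long the object has sat unchanged.
$carriers = Get-ADObject -Server $TargetDomain -LDAPFilter '(sIDHistory=*)' `
                -Properties sAMAccountName, objectSid, sIDHistory, whenChanged

$historical = @{}   # historical SID -> the current account it now resolves to
foreach ($c in $carriers) {
    foreach ($old in $c.sIDHistory) { $historical[$old.Value] = $c.sAMAccountName }
}
$carriers | Select-Object sAMAccountName, objectClass, whenChanged,
    @{ n = 'HistoricalSids'; e = { $_.sIDHistory.Count } } |
    Sort-Object whenChanged | Format-Table -AutoSize

# 2. Read the ACL as raw SIDs. Once the source domain is gone, LSA resolves an old
#    SID to the new account through sIDHistory, so the translated name on a
#    permissions tab hides the dependency; the SID itself does not.
$acl   = Get-Acl -Path $ResourcePath
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($rule in $rules) {
    $sid   = $rule.IdentityReference.Value
    $state = if ($historical.ContainsKey($sid)) {
        "SIDHISTORY-DEPENDENT (now $($historical[$sid]))"   # re-ACL to the new SID or retire
    } else {
        try   { $null = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]); 'resolves' }
        catch { 'ORPHANED' }                                # no principal behind it: remove
    }
    [pscustomobject]@{
        Sid       = $sid
        Rights    = $rule.FileSystemRights
        Type      = $rule.AccessControlType
        Inherited = $rule.IsInherited
        State     = $state
    }
}
$findings | Where-Object State -ne 'resolves' | Format-Table -AutoSize
$findings | Export-Csv -Path .\legacy-acl-findings.csv -NoTypeInformation
```

Every SIDHISTORY-DEPENDENT row is an ACE that must be re-stamped with the new SID (or explicitly retired) before the attribute is cleared; an empty list for a resource is the evidence that its sIDHistory bridge is no longer load-bearing.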
Service accounts, coexistence, and forensic blind spots
Service accounts are often the least documented identities in a migration, which makes them the easiest place to lose control. Password dependencies, service ACLs, COM object permissions, and trust relationships can break services or keep them alive on stale rights. Coexistence makes this worse because source and target forests remain connected long enough for compromise to travel across the bridge. If logging and audit trails are incomplete, the organization may not be able to reconstruct what was accessed during the migration period.
Practical implication: Inventory service identities and preserve tamper-evident logs across the entire coexistence window.
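An added example of the inventory and audit-trail checks above, not code from the Semperis article or from NHIMG: it gathers service identities from three places (accounts carrying SPNs, group managed service accounts, and Windows services on listed hosts that run under domain accounts) and then confirms that a domain controller's advanced audit policy and Security log retention can actually reconstruct access changes across the coexistence window. `$Domain`, `$DC` and `$Hosts` are placeholders; COM/DCOM launch permissions are not covered here.

```powershell
# Added example (not from the Semperis article or NHIMG). Service identity inventory
# plus an audit-trail readiness check. $Domain, $DC and $Hosts are placeholders.
Import-Module ActiveDirectory

$Domain = 'source.example.local'       # placeholder
$DC     = 'dc01.source.example.local'  # placeholder domain controller
$Hosts  = @('app01', 'app02')          # placeholder member servers to inspect

# 1. Accounts that carry SPNs: Kerberos-facing service identities, with the password
#    age and delegation settings that usually go unreviewed during a migration.
$spnAccounts = Get-ADUser -Server $Domain -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires,
                TrustedForDelegation, 'msDS-AllowedToDelegateTo', MemberOf, Description |
  Select-Object SamAccountName, Description,
    @{ n = 'SPNs';          e = { $_.ServicePrincipalName -join ';' } },
    @{ n = 'PwdAgeDays';    e = { if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days } } },
    PasswordNeverExpires, TrustedForDelegation,
    @{ n = 'ConstrainedTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ';' } },
    @{ n = 'Groups';        e = { @($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } }

# 2. Group managed service accounts and which hosts may retrieve their passwords.
$gmsas = Get-ADServiceAccount -Server $Domain -Filter * `
    -Properties PrincipalsAllowedToRetrieveManagedPassword |
  Select-Object SamAccountName,
    @{ n = 'RetrievableBy'; e = { $_.PrincipalsAllowedToRetrieveManagedPassword -join ';' } }

# 3. Windows services on member servers running as domain accounts: the stored
#    passwords that break, or keep working on stale rights, after cutover.
$svc = foreach ($h in $Hosts) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $h -ErrorAction SilentlyContinue |
      Where-Object { $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\|\.\\)' } |
      Select-Object @{ n = 'Host'; e = { $h } }, Name, StartName, State, StartMode
}

$spnAccounts | Export-Csv -Path .\svc-spn-accounts.csv     -NoTypeInformation
$gmsas       | Export-Csv -Path .\svc-gmsa.csv             -NoTypeInformation
$svc         | Export-Csv -Path .\svc-windows-services.csv -NoTypeInformation

# 4. Can the DC's audit trail reconstruct the coexistence period? These subcategories
#    produce the logon (4624/4768/4769), group change (4728/4732/4756) and directory
#    change (5136) events needed later; the log must also be large enough not to roll over.
$RequiredSubcategories = @(
    'Logon', 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations',
    'Security Group Management', 'User Account Management', 'Directory Service Changes'
)
$auditPolicy = Invoke-Command -ComputerName $DC -ScriptBlock { auditpol /get /category:* /r | ConvertFrom-Csv }
$gaps = $auditPolicy | Where-Object {
    $_.Subcategory -in $RequiredSubcategories -and $_.'Inclusion Setting' -notmatch 'Success'
}
if ($gaps) {
    Write-Warning "Audit subcategories not recording success events on ${DC}:"
    $gaps | Format-Table Subcategory, 'Inclusion Setting' -AutoSize
}

$secLog = Get-WinEvent -ListLog Security -ComputerName $DC
'{0}: Security log {1} MB max, {2} records, oldest retained {3}' -f $DC,
    [math]::Round($secLog.MaximumSizeInBytes / 1MB), $secLog.RecordCount,
    (Get-WinEvent -ComputerName $DC -LogName Security -MaxEvents 1 -Oldest).TimeCreated
```

The "oldest retained" timestamp is the practical test: if it is later than the start of coexistence, the DC alone can no longer reconstruct the migration period and the logs must already be forwarded to a collector with longer retention.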
Threat narrative
Attacker objective: The attacker wants to preserve or extend access across the migration boundary so the rebuilt forest remains exploitable.
- Entry occurs through inherited administrative privilege, trust relationships, or preserved SID-History that still grants effective access in the target environment.
- Escalation follows when nested groups, over-permissive ACLs, or service-account dependencies allow the attacker to move laterally or regain elevated rights.
- Impact appears as broader breach reach, hidden access continuity, and weak forensic reconstruction after cutover.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
AD migration creates a privilege continuity problem, not just a directory conversion problem. The core failure is that organisations treat object movement as security work when the real issue is whether effective privilege changes at all. If inherited administrative access survives the move, the new forest inherits the old breach surface as well. Practitioners should judge migration success by access reduction, not by cutover completeness.
SID-History is a continuity mechanism that becomes a governance debt when it outlives its purpose. It was designed for transition, not permanence. When the attribute persists after migration, old identity meaning remains attached to new accounts and legacy resources stay reachable through routes the business no longer remembers. The practitioner takeaway is that old access paths do not disappear just because the source domain does.
Service account failure is an identity governance issue, not merely an application outage risk. The article is describing a familiar control gap: undocumented service identities, stale passwords, and hidden rights that can survive because no one owns them end to end. That gap matters because the migration can complete while privilege remains embedded in the service tier. The right interpretation is that application continuity often masks unresolved identity exposure.
Forensic blind spots are one of the most dangerous migration outcomes because they erase accountability after the fact. A rebuilt forest with incomplete logs cannot prove which identities had access, when SID-History was added, or how an attacker moved during coexistence. That means migration is also a test of evidence quality, not just control design. Practitioners should treat auditability as part of the security outcome, not a reporting afterthought.
Identity collision and mis-mapping can turn modernization into accidental overreach. Weak matching logic does not just create cleanliness issues. It can assign the wrong alias, group, or access context to the wrong person, which is a direct governance failure. The implication is that migration tooling needs human verification for identity equivalence, especially where mergers and overlapping directories are involved.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, a pattern that shows identity weaknesses tend to recur rather than disappear.
- For migration programmes, the right next step is to compare those identity exposure patterns with the 52 NHI Breaches Analysis and use the failure modes there to harden coexistence and cutover controls.
What this signals
Legacy access is becoming a migration-specific form of identity debt. When organisations modernise directories without fully revalidating privilege, they create a hidden carry-forward risk that can outlive the project itself. Teams should expect migration to expose gaps in entitlement ownership, especially where service identities and delegated rights were never formally documented.
The migration window should now be treated as a high-value control checkpoint for identity lifecycle governance, not a technical handoff. That means access review, offboarding, and evidence retention must be designed around coexistence, because identity sprawl and audit ambiguity often peak before the cutover is over.
If your programme already struggles with machine identity visibility, use the Ultimate Guide to NHIs, Key Challenges and Risks to frame migration as part of the broader privilege and secrets problem, not a standalone directory project.
For practitioners
- Recalculate effective privilege before cutover: Build a pre-migration review of effective access, nested group paths, and delegated admin rights so the target forest does not inherit the source forest's privilege structure.
- Treat SID-History as a temporary transition control: Track every SID-History assignment, define removal criteria, and verify that legacy access is no longer required before the migration is declared complete.
- Inventory service identities and their hidden dependencies: Document service accounts, passwords, service ACLs, COM object permissions, and trust relationships so application continuity does not depend on undocumented access.
- Preserve audit trails across coexistence and cutover: Retain tamper-evident logs for both forests long enough to reconstruct access changes, trust use, and identity remapping decisions after the move.
- Validate identity mapping for mergers and overlaps: Require human review for identities with similar names, aliases, or business roles so the wrong person does not inherit the wrong access context.
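The identity-mapping review in the last item above, and the identity collision failure discussed in the analysis section, as an added example that is not code from the Semperis article or from NHIMG: it matches a source-directory export against a target export on one strong attribute (EmployeeID) and two weak ones (sAMAccountName, DisplayName), and flags every case where the weak attributes point at a different person than the strong one, or where only weak attributes agree. The two CSV exports, the column names and the choice of EmployeeID as the strong key are constructed assumptions; the script runs offline on that sample data.

```powershell
# Added example (not from the Semperis article or NHIMG). Flags identity collisions
# between a source and a target directory export. Both exports below are constructed
# sample data; in practice they come from Get-ADUser on each forest.
$source = @'
SamAccountName,UserPrincipalName,DisplayName,EmployeeID
jsmith,jsmith@acme.example,John Smith,10021
jsmith2,jsmith2@acme.example,Jane Smith,10077
svc_backup,svc_backup@acme.example,Backup Service,
mlee,mlee@acme.example,Mary Lee,10100
'@ | ConvertFrom-Csv

$target = @'
SamAccountName,UserPrincipalName,DisplayName,EmployeeID
jsmith,jsmith@corp.example,Jane Smith,10077
john.smith,john.smith@corp.example,John Smith,10021
svc_backup,svc_backup@corp.example,Backup Service,
mlee,mlee@corp.example,Marcus Lee,10205
'@ | ConvertFrom-Csv

function Resolve-IdentityMapping {
    param([object[]] $Source, [object[]] $Target)

    # Index the target by the attributes we match on. EmployeeID is the only attribute
    # that identifies a person; the other two identify a string and are reused freely.
    $byEmp = @{}; $bySam = @{}; $byName = @{}
    foreach ($t in $Target) {
        if ($t.EmployeeID) { $byEmp[$t.EmployeeID] = $t }
        $bySam[$t.SamAccountName.ToLower()] = $t
        $byName[$t.DisplayName.ToLower()]   = $t
    }

    foreach ($s in $Source) {
        $strong = if ($s.EmployeeID) { $byEmp[$s.EmployeeID] } else { $null }
        $weak   = @(@($bySam[$s.SamAccountName.ToLower()], $byName[$s.DisplayName.ToLower()]) |
                    Where-Object { $_ } | Sort-Object SamAccountName -Unique)

        $mapped = $null; $note = ''
        if ($strong) {
            $mapped   = $strong.SamAccountName
            $conflict = @($weak | Where-Object { $_.SamAccountName -ne $strong.SamAccountName })
            if ($conflict.Count -gt 0) {
                # Same login name or display name now belongs to a different person.
                $status = 'COLLISION'
                $note   = "EmployeeID maps to $mapped but name attributes also match $(($conflict | ForEach-Object SamAccountName) -join ',')"
            } else {
                $status = 'MATCHED'
                if ($mapped -ne $s.SamAccountName) { $note = 'account renamed in target' }
            }
        } elseif ($weak.Count -eq 0) {
            $status = 'UNMATCHED'
        } elseif ($weak.Count -eq 1 -and -not ($s.EmployeeID -and $weak[0].EmployeeID)) {
            # Weak attributes agree and no EmployeeID contradicts them: typical for
            # service accounts, still an owner decision rather than a tool decision.
            $status = 'REVIEW'; $mapped = $weak[0].SamAccountName
            $note   = 'weak-attribute match only; owner must confirm'
        } else {
            # Weak attributes point at someone with a different EmployeeID, or at
            # several people: exactly the mis-mapping that hands over the wrong access.
            $status = 'COLLISION'
            $note   = "candidates: $(($weak | ForEach-Object SamAccountName) -join ',')"
        }

        [pscustomobject]@{
            Source = $s.SamAccountName
            Target = $mapped
            Status = $status
            Note   = $note
        }
    }
}

$result = Resolve-IdentityMapping -Source $source -Target $target
$result | Format-Table -AutoSize
$needsHuman = @($result | Where-Object Status -ne 'MATCHED')
"{0} of {1} identities need human review before any access is mapped" -f $needsHuman.Count, $result.Count
```

On the sample data the script marks `jsmith` as a collision (the login name now belongs to Jane Smith), `jsmith2` as matched with a rename, `svc_backup` as review-only, and `mlee` as a collision with Marcus Lee; only the matched rows should ever be mapped automatically.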
Key takeaways
- AD migration can preserve the same privilege graph that existed in the source forest, which means a successful cutover may still leave the organisation with the same breach paths.
- SID-History, ACL translation, and undocumented service dependencies are the most common ways old access survives the move, and they often remain invisible until after an incident or audit.
- The control that changes the outcome is not the migration tool itself but validated effective access, temporary transition controls, and auditability across coexistence.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Migration can carry forward long-lived credentials and hidden identity dependencies. |
| NIST CSF 2.0 | PR.AC-4 | Effective privilege and access relationships must be revalidated during migration. |
| NIST Zero Trust (SP 800-207) | AC-4 | Coexistence and trust bridges can extend access across environments if not constrained. |
Inventory and retire legacy NHI credentials before cutover, then verify removal in the target forest.
Key terms
- SID-History: A directory attribute that preserves previous security identifiers so users can keep access during migrations. It is useful for continuity, but it also extends the life of old identity permissions, which is why it must be treated as a temporary transition mechanism with explicit removal criteria.
- Privilege continuity: The persistence of effective access across a migration, even when accounts, groups, or forests change. In practice, it means the organisation has moved identities but not reduced the authority they carry, so the new environment may inherit the old one’s attack surface.
- Coexistence window: The period when source and target identity environments are connected during migration. It is often operationally necessary, but it creates a bridge for access, trust, and attack paths unless tightly segmented, logged, and reviewed throughout the cutover.
- Identity collision: A migration failure in which two people, objects, or accounts are mapped together incorrectly because matching logic is too weak. The result can be wrong access, wrong aliases, or wrong group membership, all of which undermine trust in the migration outcome.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Semperis: Active Directory migration risks and why a new forest can still carry old backdoors. Read the original.
Published by the NHIMG editorial team on 2026-06-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org