TL;DR: Active Directory remains a prime attack vector because attackers often rely on misconfigurations, over-privileged accounts, stale identities, weak service account hygiene, and legacy protocols rather than novel exploits, according to One Identity’s analysis. The governance lesson is clear: identity attack paths persist when lifecycle controls and least privilege are treated as optional.
At a glance
What this is: This analysis argues that Active Directory attack paths are usually created by misconfiguration, not advanced exploitation.
Why it matters: It matters because AD still anchors enterprise identity, so mismanaged privileges, accounts, and legacy settings can turn a single foothold into broad access.
Context
Active Directory misconfiguration is an IAM governance problem first and a threat problem second. When privileges accumulate, stale accounts remain active, and legacy authentication is left in place, attackers can move through identity paths that defenders already own but do not consistently control. For practitioners, the issue is not whether AD is central. It is whether the control model around it is still fit for a modern NHI and human identity mix.
That governance gap is well understood across broader NHI practice. The same lifecycle failures that weaken service accounts also weaken AD: access granted too broadly, credentials left in place too long, and ownership left ambiguous after role changes. The underlying pattern is familiar enough that the NHI Lifecycle Management Guide should be treated as a baseline reference for any team trying to reduce identity drift.
Key questions
Q: How should teams reduce the attack surface of Active Directory identities?
A: Start by removing standing privilege, then shorten the lifetime of every elevated grant. Pair privileged access reviews with automation for deprovisioning, service account ownership, and legacy protocol removal. The goal is to reduce identity blast radius before an attacker can turn one valid login into broad domain access.
Q: When does just-in-time access make more sense than permanent admin rights?
A: JIT access makes the most sense when elevated rights are needed for specific tasks rather than continuous operation. It reduces standing exposure, limits the value of stolen credentials, and makes reviews easier. If your teams cannot justify persistent admin access, it is usually a sign the role is too broad.
Q: What is the difference between service account risk and user account risk in AD?
A: User accounts usually represent direct human access, while service accounts often support applications, scripts, and infrastructure with broader or longer-lived permissions. That makes service accounts harder to notice and more dangerous when poorly managed. They need tighter lifecycle control, stronger rotation, and explicit ownership.
Q: Why do legacy authentication settings create ongoing identity risk?
A: Legacy settings preserve compatibility but also preserve weak assurance. Older protocols, broad password acceptance, and exception-heavy configurations give attackers more ways to capture, replay, or crack credentials. The longer those settings stay in place, the more likely they are to become the easiest path into the environment.
Technical breakdown
Why Active Directory misconfigurations become attack paths
AD is attractive to attackers because it concentrates trust. Once they obtain any valid foothold, they can enumerate groups, trusts, delegated permissions, and authentication paths without needing an exploit that breaks the platform itself. Misconfigurations create the path by making ordinary identity operations more permissive than the business intended. Over time, those gaps compound through administration, mergers, legacy integrations, and exceptions that were never removed. The result is not a single broken control but a network of small policy failures that collectively enable recon, privilege escalation, and lateral movement.
Practical implication: Treat AD review as continuous control validation, not a periodic hygiene task.
Excessive privileges, stale accounts, and service account risk
The article highlights three recurring failure modes. Excessive privileges widen blast radius, stale accounts create unnoticed entry points, and poorly managed service accounts become durable targets because their credentials rarely change. Service accounts are especially dangerous because they often carry higher permissions than human users and are used by applications that security teams hesitate to disturb. In practice, these identities behave like non-human identities with human-grade reach but weaker oversight. That combination makes them ideal for stealthy abuse after initial compromise.
Practical implication: Map every privileged and service identity to an owner, purpose, and expiry rule.
Legacy authentication and weak credential policy in AD
Legacy protocols remain dangerous because they preserve backward compatibility at the cost of stronger assurance. If NTLM variants, weak password rules, or broad password reuse persist, attackers can use credential capture, spraying, or offline cracking to turn weak authentication into durable access. The key issue is not only technical weakness but policy inertia. Teams often keep old settings because they support old systems, even when those systems no longer justify the trust model they inherit.
Practical implication: Disable legacy authentication paths where possible and tie exceptions to explicit business risk acceptance.
Threat narrative
Attacker objective: The attacker seeks durable insider access that lets them control identity, move laterally, and exfiltrate data or deploy ransomware.
- Entry occurs when an attacker gains a low-privilege foothold through phishing, credential theft, or another routine compromise and then begins mapping AD.
- Escalation follows when the attacker targets over-privileged accounts, weak service accounts, or stale identities to obtain higher rights without triggering obvious alarms.
- Impact comes when the attacker uses legitimate AD credentials to move laterally, access sensitive data, or deploy ransomware while blending into normal administrative activity.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Azure Key Vault privilege escalation exposure — Azure Key Vault Contributor role misconfiguration enabled privilege escalation.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Misconfiguration is the real AD attack surface. The article is right to center everyday drift rather than rare exploit chains. In enterprise identity, attackers usually win by finding the gap between intended control and actual control. That means the security problem is governance quality, not just technical hardening, and practitioners should measure AD by exception volume, privilege sprawl, and identity ownership discipline.
Active Directory behaves like a high-risk NHI ecosystem. Service accounts, automated jobs, and delegated admin rights are non-human identities in practice, even when teams do not label them that way. They need lifecycle rules, scoped permissions, and rotation controls because persistence, not novelty, is what creates risk. Teams that separate human IAM from machine identity governance will keep missing the same failure modes.
Least privilege only works when it is operationalised. The article correctly points to JIT, tiered administration, and removal of dormant access, but those controls fail if reviews are manual and exceptions are unmanaged. The field should treat privileged access as temporary by default and verify that account ownership, purpose, and expiry are enforced. Practitioners should assume every standing admin grant becomes future attack surface.
Identity blast radius: the practical measure of how far one compromised identity can move inside AD. The larger the blast radius, the more quickly a small mistake becomes a domain-wide incident. That concept should guide architecture reviews, because reducing blast radius is usually more effective than adding another detection layer after the fact.
Modern AD defense is really lifecycle defense. The controls in the article, from MFA to service account management to automated deprovisioning, all reduce one thing: the number of identities an attacker can turn into durable access. That aligns with where NHI governance is heading. Practitioners should build controls that make identity exposure shorter, narrower, and easier to audit.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- 67% of organisations still rely heavily on static credentials despite the risks they pose to agentic AI deployments.
- The governance response is captured in the NHI Lifecycle Management Guide, which is the right next read when access scope and identity duration are the real problem.
What this signals
With 70% of organisations already granting AI systems more access than they would give a human employee performing the exact same job, the governance lesson extends beyond AI into the wider identity stack. AD teams that still tolerate standing privilege and broad inheritance are normalising the same access pattern in a more familiar environment. The practical signal is that blast-radius reduction now matters across both human and non-human identities.
Standing privilege debt: the cumulative risk created when temporary administrative needs become permanent access. That debt shows up in AD as dormant group memberships, stale service accounts, and exceptions that never expire. Teams should treat every unreviewed grant as future remediation work and move toward shorter-lived access by default.
The next programme-level shift is integration, not more point controls. Identity governance, PAM, lifecycle automation, and legacy protocol removal need to operate as one control plane for access risk. Practitioners who connect those controls to Top 10 NHI Issues and NIST Cybersecurity Framework 2.0 will have a clearer path from findings to remediation.
For practitioners
- Inventory privileged AD groups and custom admin roles: Review Domain Admins, Enterprise Admins, and custom elevated groups for users who no longer need standing access. Require a named owner, business justification, and review date for every membership change.
- Move high-risk administration to JIT access: Grant elevated rights only for a defined task window, then revoke them automatically. Pair JIT with tiered admin workstations so privileged credentials are never exposed on standard endpoints.
- Replace weak service accounts with managed identities: Where possible, transition legacy service accounts to gMSAs and enforce long passwords for exceptions that cannot yet change. Track each service account's purpose, application dependency, and rotation owner.
- Automate account disablement on role change or exit: Link HR events to AD lifecycle actions so departed users and role-changed accounts are disabled quickly. Add a secondary sweep for accounts inactive for 30 to 60 days to catch orphaned access.
- Eliminate legacy authentication paths: Audit for NTLM and other backward-compatibility settings that weaken assurance, then remove them wherever application dependencies allow. Use exception handling only when the business owner accepts the residual risk.
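The steps above translate into a read-only audit that can be run before each review cycle. The script below is an added example, not code from One Identity or NHIMG; it assumes the RSAT ActiveDirectory module in a domain-joined session, and the group names and the 60-day and 90-day thresholds are assumptions to tune per environment.

```powershell
# Added read-only audit that covers steps 1, 3, 4 and 5 above (JIT in step 2 is a
# PAM workflow change, not a query). Assumes the RSAT ActiveDirectory module in a
# domain-joined session; group names and day thresholds are assumptions to tune.
Import-Module ActiveDirectory

# Step 1: standing membership of privileged groups, expanded recursively so a
# nested group cannot hide a member from the review.
function Get-StandingPrivilegedMembers {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'))
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties LastLogonDate, PasswordLastSet |
            Select-Object @{n='Group';e={$g}}, SamAccountName, Enabled, LastLogonDate, PasswordLastSet
    }
}

# Step 3: user objects with a registered SPN are the legacy service accounts
# (gMSAs are a separate object class that Get-ADUser does not return). Flag any
# whose credential has not rotated inside the threshold or is set to never expire.
function Get-UnrotatedServiceAccounts {
    param([int]$MaxPasswordAgeDays = 90)
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    Get-ADUser -Filter 'ServicePrincipalName -like "*" -and Enabled -eq $true' `
               -Properties PasswordLastSet, PasswordNeverExpires, ServicePrincipalName |
        Where-Object { $_.PasswordNeverExpires -or $_.PasswordLastSet -lt $cutoff } |
        Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
                      @{n='SPNs';e={$_.ServicePrincipalName -join ';'}}
}

# Step 4: the secondary sweep for orphaned access. Search-ADAccount reads
# lastLogonTimestamp, which replicates with up to 14 days of slack, so a 60-day
# window is conservative enough for a disablement candidate list.
function Get-StaleEnabledUsers {
    param([int]$InactiveDays = 60)
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate, DistinguishedName
}

# Step 5: NTLM posture of the host this runs on (run it on each DC).
# LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM and NTLM; anything
# lower, including the unset default of 3, still accepts a legacy path.
function Test-LegacyNtlmPolicy {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $level = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { 3 }
    [pscustomobject]@{ LmCompatibilityLevel = $level; LegacyNtlmAllowed = ($level -lt 5) }
}
```

Run each function and pipe to Format-Table or Export-Csv to produce the review bundle for the owners named in step 1; nothing in the script modifies AD.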
Key takeaways
- Active Directory is most often breached through misconfiguration, privilege sprawl, and weak lifecycle controls rather than novel exploits.
- Service accounts, stale identities, and legacy authentication settings create durable attack paths that defenders often overlook.
- The most effective response is operational discipline: least privilege, JIT administration, automated offboarding, and continuous review of inherited trust.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | The post focuses on credential hygiene and account lifecycle failure. |
| NIST CSF 2.0 | PR.AC-4 | Least privilege and access governance are central to the article's mitigation advice. |
| NIST Zero Trust (SP 800-207) | | The article's tiered admin and verification model aligns with zero trust principles. |
Map AD privileges to PR.AC-4 and remove unnecessary standing access in the next review cycle.
Key terms
- Active Directory Privilege Sprawl: Active Directory privilege sprawl is the gradual accumulation of unnecessary administrative rights across users, groups, and delegated roles. It usually happens through operational exceptions that never get removed. Over time, it increases blast radius and makes compromise of a single account far more consequential.
- Group Managed Service Account: A Group Managed Service Account is a Windows-managed service identity designed to reduce manual password handling. It automatically rotates complex credentials and is intended for applications and services that need non-human access with less exposure than a traditional service account.
- Just-in-Time Administration: Just-in-Time administration grants elevated access only for a limited task window and then removes it automatically. It reduces standing privilege, narrows the usefulness of stolen credentials, and makes privileged access easier to audit than always-on admin rights.
- Identity Blast Radius: Identity blast radius is the amount of damage a compromised identity can cause before access is contained. In AD, it depends on privilege level, delegation, inherited group membership, and how broadly the identity can move across systems once authenticated.
Deepen your knowledge
Active Directory misconfiguration defense and least-privilege administration are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your team is tightening identity governance across human and non-human access, it is worth exploring.
This post draws on content published by One Identity: Active Directory under attack: Best practices to defend and protect your organization. Read the original.
Published by the NHIMG editorial team on 2026-04-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org