
Active Directory migration and privilege drift: what teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6131
Topic starter  

TL;DR: Active Directory migrations can preserve inherited admin rights, legacy attack paths, SID-History abuse, broken ACLs, and hidden service-account dependencies, creating a rebuilt forest that is operationally clean but security-dirty, according to Semperis. The decisive issue is not cutover success but whether migration removes old privilege relationships before they become a new breach path.

NHIMG editorial — based on content published by Semperis: Active Directory migration risks and why a new forest can still carry old backdoors

By the numbers:

Questions worth separating out

Q: What breaks when Active Directory migration carries old privilege into the target forest?

A: The migration stops being a security improvement and becomes a privilege-preservation exercise.

Q: Why do AD migrations often increase identity risk instead of reducing it?

A: Because migration teams frequently optimise for continuity, not for privilege reduction.

Q: How do organisations know whether SID-History is still creating access risk?

A: They know it is still risky when legacy resources remain reachable through identities that no longer need that continuity.

Practitioner guidance

  • Recalculate effective privilege before cutover: build a pre-migration review of effective access, nested group paths, and delegated admin rights so the target forest does not inherit the source forest's privilege structure.
  • Treat SID-History as a temporary transition control: track every SID-History assignment, define removal criteria, and verify that legacy access is no longer required before the migration is declared complete.
  • Inventory service identities and their hidden dependencies: document service accounts, passwords, service ACLs, COM object permissions, and trust relationships so application continuity does not depend on undocumented access.
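One way to carry out the SID-History tracking step above, as an added example that is not the post's or Semperis's own code: it lists every object in the target domain that still carries sIDHistory and flags entries that point at the source forest, sit on privileged accounts, or are past the agreed coexistence window. It assumes the RSAT ActiveDirectory module and read access to the target domain; the source-domain SID is a placeholder and the 90-day window is an assumed removal criterion.

```powershell
# Added example (not from the NHIMG post or the Semperis article): audit
# sIDHistory leftovers in the target domain after an AD migration.
# Assumptions: RSAT ActiveDirectory module, read access to the target domain,
# and the two placeholder values below set for the real environment.
Import-Module ActiveDirectory

$SourceDomainSid = 'S-1-5-21-1111111111-2222222222-3333333333'  # placeholder: source domain SID
$CoexistenceDays = 90                                            # assumed removal criterion
$Cutoff          = (Get-Date).AddDays(-$CoexistenceDays)

# Nested members of built-in privileged groups: sIDHistory here is the worst case
$PrivilegedGroups  = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
$PrivilegedMembers = foreach ($g in $PrivilegedGroups) {
    try { (Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop).DistinguishedName } catch { }
}

function ConvertTo-SidString($value) {
    # sIDHistory may surface as a SecurityIdentifier or as raw SID bytes
    if ($value -is [byte[]]) { return (New-Object System.Security.Principal.SecurityIdentifier($value, 0)).Value }
    return [string]$value
}

$Findings = Get-ADObject -LDAPFilter '(sIDHistory=*)' `
        -Properties sIDHistory, objectClass, whenChanged, lastLogonTimestamp |
    ForEach-Object {
        $obj = $_
        # whenChanged is only a proxy for when the mapping was last touched
        $lastLogon = if ($obj.lastLogonTimestamp) { [DateTime]::FromFileTime($obj.lastLogonTimestamp) } else { $null }
        foreach ($entry in $obj.sIDHistory) {
            $sid = ConvertTo-SidString $entry
            [pscustomobject]@{
                Name       = $obj.Name
                Class      = $obj.objectClass
                HistorySid = $sid
                FromSource = $sid.StartsWith("$SourceDomainSid-")
                Privileged = $PrivilegedMembers -contains $obj.DistinguishedName
                PastWindow = $obj.whenChanged -lt $Cutoff
                LastLogon  = $lastLogon
            }
        }
    }

# Removal candidates first: privileged objects, then mappings past the window
$Findings | Sort-Object Privileged, PastWindow -Descending |
    Format-Table Name, Class, HistorySid, FromSource, Privileged, PastWindow, LastLogon -AutoSize

"$(@($Findings).Count) sIDHistory entries; $(@($Findings | Where-Object Privileged).Count) on privileged objects; " +
"$(@($Findings | Where-Object PastWindow).Count) past the $CoexistenceDays-day window"
```

Any row with Privileged set, or with FromSource set once the legacy resource has been cut over, is a mapping the migration cannot be declared complete with until it is removed and the access is re-verified.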

What's in the full article

Semperis's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step migration risk patterns for inherited admin privilege, SID-History, and ACL drift.
  • Operational guidance on service-account discovery, dependency mapping, and coexistence controls.
  • Additional examples of forensic and audit gaps that can appear after cutover.
  • The article's full list of eleven migration risks and how they interact in real projects.

👉 Read Semperis's analysis of the AD migration risks that preserve old attack paths →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5624

AD migration creates a privilege continuity problem, not just a directory conversion problem. The core failure is that organisations treat object movement as security work when the real issue is whether effective privilege changes at all. If inherited administrative access survives the move, the new forest inherits the old breach surface as well. Practitioners should judge migration success by access reduction, not by cutover completeness.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, a pattern that shows identity weaknesses tend to recur rather than disappear.

A question worth separating out:

Q: Who is accountable when migration logs are incomplete after cutover?

A: The identity, infrastructure, and security teams share accountability because incomplete logging removes the evidence needed to prove control over access changes. If an incident occurs later, missing logs prevent reconstruction of trust use, remapping decisions, and legacy access persistence. Auditable evidence should be treated as a migration deliverable, not optional documentation.

👉 Read our full editorial: Active Directory migration can recreate old attack paths
