TL;DR: Active Directory still concentrates the most powerful privileged access in many organisations, and delegated or custom permissions can be as impactful as Domain Admin membership, according to Paramount Defenses. The real governance problem is effective permissions, not just group membership, because one unidentified account can expose the domain.
NHIMG editorial — based on content published by Paramount Defenses: Privileged access and the keys to the kingdom in Active Directory
By the numbers:
- At 85% of all organizations worldwide, the vast majority of all powerful privileged access resides in Active Directory.
Questions worth separating out
Q: How should teams identify privileged access in Active Directory beyond Domain Admins?
A: Teams should assess effective permissions on high-value directory objects, not just membership in default admin groups.
Q: Why do delegated administrators create hidden privilege risk in Active Directory?
A: Delegated administrators can control users, groups, computers, or OUs without appearing in obvious admin groups.
Q: What do security teams get wrong about privileged access reviews in Active Directory?
A: They often mistake visible group membership for complete privilege visibility.
Practitioner guidance
- Inventory effective permissions on high-value AD objects Assess who can modify the domain root, Domain Admin membership, GPO links, trust relationships, and privileged OU ownership.
- Map Domain Admin equivalent tasks to real identities Create a control matrix that ties each high-impact task to the users, delegated admins, and service accounts that can perform it.
- Review delegated administration as privileged access Treat delegated rights over users, groups, computers, and OUs as privileged access during PAM and IGA review cycles.
What's in the full article
Paramount Defenses' full article covers the operational detail this post intentionally leaves for the source:
- The full breakdown of Domain Admin equivalent tasks and how they map to real access paths in Active Directory
- Examples of delegated permissions that can effectively control users, groups, computers, and OUs
- The article's step-by-step logic for assessing effective permissions across privileged objects
- Additional examples of default privileged groups and administrative delegation scenarios
👉 Read Paramount Defenses' analysis of privileged access in Active Directory →
Active Directory privileged access: are your controls missing delegated admins?
Explore further
Effective permissions are the real privilege boundary in Active Directory. Group membership alone does not describe what an identity can actually do when ACLs, delegated rights, and ownership changes are in play. Organisations that continue to review only named admin groups are measuring the wrong layer of authority. Practitioners should treat permission analysis as the control surface, not the inventory output.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who should be included when reviewing Domain Admin equivalent access?
A: The review should include human admins, delegated administrators, and service accounts that can change privileged objects or policies. If an identity can modify users, groups, OUs, trusts, or replication-related settings, it belongs in the privileged access population even if it is not in a default admin group.
👉 Read our full editorial: Active Directory privileged access is still the keys to the kingdom