TL;DR: A design flaw in Windows Server 2025 delegated Managed Service Accounts, called Golden dMSA, can enable password generation, cross-domain lateral movement, and indefinite persistence across Active Directory resources, according to Semperis research. The issue shows how identity controls for machine accounts can fail when the underlying password structure is predictable, not just poorly managed.
NHIMG editorial — based on content published by Semperis: Golden dMSA research on delegated Managed Service Accounts in Windows Server 2025
By the numbers:
- Semperis says over 100 million identities are protected by its technology across hybrid and multi-cloud environments.
- Only 5.7% of organisations have full visibility into their service accounts.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: What breaks when delegated Managed Service Accounts can be derived offline?
A: The trust model breaks first.
Q: Why do machine identities create larger lateral movement risk than teams expect?
A: Machine identities often have wider, longer-lived access than human users and are embedded in application dependencies.
Q: How do security teams know when service account governance is failing?
A: A warning sign is any account with broad reach, unclear ownership, or access that outlives the application or team that created it.
Practitioner guidance
- Review delegated Managed Service Accounts for derivation risk. Identify whether any dMSA implementations rely on predictable password material or weak entropy assumptions.
- Map cross-domain trust paths for every managed service account. Build a directory-level inventory of where each managed service account can authenticate, what resources it can reach, and which trust relationships extend that access.
- Tie machine-account revocation to ownership changes. Offboarding and reassignment should revoke or reissue managed service account access when the system owner, vendor relationship, or application dependency changes.
What's in the full report
Semperis' full research covers the operational detail this post intentionally leaves for the source:
- A step-by-step explanation of how GoldenDMSA models the attack logic for simulation and study.
- Technical discussion of the ManagedPasswordId structure and why 1,024 combinations make brute force practical.
- Semperis' own detection and response context for Windows Server 2025 delegated Managed Service Accounts.
- Related research threads on nOauth, BadSuccessor, and Silver SAML for practitioners tracking adjacent identity attack paths.
Read Semperis' research on Golden dMSA and delegated Managed Service Accounts.
Golden dMSA and managed service accounts: what identity teams need?
Golden dMSA is an identity design flaw, not a routine misconfiguration. The problem is that delegated Managed Service Accounts were built on assumptions about password structure and trust containment that do not hold once the identity primitive is enumerable. When the password basis can be derived from a small search space, the account ceases to be a protected secret and becomes a recoverable access object. For practitioners, the implication is that dMSA risk has to be assessed at the identity-design layer, not only at the server-hardening layer.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: What should teams do first after discovering a privileged machine identity flaw?
A: Contain the trust boundary before you try to clean up the account state. That means isolating affected domains, revoking unnecessary delegation, and validating which dependent systems still require the identity. If persistence is possible, response has to assume the attacker may still hold access after the initial fix.
Read our full editorial: Golden dMSA exposes a new Active Directory persistence flaw.