73%
Of ransomware incidents in 2025 involved Domain Admin credential abuse (Mandiant M-Trends)
5
Commands required to surface complete Domain Admin exposure including nested groups and equivalent privileges
10 min
Time to complete a full Domain Admin audit using built-in PowerShell Active Directory module
4
Privileged group categories beyond Domain Admins that grant equivalent domain-wide control

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The most common answer to 'how do I find all my Domain Admins' is 'check the Domain Admins group.' That answer misses three of the four ways an account can have Domain Admin equivalent access.

The complete audit requires five commands and checks five distinct privilege vectors. This guide provides all five, explains why each matters, and identifies the ones most commonly overlooked in post-incident reviews.

Why Domain Admins Group Membership Alone Is Not Enough

An account achieves Domain Admin equivalent access through four paths:

  1. Direct membership in the Domain Admins group: the obvious one
  2. Membership in a group nested inside Domain Admins: a group called 'IT-Leads' added to Domain Admins gives every member of 'IT-Leads' full DA rights, but they do not appear in the Domain Admins group directly
  3. Membership in equivalent privileged groups: Administrators, Schema Admins, Enterprise Admins, Group Policy Creator Owners, and Account Operators all grant domain-wide privileges equivalent to or exceeding Domain Admin for specific attack paths
  4. Unconstrained Kerberos delegation: accounts or computers configured for unconstrained Kerberos delegation can be used to obtain Domain Admin TGT tickets when any privileged user authenticates to them

Post-incident investigations consistently find compromised accounts that were not in the Domain Admins group but had DA-equivalent access through one of the other three paths. Attackers who perform AD reconnaissance using tools like BloodHound identify all four paths: your audit should too.

The Five Commands

Run these from a workstation with the Active Directory PowerShell module installed (available on any domain-joined machine with RSAT tools).

Command 1: Direct Domain Admins group members (including nested)

Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select-Object Name, SamAccountName, ObjectClass | Sort-Object Name

The -Recursive flag resolves nested group membership. Without it, you see groups, not the users inside them.

Command 2: All equivalent privileged group members

$privGroups = @("Administrators", "Schema Admins", "Enterprise Admins", "Group Policy Creator Owners", "Account Operators", "Backup Operators", "Print Operators")
foreach ($group in $privGroups) {
    Write-Host "=== $group ==="
    Get-ADGroupMember -Identity $group -Recursive 2>$null | Select-Object Name, SamAccountName, ObjectClass
}

This surfaces members of all groups that grant domain-wide or privileged access. Schema Admins membership can modify the AD schema: equal to or greater than DA for certain attacks. Backup Operators can read any file on any domain member server.

Command 3: Accounts protected by AdminSDHolder

Get-ADUser -LDAPFilter "(admincount=1)" -Properties admincount, LastLogonDate, PasswordLastSet | Select-Object Name, SamAccountName, Enabled, LastLogonDate, PasswordLastSet | Sort-Object LastLogonDate

AdminSDHolder sets admincount=1 on accounts that are or were members of protected groups. Accounts that were removed from privileged groups years ago may still retain the AdminSDHolder ACL protection: and the elevated permissions it confers: if the SDProp process was not run to clean them up.

Command 4: Accounts with unconstrained Kerberos delegation

Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation | Select-Object Name, SamAccountName
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation | Select-Object Name, DNSHostName

Any account or computer with unconstrained delegation is a target for the printer bug / SpoolSample technique: when a Domain Controller authenticates to a machine with unconstrained delegation, the DC's TGT can be captured and used to perform DCSync, giving an attacker Domain Admin credentials.

Command 5: Service accounts with privileged access (often overlooked)

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName, MemberOf, admincount | Where-Object {$_.admincount -eq 1 -or $_.MemberOf -match "Domain Admins|Administrators"} | Select-Object Name, SamAccountName, ServicePrincipalName

Service accounts with SPNs registered (which enables Kerberoasting) that also have privileged group membership are the highest-risk finding in most AD environments. An attacker who obtains a Kerberoastable hash for a service account with DA rights has a path to Domain Admin without requiring interactive login.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

What to Do With the Results

Export all five command outputs to CSV and combine them:

# Example for Command 1
Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select-Object Name, SamAccountName, ObjectClass | Export-Csv -Path C:\ADaudit\domain_admins.csv -NoTypeInformation

For each account in the combined output, ask four questions:

  1. Is this account still active? Disabled accounts in privileged groups cannot be used directly but their group memberships are preserved: they can be re-enabled by anyone with sufficient AD rights. Remove disabled accounts from all privileged groups.

  2. Does this account legitimately require Domain Admin access? Most operations attributed to DA accounts do not actually require DA. Patch management can use local admin. Backup agents should use a dedicated low-privilege account. AD read queries require no privileges. The default answer should be 'no': require the account owner to justify it.

  3. When did this account last log in? A DA account that has not been used in 180 days is likely stale. Stale DA accounts are prime targets for attackers because they often have weak or unchanged passwords and their logon activity does not generate noise that would indicate compromise.

  4. Does this service account have a SPN and privileged membership? That combination needs to be fixed immediately: either remove the DA membership (preferred) or use a managed service account (gMSA) with a 120-character randomly generated password that rotates automatically.

BloodHound for Attack Path Analysis

The five commands above find direct and one-level-nested privilege paths. BloodHound (open source, from SpecterOps) finds every attack path to Domain Admin in your environment: including multi-hop privilege escalation chains that PowerShell commands do not surface.

BloodHound ingests AD data via the SharpHound collector and builds a graph database of all relationships between accounts, groups, computers, and permissions. A query like 'find all shortest paths to Domain Admin' surfaces chains like:

  • User A is a member of Group B
  • Group B has GenericAll rights on Group C
  • Group C is a member of Domain Admins

User A can reach Domain Admin through three hops that your five-command audit would not catch because User A is not in any privileged group.

BloodHound is the tool attackers use for this reconnaissance. Using it yourself gives you the same attack path visibility before the attacker does. Run BloodHound in read-only mode against a non-production AD snapshot if you need to minimize risk during the initial audit.

The bottom line

A complete Domain Admin audit requires five commands covering five privilege vectors: direct Domain Admins members (with recursion for nested groups), equivalent privileged group members, accounts with AdminSDHolder protection, unconstrained Kerberos delegation targets, and Kerberoastable service accounts with privileged membership. Checking the Domain Admins group alone misses the majority of DA-equivalent exposure found in post-incident reviews. Run the audit, export to CSV, and require every DA-equivalent account to justify its privilege level or be removed.

Frequently asked questions

How do I find all Domain Admin accounts in Active Directory?

Run Get-ADGroupMember -Identity 'Domain Admins' -Recursive to find all direct and nested DA members. Then also check Administrators, Schema Admins, Enterprise Admins, and Backup Operators groups, query for admincount=1 users, and check for unconstrained Kerberos delegation: all four vectors grant Domain Admin equivalent access without appearing in the Domain Admins group directly.

Why is checking the Domain Admins group not enough for a DA audit?

Nested group membership, equivalent privileged groups (Schema Admins, Enterprise Admins), AdminSDHolder-protected accounts, and unconstrained Kerberos delegation all grant Domain Admin equivalent access without requiring direct Domain Admins group membership. Attackers check all four paths; your audit should too.

How many Domain Admin accounts should an organization have?

Microsoft's recommended maximum is two named DA accounts per domain for breakglass purposes: one for each of two administrators in case one is unavailable. Most organizations have far more. Every additional DA account increases the attack surface because credential compromise of any one DA account gives full domain control. Service accounts, helpdesk accounts, and manager accounts should never have DA membership: those operations require only the specific permissions for the task, not full domain control.

How do I find stale Domain Admin accounts in Active Directory?

Run: Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Get-ADUser -Properties LastLogonDate, Enabled | Select-Object Name, SamAccountName, LastLogonDate, Enabled | Sort-Object LastLogonDate. Accounts with LastLogonDate more than 90 days ago are candidates for review. Disabled accounts with DA membership should be removed immediately. For service accounts, check LastLogonDate against known maintenance window schedules before removing.

What should I do with Domain Admin accounts found during an audit?

For each DA account: if disabled, remove from all privileged groups immediately. If stale (no logon in 90+ days), contact the owner, confirm the account is still needed, and either reconfirm or remove. If a service account, work with the application team to replace the DA privilege with a least-privilege service account or gMSA. If a personal account used for routine tasks, provision a separate breakglass account for DA operations and remove DA from the primary account. Document every change with a ticket number for audit trail purposes.

How do I detect if someone has added a new account to Domain Admins in Active Directory?

Detecting unauthorized additions to privileged groups in Active Directory requires two controls working together: audit policy configuration and a SIEM alert rule. On the audit policy side, enable 'Audit Security Group Management' under Advanced Audit Policy Configuration on your domain controllers (Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Management). This generates Windows Security Event ID 4728 whenever a member is added to a security-enabled global group and Event ID 4756 for universal group additions. Both events fire when Domain Admins membership changes. In your SIEM, create an alert rule targeting Event ID 4728 where the group name field contains 'Domain Admins,' 'Schema Admins,' or 'Enterprise Admins.' Set this alert to Critical severity with an immediate notification path: unauthorized Domain Admin addition is one of the highest-fidelity indicators of active compromise in an environment. The alert should include the account that was added, the account that performed the addition, the domain controller that processed the change, and the timestamp. Run this alert against 30 days of historical data to establish baseline: in a well-managed environment, there should be near-zero events, and any that exist should correspond to documented change tickets.

Sources & references

  1. Microsoft: Active Directory Security Best Practices
  2. CISA: Active Directory Security Advisory
  3. BloodHound: Attack Path Analysis

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.