How to Find Every Domain Admin Account in Active Directory Right Now

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The most common answer to 'how do I find all my Domain Admins' is 'check the Domain Admins group.' That answer misses three of the four ways an account can have Domain Admin equivalent access.
The complete audit requires five commands and checks five distinct privilege vectors. This guide provides all five, explains why each matters, and identifies the ones most commonly overlooked in post-incident reviews.
Why Domain Admins Group Membership Alone Is Not Enough
An account achieves Domain Admin equivalent access through four paths:
- Direct membership in the Domain Admins group: the obvious one
- Membership in a group nested inside Domain Admins: a group called 'IT-Leads' added to Domain Admins gives every member of 'IT-Leads' full DA rights, but they do not appear in the Domain Admins group directly
- Membership in equivalent privileged groups: Administrators, Schema Admins, Enterprise Admins, Group Policy Creator Owners, and Account Operators all grant domain-wide privileges equivalent to or exceeding Domain Admin for specific attack paths
- Unconstrained Kerberos delegation: accounts or computers configured for unconstrained Kerberos delegation can be used to obtain Domain Admin TGT tickets when any privileged user authenticates to them
Post-incident investigations consistently find compromised accounts that were not in the Domain Admins group but had DA-equivalent access through one of the other three paths. Attackers who perform AD reconnaissance using tools like BloodHound identify all four paths: your audit should too.
The Five Commands
Run these from a workstation with the Active Directory PowerShell module installed (available on any domain-joined machine with RSAT tools).
Command 1: Direct Domain Admins group members (including nested)
Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select-Object Name, SamAccountName, ObjectClass | Sort-Object Name
The -Recursive flag resolves nested group membership. Without it, you see groups, not the users inside them.
Command 2: All equivalent privileged group members
$privGroups = @("Administrators", "Schema Admins", "Enterprise Admins", "Group Policy Creator Owners", "Account Operators", "Backup Operators", "Print Operators")
foreach ($group in $privGroups) {
Write-Host "=== $group ==="
Get-ADGroupMember -Identity $group -Recursive 2>$null | Select-Object Name, SamAccountName, ObjectClass
}
This surfaces members of all groups that grant domain-wide or privileged access. Schema Admins membership can modify the AD schema: equal to or greater than DA for certain attacks. Backup Operators can read any file on any domain member server.
Command 3: Accounts protected by AdminSDHolder
Get-ADUser -LDAPFilter "(admincount=1)" -Properties admincount, LastLogonDate, PasswordLastSet | Select-Object Name, SamAccountName, Enabled, LastLogonDate, PasswordLastSet | Sort-Object LastLogonDate
AdminSDHolder sets admincount=1 on accounts that are or were members of protected groups. Accounts that were removed from privileged groups years ago may still retain the AdminSDHolder ACL protection: and the elevated permissions it confers: if the SDProp process was not run to clean them up.
Command 4: Accounts with unconstrained Kerberos delegation
Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation | Select-Object Name, SamAccountName
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation | Select-Object Name, DNSHostName
Any account or computer with unconstrained delegation is a target for the printer bug / SpoolSample technique: when a Domain Controller authenticates to a machine with unconstrained delegation, the DC's TGT can be captured and used to perform DCSync, giving an attacker Domain Admin credentials.
Command 5: Service accounts with privileged access (often overlooked)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName, MemberOf, admincount | Where-Object {$_.admincount -eq 1 -or $_.MemberOf -match "Domain Admins|Administrators"} | Select-Object Name, SamAccountName, ServicePrincipalName
Service accounts with SPNs registered (which enables Kerberoasting) that also have privileged group membership are the highest-risk finding in most AD environments. An attacker who obtains a Kerberoastable hash for a service account with DA rights has a path to Domain Admin without requiring interactive login.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
What to Do With the Results
Export all five command outputs to CSV and combine them:
# Example for Command 1
Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select-Object Name, SamAccountName, ObjectClass | Export-Csv -Path C:\ADaudit\domain_admins.csv -NoTypeInformation
For each account in the combined output, ask four questions:
-
Is this account still active? Disabled accounts in privileged groups cannot be used directly but their group memberships are preserved: they can be re-enabled by anyone with sufficient AD rights. Remove disabled accounts from all privileged groups.
-
Does this account legitimately require Domain Admin access? Most operations attributed to DA accounts do not actually require DA. Patch management can use local admin. Backup agents should use a dedicated low-privilege account. AD read queries require no privileges. The default answer should be 'no': require the account owner to justify it.
-
When did this account last log in? A DA account that has not been used in 180 days is likely stale. Stale DA accounts are prime targets for attackers because they often have weak or unchanged passwords and their logon activity does not generate noise that would indicate compromise.
-
Does this service account have a SPN and privileged membership? That combination needs to be fixed immediately: either remove the DA membership (preferred) or use a managed service account (gMSA) with a 120-character randomly generated password that rotates automatically.
BloodHound for Attack Path Analysis
The five commands above find direct and one-level-nested privilege paths. BloodHound (open source, from SpecterOps) finds every attack path to Domain Admin in your environment: including multi-hop privilege escalation chains that PowerShell commands do not surface.
BloodHound ingests AD data via the SharpHound collector and builds a graph database of all relationships between accounts, groups, computers, and permissions. A query like 'find all shortest paths to Domain Admin' surfaces chains like:
- User A is a member of Group B
- Group B has GenericAll rights on Group C
- Group C is a member of Domain Admins
User A can reach Domain Admin through three hops that your five-command audit would not catch because User A is not in any privileged group.
BloodHound is the tool attackers use for this reconnaissance. Using it yourself gives you the same attack path visibility before the attacker does. Run BloodHound in read-only mode against a non-production AD snapshot if you need to minimize risk during the initial audit.
The bottom line
A complete Domain Admin audit requires five commands covering five privilege vectors: direct Domain Admins members (with recursion for nested groups), equivalent privileged group members, accounts with AdminSDHolder protection, unconstrained Kerberos delegation targets, and Kerberoastable service accounts with privileged membership. Checking the Domain Admins group alone misses the majority of DA-equivalent exposure found in post-incident reviews. Run the audit, export to CSV, and require every DA-equivalent account to justify its privilege level or be removed.
Frequently asked questions
How do I find all Domain Admin accounts in Active Directory?
Run Get-ADGroupMember -Identity 'Domain Admins' -Recursive to find all direct and nested DA members. Then also check Administrators, Schema Admins, Enterprise Admins, and Backup Operators groups, query for admincount=1 users, and check for unconstrained Kerberos delegation: all four vectors grant Domain Admin equivalent access without appearing in the Domain Admins group directly.
Why is checking the Domain Admins group not enough for a DA audit?
Nested group membership, equivalent privileged groups (Schema Admins, Enterprise Admins), AdminSDHolder-protected accounts, and unconstrained Kerberos delegation all grant Domain Admin equivalent access without requiring direct Domain Admins group membership. Attackers check all four paths; your audit should too.
How many Domain Admin accounts should an organization have?
Microsoft's recommended maximum is two named DA accounts per domain for breakglass purposes: one for each of two administrators in case one is unavailable. Most organizations have far more. Every additional DA account increases the attack surface because credential compromise of any one DA account gives full domain control. Service accounts, helpdesk accounts, and manager accounts should never have DA membership: those operations require only the specific permissions for the task, not full domain control.
How do I find stale Domain Admin accounts in Active Directory?
Run: Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Get-ADUser -Properties LastLogonDate, Enabled | Select-Object Name, SamAccountName, LastLogonDate, Enabled | Sort-Object LastLogonDate. Accounts with LastLogonDate more than 90 days ago are candidates for review. Disabled accounts with DA membership should be removed immediately. For service accounts, check LastLogonDate against known maintenance window schedules before removing.
What should I do with Domain Admin accounts found during an audit?
For each DA account: if disabled, remove from all privileged groups immediately. If stale (no logon in 90+ days), contact the owner, confirm the account is still needed, and either reconfirm or remove. If a service account, work with the application team to replace the DA privilege with a least-privilege service account or gMSA. If a personal account used for routine tasks, provision a separate breakglass account for DA operations and remove DA from the primary account. Document every change with a ticket number for audit trail purposes.
How do I detect if someone has added a new account to Domain Admins in Active Directory?
Detecting unauthorized additions to privileged groups in Active Directory requires two controls working together: audit policy configuration and a SIEM alert rule. On the audit policy side, enable 'Audit Security Group Management' under Advanced Audit Policy Configuration on your domain controllers (Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Management). This generates Windows Security Event ID 4728 whenever a member is added to a security-enabled global group and Event ID 4756 for universal group additions. Both events fire when Domain Admins membership changes. In your SIEM, create an alert rule targeting Event ID 4728 where the group name field contains 'Domain Admins,' 'Schema Admins,' or 'Enterprise Admins.' Set this alert to Critical severity with an immediate notification path: unauthorized Domain Admin addition is one of the highest-fidelity indicators of active compromise in an environment. The alert should include the account that was added, the account that performed the addition, the domain controller that processed the change, and the timestamp. Run this alert against 30 days of historical data to establish baseline: in a well-managed environment, there should be near-zero events, and any that exist should correspond to documented change tickets.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
