Privileged Group Sprawl and Tier-0 Bleed
Description
Privileged group sprawl occurs when powerful Active Directory groups (such as Domain Admins, Enterprise Admins, Administrators, and built‑in operator groups) accumulate too many members, nested groups, and service accounts. Without strict tiering, just one compromised account in these groups can lead to full domain or forest compromise. Common issues include helpdesk or vendor accounts added “temporarily” and never removed, unconstrained nesting from legacy domains, and Tier‑0 groups being used for routine administration.
Examples
Enumerate Tier-0 Groups and Members
From a domain‑joined host, list direct members of key privileged groups:
$Tier0Groups = @(
    'Domain Admins',
    'Enterprise Admins',
    'Administrators',
    'Schema Admins',
    'DnsAdmins',
    'Account Operators',
    'Backup Operators'
)
foreach ($g in $Tier0Groups) {
    Write-Host "=== $g ==="
    Get-ADGroupMember -Identity $g -Recursive | Select-Object Name,SamAccountName,ObjectClass
}
Look for non-admin human users, vendor accounts, and service accounts that do not need Tier‑0 privileges. Note that -Recursive returns the flattened set of leaf objects rather than the intermediate groups that grant the access, and it can fail on groups such as Administrators that contain foreign security principals from trusted domains.
Identify Privileged Access via Nested Groups
Use PowerView or BloodHound to find transitive membership paths:
# PowerView example
Get-DomainGroupMember -Identity 'Domain Admins' -Recurse | Select-Object MemberName,MemberObjectClass
Nested groups from legacy domains or application‑specific groups often provide unexpected Domain Admin rights.
Spot Service and Computer Accounts in Privileged Groups
Service and computer accounts in Tier‑0 groups increase the attack surface:
Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -in @('computer','user') } |
    Get-ADObject -Properties ServicePrincipalName |
    Where-Object { $_.ServicePrincipalName } |
    Select-Object Name,SamAccountName,ServicePrincipalName
These accounts are frequently used with weak or shared credentials and may be exposed through Kerberoasting or password reuse.
Remediation
- Define and enforce a tiering model
  - Separate Tier‑0 (DCs, PKI, ADFS, core identity services) from lower tiers.
  - Only Tier‑0 admins should be in forest‑ and domain‑level privileged groups.
- Minimise privileged group membership
  - Remove human users and service accounts that do not strictly require Tier‑0 access.
  - Replace standing membership with JIT/JEA models (e.g., PIM, temporary elevation).
- Clean up nested groups and legacy memberships
  - Flatten or remove legacy and unused groups that transitively grant Domain Admin‑level rights.
  - Document remaining privileged groups and their intended scope.
- Monitor changes to Tier‑0 groups
  - Alert on additions/removals in Domain Admins, Enterprise Admins, and similar groups.
  - Periodically recertify membership with management sign‑off and automate reviews where possible.
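One way to implement the monitoring step above, as an added example that is not part of the original page: pull the group-membership change events from each domain controller's Security log and keep only those that touch the Tier‑0 groups listed earlier. It assumes the ActiveDirectory module, remote event log access to the DCs, and a 24-hour lookback window that is a placeholder to adapt.

```powershell
# Tier-0 groups to watch (same list as the enumeration step above)
$Tier0Groups = @('Domain Admins','Enterprise Admins','Administrators',
                 'Schema Admins','DnsAdmins','Account Operators','Backup Operators')

# 4728/4732/4756 = member added to a security-enabled global/local/universal group
# 4729/4733/4757 = member removed from the same group types
$AddedIds   = @(4728,4732,4756)
$RemovedIds = @(4729,4733,4757)

$Filter = @{
    LogName   = 'Security'
    Id        = $AddedIds + $RemovedIds
    StartTime = (Get-Date).AddHours(-24)   # placeholder lookback window
}

# Membership changes are logged on the DC that processed them, so query every DC
$DomainControllers = (Get-ADDomainController -Filter *).HostName

$Changes = foreach ($dc in $DomainControllers) {
    Get-WinEvent -ComputerName $dc -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Parse the EventData block into a name/value map
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            DC          = $dc
            EventId     = $_.Id
            Action      = if ($_.Id -in $AddedIds) { 'Added' } else { 'Removed' }
            Group       = $data['TargetUserName']    # the group that was modified
            Member      = $data['MemberName']        # distinguishedName of the member
            MemberSid   = $data['MemberSid']
            ChangedBy   = $data['SubjectUserName']   # account that made the change
        }
    }
}

# Surface only Tier-0 changes; feed this to your alerting or recertification workflow
$Tier0Changes = $Changes | Where-Object { $_.Group -in $Tier0Groups }
$Tier0Changes | Sort-Object TimeCreated |
    Format-Table TimeCreated,DC,Action,Group,Member,ChangedBy -AutoSize
```

Any "Added" row whose ChangedBy is not a known Tier‑0 admin, or whose Member is a service or vendor account, is the kind of change the recertification review should catch.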