May 8, 2026
Tech

Active Directory Misconfigurations That Hand Over Domains

Active Directory still sits at the heart of most enterprise networks, and it still gets compromised through the same handful of mistakes. The depressing part is that none of these mistakes are new. Many were documented over a decade ago. Yet they keep showing up in environment after environment because Active Directory rewards convenience today and defers the consequences until someone exploits them. Understanding how attackers reach domain admin teaches you exactly where to spend your hardening effort.

Kerberoasting Lives On

Service accounts with weak passwords and a service principal name attached remain the gift that keeps on giving. Any authenticated user can request a service ticket for these accounts, take the resulting blob away, and crack it offline at leisure. Modern hardware crunches through standard dictionary lists at remarkable speed, so anything short of a long, random password tends to fall in hours. Regular internal network penetration testing surfaces every kerberoastable account in your domain. The fix is dull but effective: long passwords, group managed service accounts where possible, and tight monitoring on service ticket requests.

AS-REP Roasting and Pre-Authentication

Accounts configured with Kerberos pre-authentication disabled produce another offline crackable blob, and these accounts often slip in through migrations or third-party integrations. The setting is not flagged prominently in the AD console, so it persists quietly until someone runs Rubeus or its equivalent during an assessment. Auditing for this configuration is a five-minute job that rarely happens until the first time it shows up in a report. Once you check, you may find more accounts than you expected.

Expert Commentary

Name: William Fieldhouse

Title: Director of Aardwolf Security Ltd

Comments: I have lost count of the engagements where domain admin came down to a single weak service account password, sometimes set during installation a decade earlier. The account had elevated rights, was never rotated, and never appeared on anyone’s radar. The sophistication of the attack was zero. The impact was total.


Delegation Misconfigurations Cut Both Ways

Unconstrained delegation, constrained delegation, and resource-based constrained delegation each have their place, but each can be turned against you when configured carelessly. A computer with unconstrained delegation enabled can capture privileged Kerberos tickets and impersonate users elsewhere. Resource-based constrained delegation has been weaponised in published attack chains for years. Review every delegation configuration in your domain at least annually, ideally with the help of a tool such as BloodHound that visualises the relationships and surfaces the dangerous ones.

Privileged Group Membership Drift

Domain Admins, Enterprise Admins, and Schema Admins should contain a tiny number of accounts. They rarely do. Memberships accumulate over the years through emergencies, project work, and well-meaning helpdesk additions that nobody trims back. Each unnecessary member multiplies the impact of any phishing attack. Prune ruthlessly, audit monthly, and consider tiering models such as Microsoft’s Enterprise Access Model so that day-to-day admin work happens with limited rights.

Practical Hardening Steps

Patch your domain controllers promptly, disable legacy authentication protocols, enforce SMB signing, and turn on advanced auditing for the events that matter. Use a penetration testing company that knows Active Directory deeply and will demonstrate the actual attack paths rather than reading off a checklist. The findings will not surprise an experienced tester, but they may surprise you, which is exactly the point of running the exercise in the first place.
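The audits described in the Kerberoasting, AS-REP roasting, delegation and group-membership sections above can be run from one read-only script. The following is an added example written for this article, not a tool from the author or Aardwolf Security; it assumes the RSAT ActiveDirectory module, an account with ordinary read access to the directory, and that it is run in the forest root domain (where Enterprise Admins and Schema Admins live).

```powershell
# Added audit script (not from the article). Assumes the RSAT ActiveDirectory
# module and a domain-joined workstation with read access; it reports findings
# as objects and changes nothing. Pipe the output to Export-Csv for a report.
Import-Module ActiveDirectory

# userAccountControl bit values as documented by Microsoft
$DONT_REQ_PREAUTH       = 0x400000   # Kerberos pre-authentication not required
$TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
$ACCOUNTDISABLE         = 0x2

$staleBefore = (Get-Date).AddDays(-365)

# 1. Kerberoastable: enabled user accounts carrying an SPN, with password age
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, userAccountControl |
  Where-Object { -not ($_.userAccountControl -band $ACCOUNTDISABLE) -and
                 $_.SamAccountName -ne 'krbtgt' }
foreach ($u in $spnUsers) {
    $old = ($null -eq $u.PasswordLastSet) -or ($u.PasswordLastSet -lt $staleBefore)
    [pscustomobject]@{ Finding = 'Kerberoastable'; Account = $u.SamAccountName
        PasswordOlderThan1y = $old; SPNs = ($u.ServicePrincipalName -join ';') }
}

# 2. AS-REP roastable: pre-authentication disabled (checked on the raw bit so
#    the logic is visible; the module also exposes DoesNotRequirePreAuth)
Get-ADUser -Filter * -Properties userAccountControl |
  Where-Object { $_.userAccountControl -band $DONT_REQ_PREAUTH } |
  ForEach-Object { [pscustomobject]@{ Finding = 'ASREPRoastable'; Account = $_.SamAccountName } }

# 3. Unconstrained delegation on any computer that is not a domain controller
$dcs = (Get-ADDomainController -Filter *).Name
Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
  Where-Object { $dcs -notcontains $_.Name } |
  ForEach-Object { [pscustomobject]@{ Finding = 'UnconstrainedDelegation'; Account = $_.Name } }

# 4. Resource-based constrained delegation configured on a computer object
Get-ADComputer -Filter * -Properties msDS-AllowedToActOnBehalfOfOtherIdentity |
  Where-Object { $_.'msDS-AllowedToActOnBehalfOfOtherIdentity' } |
  ForEach-Object { [pscustomobject]@{ Finding = 'RBCDConfigured'; Account = $_.Name } }

# 5. Privileged group membership, expanded through nested groups
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    $members = @(Get-ADGroupMember -Identity $g -Recursive)
    [pscustomobject]@{ Finding = 'PrivilegedGroup'; Account = $g; MemberCount = $members.Count
        Members = (($members | Select-Object -ExpandProperty SamAccountName) -join ';') }
}
```

Run it on a schedule and diff the output against the previous run: a new SPN account, a newly pre-auth-disabled user or a Domain Admins member that was not there last month is exactly the drift the article describes.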
