ISM-1620 - ASD Information Security Manual (ISM) policy

Ensure Privileged Accounts are Secured in AD

Privileged user accounts must belong to a special security group for extra protection.


Plain language

This control is about making sure people with special access to important parts of your computer system are grouped together for extra security. If you don't do this, these privileged accounts might be easier targets for hackers, which could allow them to access sensitive information and cause serious harm to your business.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Privileged user accounts are members of the Protected Users security group.

Why it matters

If privileged AD accounts are not in Protected Users, credentials can be more easily stolen or reused, enabling elevated access and wider compromise.


Operational notes

Regularly audit Protected Users membership in Active Directory and remove unauthorised accounts; ensure privileged users are added and exceptions are documented.


Implementation tips

  • The IT manager should identify who in the organisation requires privileged access to systems. These are usually the administrators who manage major computer systems and networks.
  • Once identified, the IT team should create a unique security group called 'Protected Users' in the Active Directory, a tool that helps keep track of who can access what on a network.
  • The IT staff should then add all privileged user accounts to this 'Protected Users' group. This can be done easily through the Active Directory management console by selecting user accounts and assigning them to the group.
  • Regularly review these privileged accounts: The IT manager should set a calendar reminder to review the membership of this group every three months, ensuring only the right people have access.
  • Train all users with privileged accounts: The IT manager should organise training sessions to remind these users about strong password practices and the importance of not sharing their login details.
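The operational note above asks for regular audits of Protected Users membership, and the implementation tips describe adding privileged accounts and reviewing them quarterly. The following PowerShell is an added example written for this page, not code from the ISM or from Control Stack. It assumes the RSAT ActiveDirectory module, an account with rights to read (and, with -Enforce, change) group membership, and a domain in which the built-in Protected Users group already exists. The account names in the usage comment are constructed placeholders; the documented register of privileged accounts and the exceptions list are inputs you supply.

```powershell
# Added example (not from the ISM page). Audits, evidences and optionally enforces
# membership of the built-in 'Protected Users' group against a documented register.
Import-Module ActiveDirectory

function Test-ProtectedUsersMembership {
    [CmdletBinding()]
    param (
        # sAMAccountNames from your documented register of privileged user accounts.
        [Parameter(Mandatory)] [string[]] $ApprovedPrivilegedUsers,

        # Privileged accounts permitted to stay outside the group, keyed by sAMAccountName,
        # with the recorded justification as the value (the "documented exceptions").
        [hashtable] $DocumentedExceptions = @{},

        # Dated CSV that serves as the review record for the quarterly check.
        [string] $ReportPath = ".\ProtectedUsers-audit-$(Get-Date -Format yyyyMMdd).csv",

        # Report only by default; only add missing accounts when -Enforce is given.
        [switch] $Enforce
    )

    # Direct user members of the built-in group (the control concerns user accounts).
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName)

    # Cross-check: anyone holding Domain Admins, directly or through nesting, is privileged
    # whether or not the register lists them, so they must be surfaced too.
    $domainAdmins = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName)

    $shouldBeProtected = @($ApprovedPrivilegedUsers + $domainAdmins | Where-Object { $_ } | Sort-Object -Unique)

    # One row per account that is either privileged or currently in the group.
    $findings = foreach ($sam in @($shouldBeProtected + $protected | Where-Object { $_ } | Sort-Object -Unique)) {
        $isProtected  = $protected -contains $sam
        $isPrivileged = $shouldBeProtected -contains $sam
        $status = if ($isPrivileged -and $isProtected) { 'Compliant' }
                  elseif ($isPrivileged -and $DocumentedExceptions.ContainsKey($sam)) { 'DocumentedException' }
                  elseif ($isPrivileged) { 'MissingFromProtectedUsers' }
                  else { 'UnapprovedMember' }   # in the group but on no register: review or remove
        [pscustomobject]@{
            SamAccountName       = $sam
            InProtectedUsers     = $isProtected
            OnPrivilegedRegister = $isPrivileged
            Status               = $status
            Justification        = $DocumentedExceptions[$sam]
            CheckedAt            = (Get-Date).ToString('s')
        }
    }

    # Evidence for the audit: a dated CSV the reviewer can attach to the review record.
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation

    if ($Enforce) {
        $toAdd = @($findings | Where-Object Status -eq 'MissingFromProtectedUsers' |
            Select-Object -ExpandProperty SamAccountName)
        if ($toAdd.Count -gt 0) {
            Add-ADGroupMember -Identity 'Protected Users' -Members $toAdd
        }
    }
    return $findings
}

# Usage (constructed placeholder names; replace with your own register and exceptions):
# Test-ProtectedUsersMembership -ApprovedPrivilegedUsers 'adm.alice', 'adm.bob' `
#     -DocumentedExceptions @{ 'adm.legacy' = 'Pending migration off NTLM; change record PLACEHOLDER' } |
#     Format-Table SamAccountName, Status, Justification
```

Run it without -Enforce first and read the report: a 'MissingFromProtectedUsers' row is a gap against this control, an 'UnapprovedMember' row is a candidate for removal, and a 'DocumentedException' row is only acceptable while its justification is current. Exceptions matter because Protected Users membership is restrictive by design: members cannot authenticate with NTLM, DES or RC4 Kerberos encryption, cannot be delegated, and receive short-lived Kerberos tickets, so an account that still depends on any of those will break when added; that is also why Microsoft advises against placing service and computer accounts in the group.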

Audit / evidence tips

  • Ask: The list of privileged accounts. Request the document or report that lists all the privileged accounts in the 'Protected Users' group.
  • Good: The list should only include IT administrators and other essential personnel, with clear justifications documented for their access.
  • Ask: Recent review records. Request logs or emails that show when the last review of this group was conducted.
  • Good: Review records should show regular checks, with any changes to the group noted and authorised by IT leadership.

Cross-framework mappings

How ISM-1620 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

  • Partially meets (1)
    • Annex A 8.2: ISM-1620 requires a specific mechanism for securing privileged accounts by placing them in the AD Protected Users security group.

E8

  • Partially overlaps (2)
    • E8-RA-ML2.2: ISM-1620 requires privileged user accounts to be placed in the AD Protected Users group to reduce authentication abuse (e.g
    • E8-RA-ML2.7: ISM-1620 requires privileged user accounts to be members of the AD Protected Users group to strengthen protection of privileged identities.
  • Supports (2)
    • E8-RA-ML1.2: E8-RA-ML1.2 requires privileged users to perform admin work using dedicated privileged accounts rather than their standard accounts.
    • E8-MF-ML2.1: ISM-1620 requires privileged accounts to use the AD Protected Users group, which helps prevent use of weaker authentication methods and r...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
