Use Dedicated Admin Accounts for Domain Controllers
Ensure domain controllers have unique admin accounts not used elsewhere for better security.
Plain language
This control is about making sure that the people who manage your core computer systems have special accounts they use just for that purpose. This is important because if an intruder manages to get into these accounts, they could control your entire network. Using accounts specifically for these tasks helps limit the damage if one account is compromised.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Microsoft AD DS domain controllers are administered using dedicated domain administrator user accounts that are not used to administer other systems.
Why it matters
If domain controllers are administered with non-dedicated accounts, compromise of such an account on any other system it is used on can lead to Domain Admin control and full Active Directory takeover.
Operational notes
Audit Domain Admin and DC logons to confirm dedicated admin accounts are used only for AD DS/domain controller administration, not email or daily user activity.
Implementation tips
- The IT team should create separate admin accounts specifically for domain controllers. Ensure these accounts are not used for other systems or general administrative tasks by setting them up to only access domain controller functions.
- IT administrators should use these dedicated admin accounts exclusively for managing the domain controllers. They can do this by logging into these accounts only when they need to perform tasks specifically on domain controllers.
- System owners and IT managers should make it a policy that every IT admin has two accounts: a regular one for daily use and a dedicated one for managing domain controllers. Communicate this policy clearly and ensure that everyone understands the importance of using the right account for the right task.
- To further secure the dedicated admin accounts, the IT team should enable strong passwords and change them regularly. Use password management tools to help IT staff maintain complex passwords without hassle.
- IT security officers should routinely review and monitor the usage of these dedicated admin accounts. This can be done by checking logs for any irregular access patterns or unusual login attempts, ensuring that these accounts are only used as intended.
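The audit described in the operational notes and the last tip above, as an added example that is not part of the ISM or Control Stack: it lists the Domain Admins members, treats them as the dedicated DC admin accounts, and flags interactive or RDP logons by those accounts on member servers (any host that is not a domain controller). The host list and lookback window are placeholders to adjust for your environment; it assumes the RSAT ActiveDirectory module and remote event log access.

```powershell
# Added example (not from the ISM or Control Stack). Flags Domain Admin
# account logons on non-DC hosts, which this control says should not occur.
Import-Module ActiveDirectory

$LookbackHours = 24                      # assumed window; tune as needed
$hosts = @('APP01', 'FILE01')            # placeholder member servers to audit

# Dedicated DC admin accounts: assumed here to be the Domain Admins members.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object -ExpandProperty SamAccountName

$dcNames = (Get-ADDomainController -Filter *).Name

$findings = foreach ($h in $hosts) {
    if ($dcNames -contains $h) { continue }   # DC logons are the intended use

    # Event 4624 = successful logon; pull the last $LookbackHours from the host
    $events = Get-WinEvent -ComputerName $h -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Parse EventData fields (TargetUserName, LogonType, IpAddress) from XML
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Logon type 2 (interactive) and 10 (RemoteInteractive) mean a person
        # used the account on this host; add '3' to also catch network logons.
        if ($d.LogonType -in @('2', '10') -and $domainAdmins -contains $d.TargetUserName) {
            [pscustomobject]@{
                Host      = $h
                Account   = $d.TargetUserName
                LogonType = $d.LogonType
                Source    = $d.IpAddress
                Time      = $e.TimeCreated
            }
        }
    }
}

# Any row here is a dedicated DC admin account used outside its intended scope.
$findings | Sort-Object Time | Format-Table -AutoSize
```

An empty result for the audited hosts is the evidence the "Audit / evidence tips" section asks for; non-empty rows identify the account and host to follow up.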
Audit / evidence tips
- Ask: the policy document that outlines the use of dedicated admin accounts for domain controllers
  Good: has clear instructions, responsibilities, and justifications documented
- Good: shows consistent, regular access in line with typical admin work patterns
- Ask: a list of all user accounts with admin access to domain controllers
  Good: shows a short list of accounts used only for this purpose
- Good: shows robust, well-documented password policies tailored for high-security requirements
- Ask: a recent audit report on domain controller access, if available
  Good: shows compliance with the control and any actions taken to address deviations
Cross-framework mappings
How ISM-1827 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Related (1) | | |
| Annex A 8.2 | Annex A 8.2 requires privileged access rights to be restricted and managed, including controlling the allocation and use of administrativ... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| E8-RA-ML1.2 | E8-RA-ML1.2 requires privileged users to use dedicated privileged accounts solely for admin tasks | |
| Partially overlaps (1) | | |
| E8-RA-ML1.7 | ISM-1827 requires dedicated domain administrator accounts for administering AD DS domain controllers, separated from accounts used to adm... | |
| Supports (2) | | |
| E8-RA-ML2.4 | ISM-1827 requires dedicated domain administrator accounts to administer AD DS domain controllers and prohibits using those accounts to ad... | |
| E8-RA-ML3.2 | ISM-1827 requires domain controllers to be administered using dedicated domain administrator accounts that are not reused for other admin... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.