ISM-1833 policy ASD Information Security Manual (ISM)

Limit Privileges for User Accounts in Active Directory

User accounts are set up with just the access they need, nothing extra.


Plain language

This control is about making sure user accounts in your organisation have just enough permission to do their jobs, nothing more. This matters because if accounts have too much access, a mistake or malicious action could harm sensitive information or cause other serious issues.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

User accounts are provisioned with the minimum privileges required.

Why it matters

If AD user accounts have excessive group memberships or delegated rights, misuse or compromise can enable unauthorised access to sensitive data and systems.


Operational notes

Periodically review AD user group memberships and delegated permissions against role needs; promptly remove elevated or stale access when duties change or staff leave.


Implementation tips

  • IT team should conduct a privilege audit: Periodically review who has access to what within your systems. Use a checklist of roles and tasks to ensure no account has unnecessary permissions.
  • Managers should define access levels: Work with the IT team to list specific job roles and the minimum access each needs to perform tasks effectively. Ensure this list is kept updated and reflects any role changes.
  • HR and IT should collaborate on onboarding: When new staff join, HR should coordinate with IT to assign only necessary access rights based on documented role requirements. Ensure the process is formalised with approval steps.
  • IT should implement an access review schedule: Regularly, perhaps quarterly, have the IT team check current user access against outlined role requirements. Adjust privileges for anyone who no longer needs certain levels of access.
  • System owner should maintain documentation: Keep a secure and up-to-date record of each account’s access level and any changes made over time. This helps resolve any access disputes and supports auditing processes.
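The privilege audit described in the operational notes and implementation tips above, as an added example that is not part of the ISM or of this page: it compares each enabled AD user's group memberships with a role baseline and flags excess, high-privilege or stale access. It assumes the ActiveDirectory RSAT module and that the user's role is recorded in the Title attribute; the baseline groups are constructed placeholders.

```powershell
# Added example: report AD user accounts whose group memberships exceed their
# role baseline, hold high-privilege groups, or look stale. Assumes the
# ActiveDirectory RSAT module and that the role is held in 'Title' (assumption).
Import-Module ActiveDirectory

# Role -> groups the role needs. Constructed baseline; replace with the
# organisation's documented role access definitions.
$RoleBaseline = @{
    'Service Desk Analyst' = @('Domain Users', 'Helpdesk-Operators', 'VPN-Users')
    'Finance Officer'      = @('Domain Users', 'Finance-ReadWrite', 'VPN-Users')
}
# Groups no standard user account should hold, whatever the role.
$HighPrivilegeGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                         'Administrators', 'Account Operators')
$StaleCutoff = (Get-Date).AddDays(-90)

$findings = foreach ($u in Get-ADUser -Filter 'Enabled -eq $true' -Properties Title, LastLogonDate, MemberOf) {
    # MemberOf holds group DNs and omits the primary group, so resolve names and add Domain Users.
    $groups   = @($u.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }) + 'Domain Users'
    $allowed  = if ($u.Title -and $RoleBaseline.ContainsKey($u.Title)) { $RoleBaseline[$u.Title] } else { @() }
    $excess   = @($groups | Where-Object { $_ -notin $allowed })
    $highPriv = @($groups | Where-Object { $_ -in $HighPrivilegeGroups })
    $isStale  = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $StaleCutoff)

    # An account with no defined role is reported too: it cannot be checked against a baseline.
    if ($excess -or $highPriv -or $isStale -or -not $allowed) {
        [pscustomobject]@{
            User          = $u.SamAccountName
            Role          = if ($u.Title) { $u.Title } else { '(none)' }
            RoleDefined   = [bool]$allowed
            ExcessGroups  = $excess -join ';'
            HighPrivilege = $highPriv -join ';'
            LastLogon     = $u.LastLogonDate
            Stale         = $isStale
        }
    }
}

# Show the reviewer the findings and keep a dated CSV as evidence of the access review.
$findings | Sort-Object -Property HighPrivilege, Stale -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path ("AD-PrivilegeReview-{0:yyyyMMdd}.csv" -f (Get-Date)) -NoTypeInformation
```

Rows with a populated HighPrivilege column or RoleDefined set to False are the ones to resolve first; the CSV doubles as the access review record the audit tips ask for.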

Audit / evidence tips

  • Ask for the user account access log: request a report detailing the current access levels assigned to each user. Good: each user has a documented access level matching their role.
  • Ask for records of recent access changes: request logs or documentation showing who changed access rights and when. Good: each change has a corresponding authorisation record.
  • Ask for the role access definition document: see if there is a current document outlining access levels for each role. Good: a comprehensive list with a clear mapping of roles to access requirements.
  • Ask for the schedule of access reviews: request records showing when and how often access reviews were conducted. Good: consistent reviews with adjustments made promptly when needed.
  • Ask for documentation of the onboarding process: request to see how the access set-up process is documented for new users. Good: an onboarding checklist with documented role-based access rights and approval signatures.

Cross-framework mappings

How ISM-1833 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially overlaps (2):
  • Annex A 5.18: Annex A 5.18 requires access rights to be provisioned and maintained according to business rules and access control policy, which typical...
  • Annex A 8.3: ISM-1833 requires Active Directory user accounts to be provisioned with the minimum privileges required.

Supports (1):
  • Annex A 5.3: Annex A 5.3 requires segregation of conflicting duties and areas of responsibility to prevent a single individual from misusing access or...

E8

Supports (1):
  • E8-RA-ML1.4: E8-RA-ML1.4 requires that privileged accounts authorised for online services have only the access required to perform their duties.

Related (1):
  • E8-RA-ML3.1: ISM-1833 requires Active Directory user accounts to be provisioned with the minimum privileges required.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
