Restrict Delegation of Privileged Active Directory Accounts
Ensure privileged accounts are marked as sensitive and cannot be delegated to maintain security.
Plain language
This control is about making sure that certain high-level accounts in your system, like those with the power to make big changes, can't have their access easily transferred to others. This matters because if someone maliciously gets control of one of these accounts, they could cause serious harm to your business, like stealing sensitive data or bringing your systems down.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
Privileged user accounts are configured as sensitive and cannot be delegated.
Why it matters
Without this control, attackers could abuse delegation to compromise critical Active Directory accounts, leading to data breaches or system takedowns.
Operational notes
Regularly audit privileged AD accounts to confirm “Account is sensitive and cannot be delegated” remains enabled, and alert on any changes to this setting.
Implementation tips
- IT teams should mark privileged accounts as sensitive in the Active Directory system. You can do this by accessing the properties of each account and ticking the option that labels it as sensitive. This setting prevents other accounts from gaining the same privileges by delegation.
- System administrators should review all accounts with high privileges regularly. Go through the list of accounts with the ability to change significant settings or access sensitive data, and confirm that they are marked as sensitive. This helps ensure no account is overlooked.
- Managers should set up a policy review to ensure delegation settings are accurate. Work with IT to create a checklist of accounts that should never be delegated, update policies to reflect this, and communicate the importance to all relevant staff.
- Human Resources should coordinate with IT to review account privileges when employees move roles or leave. Ensure that any changes are reflected immediately in the system to prevent unnecessary or incorrect delegation of power.
- Security officers should organise training sessions for staff to understand the importance of protecting privileged accounts. Use simple scenarios to explain the risks of mishandling these accounts, and offer practical guidance on maintaining vigilance.
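The audit in the operational notes and the first two implementation tips, as an added PowerShell example (not part of the Control Stack page or ASD guidance). It assumes the RSAT ActiveDirectory module and a privileged-group list that you adjust to your own definition of privileged accounts; it checks the userAccountControl NOT_DELEGATED bit, writes a dated CSV as audit evidence, and only enables the flag when -Remediate is given.

```powershell
# Added example: audit privileged AD accounts for "Account is sensitive and cannot be delegated"
# (userAccountControl bit 0x100000, ADS_UF_NOT_DELEGATED) and optionally set it.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed list of privileged groups; replace with your own tier-0 / privileged definition.
    [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                    'Administrators', 'Account Operators'),
    [switch]$Remediate   # when set, enable the flag on non-compliant accounts (honours -WhatIf)
)

$NotDelegatedBit = 0x100000   # ADS_UF_NOT_DELEGATED

# Collect the unique user members (recursively) of each privileged group.
$privilegedUsers = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user'
}
$privilegedUsers = $privilegedUsers | Sort-Object -Property distinguishedName -Unique

# Read the flag straight from userAccountControl rather than trusting a cached view.
$report = foreach ($u in $privilegedUsers) {
    $user = Get-ADUser -Identity $u.distinguishedName -Properties userAccountControl, whenChanged
    [pscustomobject]@{
        SamAccountName      = $user.SamAccountName
        AccountNotDelegated = (($user.userAccountControl -band $NotDelegatedBit) -ne 0)
        WhenChanged         = $user.whenChanged
        DistinguishedName   = $user.DistinguishedName
    }
}

# Dated record of every privileged account and its delegation state (audit evidence).
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$report | Export-Csv -NoTypeInformation -Path "ISM-1835-privileged-delegation-$stamp.csv"

$nonCompliant = @($report | Where-Object { -not $_.AccountNotDelegated })
if ($nonCompliant.Count -eq 0) {
    Write-Output 'All privileged accounts are marked sensitive and cannot be delegated.'
    return
}

Write-Warning ("{0} privileged account(s) can still be delegated:" -f $nonCompliant.Count)
$nonCompliant | Format-Table SamAccountName, WhenChanged -AutoSize

if ($Remediate) {
    foreach ($acct in $nonCompliant) {
        # ShouldProcess lets operators dry-run the change with -WhatIf before applying it.
        if ($PSCmdlet.ShouldProcess($acct.SamAccountName, 'Set AccountNotDelegated = $true')) {
            Set-ADUser -Identity $acct.DistinguishedName -AccountNotDelegated $true
        }
    }
}
```

Run it on a schedule and compare successive CSVs (or alert on Windows security event 4738, "A user account was changed", whose old and new UAC values show the flag being cleared) to catch the changes the operational notes ask you to alert on.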
Audit / evidence tips
- Ask for the list of privileged accounts marked as sensitive: request documentation from the IT department showing which accounts have the sensitive setting activated. Good evidence includes a dated record of all such accounts with verification steps.
- Ask to see the policy document on account privileges: request the official policy that outlines how privileged accounts should be handled. Good evidence is a policy document with specific guidelines on handling and updating account settings.
- Ask for a recent review report of privileged accounts: check whether there is a report documenting a review of these account settings. Good evidence includes a recent report with any adjustments made and the rationale for each.
- Ask about training materials provided for staff: request any presentations or documents used in training sessions about account sensitivity and delegation. Good evidence includes comprehensive material with structured learning outcomes.
- Ask to see an example of a response to a role change: request documentation showing how a role or staff change was managed in terms of account settings. Good evidence provides clear timelines and the actions taken by the IT and HR teams.
Cross-framework mappings
How ISM-1835 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.2 | ISM-1835 requires privileged Active Directory (AD) accounts to be configured as sensitive so they cannot be delegated, reducing the risk ... | |
| Supports (1) | | |
| Annex A 5.3 | Annex A 5.3 requires segregation of conflicting duties so that powerful capabilities are not concentrated in a way that allows self-autho... | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| E8-RA-ML3.3 | E8-RA-ML3.3 requires JIT administration so privileged access is only active for short periods when administering systems and applications | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.