Restrict Pre-Windows 2000 Access Group Membership
Ensure no user accounts are added to the obsolete security group for better system security.
Plain language
This control is about making sure an old Active Directory compatibility setting is no longer used to give people access. The Pre-Windows 2000 Compatible Access group exists so that very old systems could read information about users and groups; if user accounts are left in it, they get that broad read access too, which makes it easier for someone to find and reach sensitive information on your network. This could put your organisation's data and operations at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
The Pre-Windows 2000 Compatible Access security group does not contain user accounts.
Why it matters
Membership of the Pre-Windows 2000 Compatible Access group grants read access to the attributes of all users, groups and computers in the domain (the permissions Windows NT 4.0 servers once needed). A user account placed in the group, directly or through a nested group, can therefore enumerate the directory broadly, which is useful for reconnaissance and increases the risk of unauthorised data exposure.
Operational notes
Periodically query Active Directory for members of the Pre-Windows 2000 Compatible Access group (well-known SID S-1-5-32-554), resolving nested groups as well as direct members, and remove any user accounts so the group carries none. The control speaks of user accounts; whether the built-in Authenticated Users principal that many domains carry in the group by default should also be removed is a separate hardening decision, to be taken after confirming nothing still depends on it.
Implementation tips
- IT Manager should work with the IT team to review current group memberships. List all accounts in the Active Directory security groups of interest, focusing on the 'Pre-Windows 2000 Compatible Access' group and including members reached through nested groups.
- System Administrator should remove any user accounts from the group. In Active Directory, locate 'Pre-Windows 2000 Compatible Access', remove directly added user accounts, and resolve any nested group that carries user accounts into it.
- IT Security Officer should audit regularly to ensure compliance. Use directory management tools to confirm that no user accounts have been added to the group, by mistake or otherwise, since the last check.
- HR team should coordinate with IT when employees are onboarded or offboarded, so that group memberships are assigned and reviewed correctly at those points and unnecessary access is not granted.
- IT Support Staff should train IT staff on why legacy compatibility settings such as this group exist, why they are outdated, and why accounts must not be added to them.
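The membership check and clean-up described in the operational notes and implementation tips, as an added PowerShell example (not code from the ISM or from this page's publisher). It assumes the RSAT ActiveDirectory module is installed, that the account running it can read the domain and, for -Remediate, modify the BUILTIN group, and that the report path is a local choice. The LDAP_MATCHING_RULE_IN_CHAIN query (OID 1.2.840.113556.1.4.1941) resolves users who reach the group through nesting, which a plain listing of direct members misses.

```powershell
<#
  Added example: audit, and optionally remediate, ISM-1846.
  Not from the ISM or this page's publisher. Assumes the ActiveDirectory RSAT module,
  read access to the domain and (for -Remediate) rights to modify the BUILTIN group.
  Run without -Remediate to report; add -Remediate -WhatIf to preview removals.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remediate,
    [string]$ReportPath = ".\ISM-1846-pre2000-$(Get-Date -Format 'yyyyMMdd').csv"  # assumed location
)

Import-Module ActiveDirectory -ErrorAction Stop

# Locate the group by its well-known SID so a renamed or localised display name is still found.
$group = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member

# 1. Direct members, resolved to their object class (users, groups, foreign security
#    principals such as Authenticated Users). This is the evidence list an auditor asks for.
$direct = @(foreach ($dn in $group.member) {
    $obj = Get-ADObject -Identity $dn -Properties objectClass, objectSid
    [pscustomobject]@{
        Name        = $obj.Name
        ObjectClass = $obj.objectClass
        SID         = $obj.objectSid.Value
        DN          = $dn
    }
})
if ($direct.Count -gt 0) { $direct | Export-Csv -Path $ReportPath -NoTypeInformation }

# 2. Transitive user membership. LDAP_MATCHING_RULE_IN_CHAIN walks nested groups server-side,
#    so a user placed in a group that is itself a member is still caught. Get-ADUser returns
#    only user objects, which is exactly the control's scope.
$filter = "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
$users  = @(Get-ADUser -LDAPFilter $filter)

if ($users.Count -eq 0) {
    Write-Output "PASS: no user accounts are members of '$($group.Name)' (direct or nested)."
} else {
    Write-Output "FAIL: $($users.Count) user account(s) resolve into '$($group.Name)':"
    $users | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
}

# 3. Remediation removes only directly added user accounts. A user inherited through a
#    nested group is reported for review instead, because silently dropping that group
#    may break whatever compatibility need it was added for.
if ($Remediate) {
    $directUsers = $direct | Where-Object ObjectClass -eq 'user'
    foreach ($u in $directUsers) {
        if ($PSCmdlet.ShouldProcess($u.Name, "Remove from $($group.Name)")) {
            Remove-ADGroupMember -Identity $group -Members $u.DN -Confirm:$false
        }
    }
    $nestedOnly = $users | Where-Object { $direct.DN -notcontains $_.DistinguishedName }
    foreach ($n in $nestedOnly) {
        Write-Warning "$($n.SamAccountName) is a member via a nested group; review its membership chain."
    }
}
```

Run the script on a schedule (or from the audit procedure) and keep the CSV as the evidence artefact; a PASS line together with a report that lists only groups and built-in principals is what the audit tips below look for.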
Audit / evidence tips
- Ask: the directory group membership report. Request a report showing all members of the 'Pre-Windows 2000 Compatible Access' security group, including members reached through nested groups.
- Good: no user accounts appear, directly or through nested groups; an entirely empty group also satisfies the control.
- Ask: the security review records. Request records of any reviews or audits conducted on Active Directory group memberships.
- Good: the review is recent and shows that corrections were made where necessary.
- Ask: training materials provided to IT staff about managing Active Directory groups.
- Good: the materials describe removing accounts from this group as standard practice.
Cross-framework mappings
How ISM-1846 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (3) | | |
| Annex A 5.18 | ISM-1846 requires organisations to ensure the **Pre-Windows 2000 Compatible Access** group does not include user accounts, effectively en... | |
| Annex A 8.2 | ISM-1846 requires that the **Pre-Windows 2000 Compatible Access** group has no user accounts, removing an obsolete mechanism that can gra... | |
| Annex A 8.3 | ISM-1846 requires removal/prevention of user accounts in the **Pre-Windows 2000 Compatible Access** group to restrict unintended access a... | |
E8
| Control | Notes | Details |
|---|---|---|
| Supports (1) | | |
| E8-RA-ML1.2 | ISM-1846 requires that the legacy **Pre-Windows 2000 Compatible Access** group contains no user accounts to avoid unintended broad read a... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.