Control Stack
ISM-1846

Restrict Pre-Windows 2000 Access Group Membership

Ensure no user accounts are added to the obsolete security group for better system security.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2023

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
The Pre-Windows 2000 Compatible Access security group does not contain user accounts.

Source: ASD Information Security Manual (ISM)

Plain language

Active Directory still ships with a built-in group called Pre-Windows 2000 Compatible Access. It exists so that very old (Windows NT 4.0-era) systems and applications can read directory information they would otherwise be denied. Anything placed in this group gets broad read access to user, group and computer objects across the domain. If ordinary user accounts are put in it (often as a quick fix for an application that cannot read the directory), an attacker who compromises any one of those accounts can map out the whole domain, which is usually the first step of an internal attack. This control requires that the group contain no user accounts.

Why it matters

Members of the Pre-Windows 2000 Compatible Access group are granted read permissions over most user, group and computer objects in the domain, a concession made for NT 4.0-era clients. A user account placed in the group therefore becomes a domain-wide enumeration point: compromising that single account exposes account names, group structure and other attributes that an attacker uses to plan lateral movement and privilege escalation. The membership is easy to overlook because the group lives in the Builtin container rather than alongside the groups administrators normally review.

Operational notes

Periodically query Active Directory for members of the Pre-Windows 2000 Compatible Access group and remove any user accounts so the group remains empty of them. Check nested membership as well as direct membership: a user who belongs to a group that is itself a member of Pre-Windows 2000 Compatible Access receives the same read access, and must be fixed by removing the nested group (or the user from it), not by editing the user. Note that in many domains the group already contains the well-known principal Authenticated Users (and, where the legacy compatibility option was selected when the domain was created, Everyone and Anonymous Logon). These are security principals rather than user accounts, so they do not fail this control on their own, but their presence should be reviewed against your own compatibility needs.

Implementation tips

  • IT Manager should work with the IT team to review current group memberships. Produce a list of all members of the 'Pre-Windows 2000 Compatible Access' group in Active Directory, including members inherited through nested groups, and classify each as a user account, a group, a computer or a well-known principal.
  • System Administrator should remove any user accounts from the group. In Active Directory, locate the 'Pre-Windows 2000 Compatible Access' group in the Builtin container and remove any direct user members; where a user is a member through a nested group, remove that group from Pre-Windows 2000 Compatible Access or the user from the nested group. Record the reason any account was added, so the application or process that relied on the access can be fixed properly instead of the membership being quietly restored.
  • IT Security Officer should conduct a regular audit to confirm compliance. Use directory management tools or a scheduled script to check that no user accounts have been added to the group, directly or via nesting, since the last review.
  • HR team should coordinate with IT during onboarding, role changes and offboarding so that group memberships are assigned from approved role templates and reviewed at each transition, preventing this group from being used as a convenient catch-all.
  • IT Support Staff should brief administrators and application owners, rather than end users, on why this group exists, why adding accounts to it is not an acceptable workaround for an application that cannot read the directory, and how to request the specific read permissions an application actually needs.
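The following script is an added example for the operational notes and implementation tips above; it is not code from the ISM or from Control Stack. It reports every member of the group, lists user accounts that are members directly or through any chain of nested groups, and with -Remove takes direct user members out of the group. Its output also serves as the membership report requested under the audit tips below. It assumes the RSAT ActiveDirectory PowerShell module is installed, that it runs as an account permitted to read (and, for -Remove, modify) the group, and that the group still has its default name.

```powershell
<#
  Added example for ISM-1846 (not code from the ISM or Control Stack).
  Reports direct members of the Pre-Windows 2000 Compatible Access group,
  lists user accounts that are members directly or via nested groups, and
  with -Remove removes the direct user members.
  Assumes the RSAT ActiveDirectory module and an account that can read
  (and, for -Remove, modify) the group.
#>
param(
    [string]$GroupName = 'Pre-Windows 2000 Compatible Access',
    [switch]$Remove
)
Import-Module ActiveDirectory

# Escape a DN for use inside an LDAP filter (RFC 4515 special characters).
function ConvertTo-LdapFilterValue([string]$s) {
    $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

$group   = Get-ADGroup -Identity $GroupName -Properties member
$groupDn = $group.DistinguishedName

# 1. Direct membership, resolved object by object. Well-known principals such as
#    Authenticated Users (S-1-5-11) appear as foreignSecurityPrincipal objects;
#    resolving them individually avoids the errors Get-ADGroupMember can raise on them.
Write-Output "Direct members of '$GroupName':"
foreach ($dn in $group.member) {
    $o = Get-ADObject -Identity $dn -Properties objectSid
    Write-Output ("  {0,-26} {1,-30} {2}" -f $o.objectClass, $o.Name, $o.objectSid.Value)
}

# 2. User accounts that are members directly OR through nested groups, using the
#    LDAP_MATCHING_RULE_IN_CHAIN extensible match (OID 1.2.840.113556.1.4.1941).
#    A nested user receives the group's read access exactly like a direct member.
$groupFilterValue = ConvertTo-LdapFilterValue $groupDn
$inChain = "(memberOf:1.2.840.113556.1.4.1941:=$groupFilterValue)"
$users   = @(Get-ADUser -LDAPFilter $inChain -Properties memberOf)

if ($users.Count -eq 0) {
    Write-Output "Compliant: no user accounts are members of '$GroupName' (directly or nested)."
    return
}

foreach ($u in $users) {
    if ($u.memberOf -contains $groupDn) {
        Write-Output "NON-COMPLIANT: $($u.SamAccountName) is a DIRECT member"
        if ($Remove) {
            Remove-ADGroupMember -Identity $group -Members $u -Confirm:$false
            Write-Output "  removed $($u.SamAccountName) from '$GroupName'"
        }
    } else {
        # Nested membership: find the group(s) that carry this user into the chain,
        # so the reviewer fixes the nesting instead of trying to remove the user here.
        $userFilterValue = ConvertTo-LdapFilterValue $u.DistinguishedName
        $via = @(Get-ADGroup -LDAPFilter "(&(memberOf:1.2.840.113556.1.4.1941:=$groupFilterValue)(member=$userFilterValue))")
        Write-Output "NON-COMPLIANT: $($u.SamAccountName) is a NESTED member via: $($via.Name -join ', ')"
    }
}
```

Run it without -Remove first and keep the output as the audit evidence; run with -Remove only after the application or process that depended on the membership has been given the specific permissions it needs. The in-chain query is deliberately used instead of Get-ADGroupMember -Recursive because it is evaluated server-side and returns only user objects, so it is unaffected by the foreign security principals that normally sit in this group.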

Audit / evidence tips

  • Ask for: a membership report for the 'Pre-Windows 2000 Compatible Access' security group, showing direct members and any user accounts reachable through nested groups

  • Good: the report contains no user accounts, directly or nested; any remaining members are groups or well-known principals with a documented reason

  • Ask for: security review records of audits conducted on Active Directory group memberships

  • Good: the most recent review is within the organisation's review period and shows that any user accounts found were removed and the cause addressed

  • Ask for: guidance or training materials provided to administrators and application owners on managing Active Directory groups

  • Good: the materials state that user accounts must not be added to this group and describe how to grant an application the specific directory read permissions it needs instead

Cross-framework mappings

How ISM-1846 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001 (partially meets, 3 controls)

  • Annex A 5.18: ISM-1846 requires organisations to ensure the **Pre-Windows 2000 Compatible Access** group does not include user accounts, effectively en...
  • Annex A 8.2: ISM-1846 requires that the **Pre-Windows 2000 Compatible Access** group has no user accounts, removing an obsolete mechanism that can gra...
  • Annex A 8.3: ISM-1846 requires removal/prevention of user accounts in the **Pre-Windows 2000 Compatible Access** group to restrict unintended access a...

E8 (supports, 1 control)

  • E8-RA-ML1.2: ISM-1846 requires that the legacy **Pre-Windows 2000 Compatible Access** group contains no user accounts to avoid unintended broad read a...
