Annual Review of DCSync Permissions
Review DCSync user permissions yearly and remove them if no longer needed.
Plain language
In simple terms, this control is about regularly checking who has the ability to make privileged changes to, or pull confidential information from, your organisation's directory of users, such as resetting passwords or accessing confidential information. This matters because if someone with these powers no longer needs them, they could accidentally or maliciously cause a data breach or disrupt your operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
User accounts with DCSync permissions are reviewed at least annually, and those without an ongoing requirement for the permissions have them removed.
Why it matters
Failure to review DCSync permissions annually may allow unauthorised data access, risking severe breaches and operational disruptions.
Operational notes
Schedule annual audits of DCSync roles and document findings to ensure any unnecessary permissions are swiftly revoked.
Implementation tips
- IT managers should identify all users currently holding DCSync permissions. They can do this by running a report in the Active Directory user management system and creating a list of these users.
- System administrators need to schedule a yearly review of these permissions. They can organise a reminder in their calendar and allocate a specific time to go through the permissions list.
- The security team should meet with department heads to validate whether each user's permissions are still necessary. For each user, they should discuss if their role requires such access and document the conclusion.
- IT support staff must remove DCSync permissions for users who no longer need them. They can accomplish this using the Active Directory management tools to adjust the permissions.
- Managers should document the review process and outcomes. Keep records of who was reviewed, what decisions were made, and any changes to permissions using a simple spreadsheet or document.
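The identification, review and removal steps above can be carried out together from a domain-joined administrative host. The following PowerShell script is an added example, not code from this page, from Control Stack or from the ASD ISM. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read (and, for removals, write) the ACL of the domain naming context. DCSync is possible for any identity holding the replication extended rights on the domain object, so the script reads that ACL rather than a user attribute. The rightsGuid values are the well-known Microsoft schema GUIDs; the list of expected default holders and the identity name CONTOSO\svc-legacy-sync are assumptions for illustration and should be adjusted to your forest.

```powershell
<#
  Added example (not from the Control Stack page or the ASD ISM).
  Enumerates the identities holding the extended rights that together permit
  DCSync on the domain naming context, writes a dated CSV as review evidence,
  and provides a removal helper for entries the review decides are not required.
  Assumptions: RSAT ActiveDirectory module present; caller may read/write the
  domain object's ACL; $ExpectedHolders adjusted to the local forest.
#>
Import-Module ActiveDirectory

# Well-known rightsGuid values of the replication extended rights (Microsoft schema).
$DcsyncRightGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# An ExtendedRight ACE whose ObjectType is the empty GUID grants every extended right.
$AllExtendedRightsGuid = '00000000-0000-0000-0000-000000000000'

# Identities that usually hold these rights by design (assumption: review and adjust per forest).
# They are flagged as Expected in the report rather than hidden, so the reviewer still sees them.
$ExpectedHolders = @('Administrators', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS',
                     'Domain Controllers', 'Enterprise Read-only Domain Controllers', 'Enterprise Admins')

function Get-DcsyncPermission {
    param([string]$DomainDn = (Get-ADDomain).DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DomainDn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $guid   = $ace.ObjectType.ToString()
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            # GenericAll contains every extended right, so it permits DCSync as well.
            $grant = 'GenericAll'
        } elseif ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            if ($guid -eq $AllExtendedRightsGuid)       { $grant = 'All extended rights' }
            elseif ($DcsyncRightGuids.ContainsKey($guid)) { $grant = $DcsyncRightGuids[$guid] }
            else { continue }   # some other extended right, not relevant to DCSync
        } else { continue }
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Grant     = $grant
            Inherited = $ace.IsInherited
            Expected  = ($ExpectedHolders -contains $name)
        }
    }
}

function Expand-Holder {
    # Resolve holders that are AD groups to their recursive membership, so the review
    # names the actual accounts that can perform DCSync, not only the group.
    param([Parameter(ValueFromPipeline = $true)]$Finding)
    process {
        $name = ($Finding.Identity -split '\\')[-1]
        $obj  = Get-ADObject -Filter "SamAccountName -eq '$name'" -ErrorAction SilentlyContinue
        $members = ''
        if ($obj -and $obj.ObjectClass -eq 'group') {
            $members = (Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive -ErrorAction SilentlyContinue |
                        Select-Object -ExpandProperty SamAccountName) -join ';'
        }
        $Finding | Add-Member -NotePropertyName Members -NotePropertyValue $members -PassThru
    }
}

function Remove-DcsyncPermission {
    # Removes only the explicit replication extended-right ACEs for one identity.
    # GenericAll ACEs are deliberately left alone: removing them changes far more than DCSync.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Identity,   # e.g. 'CONTOSO\svc-legacy-sync' (hypothetical)
        [string]$DomainDn = (Get-ADDomain).DistinguishedName
    )
    $path = "AD:\$DomainDn"
    $acl  = Get-Acl -Path $path
    $targets = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        -not $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        ($_.ObjectType.ToString() -eq $AllExtendedRightsGuid -or $DcsyncRightGuids.ContainsKey($_.ObjectType.ToString()))
    })
    $changed = $false
    foreach ($ace in $targets) {
        if ($PSCmdlet.ShouldProcess("$Identity on $DomainDn", "Remove extended right $($ace.ObjectType)")) {
            [void]$acl.RemoveAccessRuleSpecific($ace)
            $changed = $true
        }
    }
    if ($changed) { Set-Acl -Path $path -AclObject $acl }
}

# Review run: the dated CSV is the evidence artefact for the annual review file.
$report = Get-DcsyncPermission | Expand-Holder
$report | Sort-Object Expected, Identity | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path ("DCSync-review-{0:yyyy-MM-dd}.csv" -f (Get-Date))
# After the review decides an entry is not required (hypothetical identity; dry-run first with -WhatIf):
# Remove-DcsyncPermission -Identity 'CONTOSO\svc-legacy-sync' -WhatIf
```

Run the report before the review meeting and attach the CSV to the review record; entries with Expected set to False and a non-empty Members column are the ones department heads need to justify. Group expansion matters because rights are commonly granted to groups, so a group member gains DCSync capability without ever being named in the ACL. Keep the removal helper to explicit extended-right ACEs only, as written; inherited or GenericAll entries should be examined at their source object rather than edited on the domain root.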
Audit / evidence tips
- Ask: the latest DCSync permissions review report. Good: the report will show only users whose roles justify access, with reasons listed.
- Ask: a dated schedule of the permission reviews. Check the frequency and the last two review dates. A strong process will show consistent scheduling, ideally no more than a year apart, following the Australian Cyber Security Centre's guidelines.
Cross-framework mappings
How ISM-1934 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | | |
| Annex A 5.18 | ISM-1934 requires user accounts with DCSync permissions to be reviewed at least annually and removed where there is no ongoing need | |
| Annex A 8.2 | ISM-1934 requires periodic (at least annual) review of DCSync permissions and removal if there is no ongoing requirement | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| E8-RA-ML3.1 | ISM-1934 requires user accounts with DCSync permissions to be reviewed at least annually and removed if not required | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.