Annual Review of DCSync Permissions
Review DCSync user permissions yearly and remove them if no longer needed.
🏛️ Framework
ASD Information Security Manual (ISM)
🧭 Control effect
Preventative
🔐 Classifications
NC, OS, P, S, TS
🗓️ ISM last updated
Aug 2024
✏️ Control Stack last updated
22 Feb 2026
🎯 E8 maturity levels
N/A
User accounts with DCSync permissions are reviewed at least annually, and those without an ongoing requirement for the permissions have them removed.
Source: ASD Information Security Manual (ISM)
Plain language
In simple terms, this control is about regularly checking who holds the rights that let an account ask a domain controller for a copy of the directory, including the password hashes of every user. Domain controllers need these rights to replicate with each other, and attackers abuse the same rights in what is known as the DCSync technique. Ordinary user and service accounts almost never need them, and if an account keeps them after the need has passed, whoever controls that account can effectively take over the domain.
Why it matters
An account that holds directory replication rights can retrieve the password hash of any account in the domain, including the krbtgt account whose key signs every Kerberos ticket, without ever logging on to a domain controller. A stale grant, such as one left behind by a decommissioned migration tool or a departed administrator, is therefore a standing path to full domain compromise and a quiet way for an intruder to persist. Reviewing the grants at least annually bounds how long one can go unnoticed.
Operational notes
Schedule annual reviews of the replication permissions on the domain object, record who held them and why, and revoke any grant that lacks a current documented justification as soon as it is found rather than at the next review.
Implementation tips
- IT managers should identify all principals (users, groups and service accounts) currently holding DCSync-capable permissions. These are not a role but three extended rights on the access control list of the domain object: Replicating Directory Changes, Replicating Directory Changes All and Replicating Directory Changes In Filtered Set. Enumerate the domain object's ACL (with PowerShell, ADSI Edit or a directory audit tool) and expand group membership, since a right granted to a group applies to every member.
- System administrators need to schedule a yearly review of these permissions. They can set a recurring calendar reminder and allocate time to go through the list, comparing it with the previous review so that new grants stand out.
- The security team should meet with department heads and service owners to validate whether each holder still needs the rights. Domain controllers and the built-in administrative groups hold them by default, and a directory synchronisation service such as Microsoft Entra Connect needs them for password hash synchronisation; almost nothing else does. For each holder, record whether the access is still required and why.
- IT support staff must remove DCSync permissions for principals who no longer need them, using Active Directory management tools to delete the relevant access control entries from the domain object. Disabling the account is not a substitute: the entry stays in the ACL and becomes live again if the account is re-enabled, so remove the entry and raise a change record for each removal.
- Managers should document the review process and outcomes. Keep records of who was reviewed, what decisions were made and any changes to permissions, with the date of each review, in a spreadsheet or document that can be produced as evidence.
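The steps above can be carried out from one PowerShell session on a domain-joined management host. The script below is an added example, not from the ISM or this page: it enumerates every access control entry on the domain object that grants one of the three replication extended rights (identified by their well-known rightsGuid values), flags holders that are not in an approved baseline, lists holders of GenericAll, WriteDacl or WriteOwner on the domain object (who could grant themselves the rights), writes a dated CSV as review evidence, and revokes the explicit entries for a named principal with -WhatIf support. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and an account permitted to read and modify the domain ACL. The approved-holder list is a starting point for the reviewer to confirm, not an authority, and the MSOL_ and svc-legacy-migration account names are placeholders.

```powershell
# Added example: enumerate, report and revoke DCSync-capable rights on the domain naming context.
# Assumes the RSAT ActiveDirectory module and rights to read/modify the domain object ACL.
Import-Module ActiveDirectory

# The three extended rights that together enable directory replication (DCSync).
# GUIDs are the rightsGuid values of the corresponding controlAccessRight schema objects.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

$Domain   = Get-ADDomain
$DomainDN = $Domain.DistinguishedName
$NetBIOS  = $Domain.NetBIOSName

# Approved baseline: principals expected to hold these rights by design. This is the
# reviewer's own record to confirm against the environment, not an authoritative list.
# Add a directory synchronisation service account (hypothetical name "$NetBIOS\MSOL_0123abcd"
# for Entra Connect password hash sync) only if such a service is actually deployed.
$ApprovedHolders = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$NetBIOS\Domain Controllers",
    "$NetBIOS\Enterprise Read-only Domain Controllers",
    "$NetBIOS\Domain Admins",
    "$NetBIOS\Enterprise Admins"
)

function Get-DCSyncHolders {
    # One row per (principal, replication right) Allow ACE on the domain object,
    # flagged Approved according to $ApprovedHolders.
    $acl = Get-Acl -Path "AD:\$DomainDN"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
            $ReplicationRights.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Right     = $ReplicationRights[$_.ObjectType.ToString()]
                Inherited = $_.IsInherited
                Approved  = $ApprovedHolders -contains $_.IdentityReference.Value
            }
        }
}

function Get-DCSyncEquivalentHolders {
    # GenericAll, WriteDacl or WriteOwner on the domain object lets a principal grant itself
    # the replication rights, so the annual review should list these holders as well.
    $acl  = Get-Acl -Path "AD:\$DomainDN"
    $mask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.ActiveDirectoryRights -band $mask) -ne 0) } |
        Select-Object @{n='Identity'; e={ $_.IdentityReference.Value }},
                      @{n='Right';    e={ $_.ActiveDirectoryRights }},
                      @{n='Approved'; e={ $ApprovedHolders -contains $_.IdentityReference.Value }}
}

function Remove-DCSyncRights {
    # Removes the explicit (non-inherited) replication ACEs for one principal.
    # -WhatIf previews the change; run without it inside the approved change window.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity)

    $acl   = Get-Acl -Path "AD:\$DomainDN"
    $rules = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        -not $_.IsInherited -and
        $ReplicationRights.ContainsKey($_.ObjectType.ToString())
    })
    if ($rules.Count -eq 0) { Write-Warning "No explicit replication ACEs found for $Identity"; return }

    if ($PSCmdlet.ShouldProcess($DomainDN, "Remove $($rules.Count) replication ACE(s) for $Identity")) {
        foreach ($rule in $rules) { [void]$acl.RemoveAccessRule($rule) }
        Set-Acl -Path "AD:\$DomainDN" -AclObject $acl
    }
}

# Evidence for the annual review: a dated CSV of every holder and whether it is approved,
# plus an on-screen list of anything outside the baseline that needs a justification or removal.
$stamp  = Get-Date -Format 'yyyy-MM-dd'
$report = @(Get-DCSyncHolders) + @(Get-DCSyncEquivalentHolders)
$report | Export-Csv -NoTypeInformation -Path "DCSync-review-$stamp.csv"
$report | Where-Object { -not $_.Approved } | Format-Table -AutoSize

# Revoking a stale grant, previewed first (placeholder identity):
# Remove-DCSyncRights -Identity "$NetBIOS\svc-legacy-migration" -WhatIf
```

Rights granted to a group apply to every member, so for each group in the report also export its (recursive) membership with Get-ADGroupMember -Recursive and review those accounts. Inherited entries are reported but not removed by Remove-DCSyncRights, because they originate above the domain object and must be fixed at their source.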
Audit / evidence tips
- Ask: the latest DCSync permissions review report. Good: the report lists every principal holding the replication rights, with a recorded business justification for each one retained and a record of each one removed.
- Ask: a dated schedule of the permission reviews, and check the frequency and the last two review dates. Good: reviews are consistently scheduled no more than a year apart, in line with the ACSC's guidance in the ISM.
Cross-framework mappings
How ISM-1934 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | ||
| Annex A 5.18 | ISM-1934 requires user accounts with DCSync permissions to be reviewed at least annually and removed where there is no ongoing need | |
| Annex A 8.2 | ISM-1934 requires periodic (at least annual) review of DCSync permissions and removal if there is no ongoing requirement | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| E8-RA-ML3.1 | ISM-1934 requires user accounts with DCSync permissions to be reviewed at least annually and removed if not required | |