ISM-1934 | Policy | ASD Information Security Manual (ISM)

Annual Review of DCSync Permissions

Review DCSync user permissions yearly and remove them if no longer needed.


Plain language

In simple terms, this control is about regularly checking which accounts hold DCSync permissions: the directory replication rights that let an account request a copy of your organisation's directory data from a domain controller, including users' password hashes and other confidential information. This is important because if someone with these powers no longer needs them, they (or an attacker who takes over their account) could accidentally or maliciously cause a data breach or disrupt your operations.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

User accounts with DCSync permissions are reviewed at least annually, and those without an ongoing requirement for the permissions have them removed.

Why it matters

Failure to review DCSync permissions annually leaves stale replication rights in place; an account that no longer needs them, or an attacker who compromises it, can use them to replicate credential data from domain controllers, risking severe breaches and operational disruption.


Operational notes

Schedule annual audits of DCSync roles and document findings to ensure any unnecessary permissions are swiftly revoked.


Implementation tips

  • IT managers should identify all users currently holding DCSync permissions. They can do this by running a report in the Active Directory user management system and creating a list of these users.
  • System administrators need to schedule a yearly review of these permissions. They can organise a reminder in their calendar and allocate a specific time to go through the permissions list.
  • The security team should meet with department heads to validate whether each user's permissions are still necessary. For each user, they should discuss if their role requires such access and document the conclusion.
  • IT support staff must remove DCSync permissions for users who no longer need them. They can accomplish this using the Active Directory management tools to adjust the permissions.
  • Managers should document the review process and outcomes. Keep records of who was reviewed, what decisions were made, and any changes to permissions using a simple spreadsheet or document.
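The steps above (identify holders, review, remove, document) can be driven from one script. The following PowerShell is an added example and is not code from the ISM or from Control Stack; it assumes the RSAT ActiveDirectory module, a domain-joined session that can read the domain object's security descriptor, and (for removals) an account permitted to modify it. The function names, the CSV layout and the sample principal 'CONTOSO\svc-legacy' are hypothetical. DCSync rests on the well-known extended rights DS-Replication-Get-Changes and DS-Replication-Get-Changes-All granted on the domain naming context, so the script reads the ACL of that object rather than searching user attributes.

```powershell
# Added example (not the ISM's or Control Stack's own code): list every principal
# granted DCSync-capable rights on the domain naming context, write a review sheet,
# and remove a principal's replication rights once the review decides they are unneeded.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs; holding the first two is what enables DCSync.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DCSyncHolder {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights     = $ace.ActiveDirectoryRights.ToString()
        $objectType = $ace.ObjectType.ToString()

        # GenericAll, or ExtendedRight with an empty object type, covers every
        # extended right and therefore the replication rights as well.
        if ($rights -match 'GenericAll') {
            $label = 'GenericAll (implies all replication rights)'
        } elseif ($rights -match 'ExtendedRight' -and $objectType -eq [guid]::Empty.ToString()) {
            $label = 'All extended rights (implies all replication rights)'
        } elseif ($rights -match 'ExtendedRight' -and $ReplicationRights.ContainsKey($objectType)) {
            $label = $ReplicationRights[$objectType]
        } else {
            continue
        }

        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $label
            Inherited = $ace.IsInherited
        }
    }
}

function New-DCSyncReviewSheet {
    # One row per principal; the blank columns are filled in during the review meeting.
    param([string]$Path = ".\DCSync-Review-$(Get-Date -Format 'yyyy-MM-dd').csv")

    $rows = Get-DCSyncHolder |
        Group-Object Principal |
        ForEach-Object {
            [pscustomobject]@{
                Principal     = $_.Name
                Rights        = ($_.Group.Right | Sort-Object -Unique) -join '; '
                ReviewedOn    = Get-Date -Format 'yyyy-MM-dd'
                StillNeeded   = ''   # Yes/No, agreed with the department head
                Justification = ''
                Reviewer      = ''
            }
        }
    $rows | Export-Csv -Path $Path -NoTypeInformation
    $rows
}

function Remove-DCSyncRight {
    # Removes only explicit (non-inherited) replication ACEs for one principal.
    # Supports -WhatIf / -Confirm so the change can be rehearsed before it is made.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Principal,   # e.g. 'CONTOSO\svc-legacy' (hypothetical)
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )
    $path = "AD:\$DomainDN"
    $acl  = Get-Acl -Path $path
    $targets = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Value -eq $Principal -and
        $_.ActiveDirectoryRights.ToString() -match 'ExtendedRight' -and
        $ReplicationRights.ContainsKey($_.ObjectType.ToString())
    }
    foreach ($ace in $targets) {
        $name = $ReplicationRights[$ace.ObjectType.ToString()]
        if ($PSCmdlet.ShouldProcess($Principal, "Remove $name")) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    if ($targets) { Set-Acl -Path $path -AclObject $acl }
}

New-DCSyncReviewSheet | Format-Table -AutoSize
# Remove-DCSyncRight -Principal 'CONTOSO\svc-legacy' -WhatIf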

Audit / evidence tips

  • Ask: The latest DCSync permissions review report. Good: The report will show only users whose roles justify access, with reasons listed.
  • Ask: A dated schedule of the permission reviews. Check the frequency and the last two review dates. Good: A strong process will show consistent scheduling, ideally no more than a year apart, following the Australian Cyber Security Centre's guidelines.

Cross-framework mappings

How ISM-1934 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (2 controls)

Control        Notes
Annex A 5.18   ISM-1934 requires user accounts with DCSync permissions to be reviewed at least annually and removed where there is no ongoing need.
Annex A 8.2    ISM-1934 requires periodic (at least annual) review of DCSync permissions and removal if there is no ongoing requirement.

E8

Partially meets (1 control)

Control        Notes
E8-RA-ML3.1    ISM-1934 requires user accounts with DCSync permissions to be reviewed at least annually and removed if not required.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
