ISM-1937, ASD Information Security Manual (ISM)

Weekly Audit of sIDHistory in User Accounts

Check user accounts weekly to ensure they don't have the sIDHistory attribute.

Plain language

This control is about regularly checking that the sIDHistory attribute is not present on user accounts in Microsoft Active Directory. Ignoring it could allow unauthorised access or attacks that take advantage of old, previously removed permissions, putting your sensitive data at risk.

Framework

ASD Information Security Manual (ISM)

Control effect

Detective

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

User accounts are checked at least weekly for the presence of the sIDHistory attribute.
ASD Information Security Manual (ISM), ISM-1937

Why it matters

If sIDHistory is not audited weekly, legacy SIDs can remain on accounts and be used to inherit old permissions, enabling unauthorised access and data compromise.


Operational notes

Run a weekly query/report for non-empty sIDHistory on all user accounts, investigate any entries, and record results and remediation actions in your audit log.
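
One way to run the weekly check described above, as an added PowerShell example that is not part of the ISM or of this page's source. It assumes the RSAT ActiveDirectory module on a domain-joined host; the report folder, file names and the SameDomainSid triage column are assumptions of this example.

```powershell
#Requires -Modules ActiveDirectory
# Added example: weekly sIDHistory audit for user accounts.
param(
    [string]$ReportDir = 'C:\Audit\sIDHistory'   # assumed evidence folder
)

$runTime   = Get-Date
$domainSid = (Get-ADDomain).DomainSID.Value

# LDAP presence filter: returns only user accounts whose sIDHistory is populated.
$findings = @(
    Get-ADUser -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, whenChanged |
        ForEach-Object {
            $user = $_
            foreach ($sid in $user.sIDHistory) {
                [pscustomobject]@{
                    CheckedAt         = $runTime.ToString('s')
                    SamAccountName    = $user.SamAccountName
                    DistinguishedName = $user.DistinguishedName
                    Enabled           = $user.Enabled
                    WhenChanged       = $user.whenChanged
                    HistoricSid       = $sid.Value
                    # A historic SID from the account's own domain is not what a
                    # cross-domain migration leaves behind, so triage these first.
                    SameDomainSid     = ($sid.AccountDomainSid.Value -eq $domainSid)
                }
            }
        }
)

New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$stamp = $runTime.ToString('yyyyMMdd-HHmmss')

if ($findings.Count -gt 0) {
    $findings | Export-Csv -Path (Join-Path $ReportDir "sidhistory-$stamp.csv") -NoTypeInformation
}

# One line per run, so a clean week still leaves evidence that the check happened.
$accounts = @($findings | Select-Object -ExpandProperty SamAccountName -Unique).Count
$line = '{0} accounts_with_sIDHistory={1} entries={2}' -f $runTime.ToString('s'), $accounts, $findings.Count
Add-Content -Path (Join-Path $ReportDir 'audit-log.txt') -Value $line
```

Each CSV row is one historic SID on one account, which gives the investigation and remediation record something concrete to reference.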


Implementation tips

  • The IT team should schedule a weekly task to review user accounts. They can do this by setting a calendar reminder to run a script that checks for the sIDHistory attribute on Active Directory accounts.
  • System administrators should use tools or scripts that are designed to identify the sIDHistory attribute. They can often find these tools in security management software that they already use, like those recommended by the Australian Cyber Security Centre.
  • HR should coordinate with the IT team during employee offboarding. This ensures that when someone leaves, their access is removed promptly, reducing the chance that sIDHistory can be misused.
  • IT Security Managers should document a procedure for dealing with accounts that still have the sIDHistory attribute. This might involve immediate removal of the attribute and a review of any potential security issues caused.
  • Executives should ensure resources are allocated for regular training on this process. This could mean budget for IT staff to stay up-to-date with Microsoft Active Directory best practices recommended by the Australian Signals Directorate.

Audit / evidence tips

  • Ask: The most recent sIDHistory check report. This report should show when the last check was performed and the results. Good: A regular log with no or very few accounts showing residual sIDHistory attributes.
  • Ask: A list of all scripts or tools used. Good: Certified or well-documented scripts from reliable vendors.
  • Ask: The IT team's task schedule. Good: A recurring entry with more than two past completions.
  • Ask: Incident response procedures related to sIDHistory. Good: A clear, written procedure authorised by management.
  • Ask: Training logs or certificates. Good: Evidence of recent, regular training sessions attended by relevant staff members.

Cross-framework mappings

How ISM-1937 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 8.15: ISM-1937 requires organisations to check Active Directory user accounts at least weekly for the presence of the sIDHistory attribute, whi...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.