Restrict Domain Computers Group in Active Directory
Prevent Domain Computers from changing anything in Active Directory for security.
Plain language
This control ensures that regular computers in a network domain can't make changes to the overall directory, which is like the network's map or blueprint. It's important because if any computer could alter this map, chaos could ensue, potentially leading to data loss, breaches, or unplanned outages.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
The Domain Computers security group does not have write or modify permissions to any Microsoft Active Directory objects.
Why it matters
If Domain Computers can write to AD objects, compromised PCs can alter directory settings, disrupt authentication, and enable persistence or privilege escalation.
Operational notes
Review AD ACLs to ensure Domain Computers has no write/modify rights on objects; alert on any changes and remediate by removing inherited or delegated permissions.
Implementation tips
- The IT team should review the permissions granted to the Domain Computers group. They can do this by accessing the directory's access control settings and ensuring that write and modify permissions are not granted to this group.
- The IT manager should ensure a policy is in place to prevent unauthorised changes to Active Directory by domain computers. This can be done by regularly checking existing policies and updating them to match best practices outlined by the Australian Cyber Security Centre.
- System administrators should use a tool like Active Directory Users and Computers to periodically audit permissions on sensitive objects. This involves running a check on permissions to verify that domain computers have no more access rights than necessary.
- IT security staff should set up alerts to notify them if any changes are attempted by domain computers. This could involve configuring monitoring systems to detect and report unauthorised actions logged in Active Directory.
- The compliance officer should conduct quarterly reviews to ensure this control is applied correctly. Engaging with IT staff to confirm that procedures are followed and documented helps maintain compliance with the control.
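The ACL review described in the operational notes and implementation tips, as an added PowerShell example (not code from the Control Stack page or from ASD). It assumes the ActiveDirectory RSAT module is installed and that the caller can read the security descriptors of all objects in the domain partition.

```powershell
# Added example, not part of the Control Stack page or the ISM. Lists every access
# control entry (ACE) in the domain partition that grants the Domain Computers
# group a write-type right. Assumes the ActiveDirectory RSAT module is installed
# and the caller can read security descriptors on all objects (e.g. Domain Admins).
Import-Module ActiveDirectory

$domain = Get-ADDomain

# Identify the group by its well-known RID (515) so a renamed group is still caught,
# then resolve it to the DOMAIN\Name form that appears in ACEs.
$sid = [System.Security.Principal.SecurityIdentifier]"$($domain.DomainSID.Value)-515"
$domainComputers = $sid.Translate([System.Security.Principal.NTAccount]).Value

# Rights that allow changing an object, its attributes, its ACL/owner or its
# children. Self = validated writes; ExtendedRight covers control access rights
# such as password resets and replication.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights](
    'GenericAll, GenericWrite, WriteProperty, WriteDacl, WriteOwner, ' +
    'CreateChild, DeleteChild, Delete, DeleteTree, Self, ExtendedRight')

$findings = Get-ADObject -Filter * -SearchBase $domain.DistinguishedName |
    ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            # Only Allow ACEs for Domain Computers that carry at least one write right
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -eq $domainComputers -and
                ([int]($ace.ActiveDirectoryRights -band $writeRights)) -ne 0) {
                [pscustomobject]@{
                    Object     = $dn
                    Rights     = $ace.ActiveDirectoryRights
                    # All-zero GUID = whole object; otherwise a specific attribute/right
                    ObjectType = $ace.ObjectType
                    # Inherited ACEs must be remediated on the parent that defines them
                    Inherited  = $ace.IsInherited
                    Scope      = $ace.InheritanceType
                }
            }
        }
    }

if ($findings) {
    # Export as evidence for the permissions report requested during audit
    $findings | Export-Csv -Path .\DomainComputers-WriteRights.csv -NoTypeInformation
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No write or modify ACEs granted to Domain Computers in $($domain.DNSRoot)"
}
```

The control covers any AD object, so repeat the run with -SearchBase set to (Get-ADRootDSE).configurationNamingContext and (Get-ADRootDSE).schemaNamingContext to include the Configuration and Schema partitions. Remediate inherited ACEs at the container that defines them, otherwise the same entry reappears on every child.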
Audit / evidence tips
- Ask for the permissions report for Domain Computers: request a detailed document showing current permissions for the Domain Computers group in Active Directory. Good evidence is a report confirming that these permissions do not exist.
- Ask for records of recent permissions audits: request documentation of the last few audits conducted on Active Directory permissions. Good evidence is an audit log detailing dates, findings, and evidence of corrective actions if needed.
- Ask to see the directory change alert setup: request evidence of alert configurations related to Active Directory changes. Good evidence is a screenshot or policy showing such alerts configured and operational.
- Ask for a policy document about Active Directory management: request the organisation's policy document detailing management and security practices for Active Directory, and check that it explicitly prohibits domain computers from altering directory objects. Good evidence is a policy that explicitly states permissions management practices.
- Ask for training records related to directory management: request evidence showing IT staff are trained in permissions management within Active Directory. Good evidence is documentation proving ongoing training initiatives in line with best practices.
Cross-framework mappings
How ISM-1938 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| E8-RA-ML3.1 | ISM-1938 requires that the Active Directory "Domain Computers" group is not granted write or modify permissions to any AD objects, preven... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.