Limit Domain and Enterprise Admin Group Memberships
Reduce the number of users in highly privileged groups for better security.
Plain language
This control is about making sure only a small number of people have access to the most powerful and sensitive parts of your computer network. If too many people are in these special groups, it increases the risk of someone accidentally or intentionally causing harm to your system, which could lead to loss of important data or system downtime.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
The number of user accounts that are members of the Domain Admins, Enterprise Admins or other highly-privileged security groups is minimised.
Why it matters
Excessive membership of Domain/Enterprise Admin groups increases risk of full domain compromise, data breaches, and major service disruption if an account is misused or stolen.
Operational notes
Audit Domain Admins/Enterprise Admins regularly, remove non-essential accounts, and use time-bound elevation (e.g. PAM) so standing privileged group membership is minimised.
Implementation tips
- IT manager should review current membership of Domain and Enterprise Admins groups. Start by generating a list of users in these groups and check if each person really needs this level of access for their job.
- System administrator should regularly update the access list. Set a schedule, perhaps monthly, to review and adjust memberships, removing users who no longer need access.
- HR and IT should collaborate when an employee leaves the organisation. Ensure that the employee's access to these high-level groups is immediately revoked as part of the departure process.
- Business owners should periodically meet with IT to discuss admin access needs. Determine whether the current setup aligns with business needs and adjust as necessary to ensure only essential personnel retain high-level access.
- IT support should educate staff about the importance of restricting access. Hold a short training session to explain why limiting memberships in these groups is crucial to maintaining security.
Audit / evidence tips
- Ask for the membership list of Domain and Enterprise Admins.
- Ask to see records of access removal for departing employees. Check that these actions align with HR departure schedules. Good means access is revoked promptly and documented clearly.
- Ask for minutes of meetings between IT and business owners about admin access.
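The implementation tips above start with generating a list of everyone in the Domain Admins and Enterprise Admins groups, and the audit tips ask for that same list as evidence. The following script is an added example, not code from the Control Stack page or the ASD ISM. It produces a dated review list of every account with standing membership of those two groups, with the facts a reviewer needs (enabled or not, last logon, password age) to decide whether each one still belongs there. It assumes the RSAT ActiveDirectory module is installed on a domain-joined host whose user can read group membership; the output path and the 90-day "stale" threshold are placeholders to adjust locally.

```powershell
# Added example (not from the Control Stack page or the ASD ISM): snapshot the
# standing membership of Domain Admins and Enterprise Admins for periodic review.
# Assumes: RSAT ActiveDirectory module, domain-joined host, read access to AD.
# $OutputCsv and $StaleAfterDays are placeholders.

Import-Module ActiveDirectory

$StaleAfterDays = 90
$OutputCsv      = "C:\Evidence\privileged-group-review-$(Get-Date -Format 'yyyyMMdd').csv"

$forestRoot  = (Get-ADForest).RootDomain
$localDomain = (Get-ADDomain).DNSRoot

# Enterprise Admins exists only in the forest root domain, so it is queried
# there. Other highly-privileged groups (e.g. Schema Admins in the root, or the
# built-in Administrators group) can be appended to this list.
$groups = @(
    @{ Name = 'Domain Admins';     Server = $localDomain },
    @{ Name = 'Enterprise Admins'; Server = $forestRoot  }
)

$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

$rows = foreach ($g in $groups) {
    # -Recursive expands nested groups, so indirectly privileged accounts appear too
    $members = Get-ADGroupMember -Identity $g.Name -Server $g.Server -Recursive

    foreach ($m in $members) {
        # A member of a universal group may live in another domain of the forest;
        # derive its home domain from the DN so the lookup goes to a DC that
        # holds the full object (DC= components joined with dots).
        $homeDomain = (($m.DistinguishedName -split ',DC=') | Select-Object -Skip 1) -join '.'

        if ($m.objectClass -ne 'user') {
            # Computers and service accounts in an admin group get their own review line
            [pscustomobject]@{
                Group = $g.Name; Account = $m.SamAccountName; Domain = $homeDomain
                Type = $m.objectClass; Enabled = $null; LastLogonDate = $null
                PasswordLastSet = $null; Finding = 'Non-user principal in admin group'
            }
            continue
        }

        $u = Get-ADUser -Identity $m.DistinguishedName -Server $homeDomain `
                        -Properties Enabled, LastLogonDate, PasswordLastSet

        # Disabled or dormant accounts are the easy removals; everything else
        # still needs a human to confirm the business need.
        $finding = if (-not $u.Enabled) { 'Disabled account still a member' }
                   elseif (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) { "No logon in $StaleAfterDays days" }
                   else { 'Review: confirm still required' }

        [pscustomobject]@{
            Group = $g.Name; Account = $u.SamAccountName; Domain = $homeDomain
            Type = 'user'; Enabled = $u.Enabled; LastLogonDate = $u.LastLogonDate
            PasswordLastSet = $u.PasswordLastSet; Finding = $finding
        }
    }
}

# The dated CSV is the evidence artefact for the audit; keep each run.
$rows | Sort-Object Group, Account | Export-Csv -Path $OutputCsv -NoTypeInformation

# Headline numbers for the IT / business owner review meeting
$rows | Group-Object Group | ForEach-Object {
    '{0}: {1} standing members ({2} flagged for removal)' -f $_.Name, $_.Count,
        (@($_.Group | Where-Object Finding -notlike 'Review:*').Count)
}
"Full list written to $OutputCsv"
```

Run it on the schedule the tips suggest (e.g. monthly) and keep the CSVs; comparing two consecutive snapshots shows whether removals agreed at the previous review, including those for departed staff, were actually carried out. Accounts that only need elevation occasionally are better served by the time-bound PAM elevation mentioned in the operational notes than by a standing entry in this list.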
Cross-framework mappings
How ISM-1939 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Relationship | Control | Notes |
|---|---|---|
| Related | Annex A 8.2 | Annex A 8.2 requires privileged access rights to be restricted and managed, including limiting who holds highly privileged permissions |
E8
| Relationship | Mapped Essential Eight controls |
|---|---|
| Partially meets | 1 |
| Supports | 5 |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.