ISM-1939 policy ASD Information Security Manual (ISM)

Limit Domain and Enterprise Admin Group Memberships

Reduce the number of users in highly privileged groups for better security.


Plain language

This control is about making sure only a small number of people have access to the most powerful and sensitive parts of your computer network. If too many people are in these special groups, it increases the risk of someone accidentally or intentionally causing harm to your system, which could lead to loss of important data or system downtime.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

The number of user accounts that are members of the Domain Admins, Enterprise Admins or other highly-privileged security groups is minimised.

Why it matters

Excessive membership of the Domain Admins and Enterprise Admins groups increases the risk of full domain compromise, data breaches, and major service disruption if any one of those accounts is misused or stolen.


Operational notes

Audit Domain Admins/Enterprise Admins regularly, remove non-essential accounts, and use time-bound elevation (e.g. PAM) so standing privileged group membership is minimised.


Implementation tips

  • IT manager should review current membership of Domain and Enterprise Admins groups. Start by generating a list of users in these groups and check if each person really needs this level of access for their job.
  • System administrator should regularly update the access list. Set a schedule, perhaps monthly, to review and adjust memberships, removing users who no longer need access.
  • HR and IT should collaborate when an employee leaves the organisation. Ensure that the employee's access to these high-level groups is immediately revoked as part of the departure process.
  • Business owners should periodically meet with IT to discuss admin access needs. Determine whether the current setup aligns with business needs and adjust it as necessary so that only essential personnel retain high-level access.
  • IT support should educate staff about the importance of restricting access. Hold a short training session to explain why limiting memberships in these groups is crucial to maintaining security.

Audit / evidence tips

  • Ask for: the membership list of the Domain Admins and Enterprise Admins groups.
  • Ask for: records of access removal for departing employees. Check that these actions align with HR departure schedules. Good practice means access is revoked promptly and documented clearly.
  • Ask for: minutes of meetings between IT and business owners about admin access.
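The implementation and audit tips above both start from a current membership list of the highly privileged groups. The following PowerShell is an added example, not part of the ISM or this Control Stack page: it expands nested membership of the named groups, flags disabled and stale accounts as candidates for removal, and writes a dated CSV as review evidence. It assumes the RSAT ActiveDirectory module on a domain-joined host; the extra group names and the output path are assumptions to adapt.

```powershell
# Added example: enumerate standing members of highly privileged AD groups (ISM-1939).
# Assumes the ActiveDirectory module; group list beyond Domain/Enterprise Admins and
# the evidence path are assumptions, not values from the control text.
Import-Module ActiveDirectory

# "Other highly-privileged security groups" is organisation-specific; these are
# common candidates (assumed here) and should be tuned to your environment.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators'
)
$StaleAfterDays = 90   # assumed review threshold for "no recent logon"

$Report = foreach ($GroupName in $PrivilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain,
    # so a missing group is skipped rather than treated as an error.
    $Group = Get-ADGroup -Filter "Name -eq '$GroupName'" -ErrorAction SilentlyContinue
    if (-not $Group) { continue }

    # -Recursive expands nested groups so indirect (hidden) members are counted too.
    foreach ($Member in Get-ADGroupMember -Identity $Group -Recursive) {
        if ($Member.objectClass -ne 'user') { continue }
        $User = Get-ADUser -Identity $Member.DistinguishedName `
                           -Properties Enabled, LastLogonDate, PasswordLastSet

        # Flag obvious removal candidates for the reviewer to confirm.
        $Flag = ''
        if (-not $User.Enabled) { $Flag = 'Disabled' }
        elseif (-not $User.LastLogonDate -or
                $User.LastLogonDate -lt (Get-Date).AddDays(-$StaleAfterDays)) { $Flag = 'Stale' }

        [pscustomobject]@{
            Group           = $GroupName
            SamAccountName  = $User.SamAccountName
            Enabled         = $User.Enabled
            LastLogonDate   = $User.LastLogonDate
            PasswordLastSet = $User.PasswordLastSet
            ReviewFlag      = $Flag
        }
    }
}

# Headcount per group: the number the control asks you to minimise.
$Report | Group-Object Group | Select-Object Name, Count | Format-Table -AutoSize

# Dated CSV as evidence that the periodic review took place (path is an assumption).
$Stamp = Get-Date -Format 'yyyyMMdd'
$Report | Sort-Object Group, SamAccountName |
    Export-Csv -Path "C:\Evidence\ISM-1939-privileged-members-$Stamp.csv" -NoTypeInformation
```

Run it with a standard (non-admin) account that has read access to AD, and keep successive CSVs so that removals agree with HR departure records during the audit.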

Cross-framework mappings

How ISM-1939 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Related (1):
Annex A 8.2: requires privileged access rights to be restricted and managed, including limiting who holds highly privileged permissions.

E8

Partially meets (1)
Supports (5)

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
