ISM-1940: ASD Information Security Manual (ISM)

Restrict Service Accounts from Privileged AD Groups

Ensure service accounts are not part of high-level admin groups in Active Directory.

Plain language

This control ensures that service accounts, which are special types of user accounts used by software programs to interact with your systems, do not have the same high-level privileges as human administrators in your network. By doing this, you reduce the risk of these accounts being misused or abused by attackers to gain control of your computer systems.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2024

Control Stack last updated

19 May 2026

E8 maturity levels

N/A

Official control statement

Service accounts are not members of the Domain Admins, Enterprise Admins or other highly-privileged security groups.
Why it matters

If service accounts are placed in Domain/Enterprise Admins or similar groups, compromise of the account can lead to full domain takeover and major outages.

Operational notes

Periodically audit AD group memberships for service accounts; alert on additions to Domain Admins, Enterprise Admins, or other privileged groups.

Implementation tips

  • The IT team should review all existing service accounts to identify which ones have been added to high-level admin groups. Use the directory management tools to list these accounts and check their group memberships.
  • The IT manager should create a policy that clearly defines that service accounts should not be part of privileged admin groups. This policy should be communicated to everyone involved in managing accounts and systems.
  • HR should work with IT to ensure all new software purchases or deployments include a requirement that service accounts created by the software do not require high privileges. This can be done by including it in the procurement and deployment checklist.
  • The IT security officer should regularly monitor the Active Directory to ensure no service accounts are members of privileged admin groups. Use auditing tools that provide alerts if a service account is improperly added to these groups.
  • Business department heads should schedule quarterly reviews with the IT team to understand which service accounts are necessary for their operations and ensure none have unnecessary high-level access.
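The audit and alerting steps above, as an added PowerShell example that is not part of the ISM or of this Control Stack page. It assumes the RSAT ActiveDirectory module is installed, that service accounts are recognisable by a 'svc-' naming prefix, a dedicated OU (placeholder DN) or a managed-service-account object class, and that the Security event log of a domain controller (placeholder name DC01) is readable; the privileged-group list beyond Domain Admins and Enterprise Admins is the organisation's own tiering choice, not something the control prescribes.

```powershell
# Added example (not from the ISM or Control Stack page): report service
# accounts that are members of highly privileged AD groups (ISM-1940) and list
# recent additions to those groups from the Security event log.
# Assumptions: RSAT ActiveDirectory module; service accounts use the 'svc-'
# prefix or live under the placeholder OU below; DC01 is a placeholder DC name.
Import-Module ActiveDirectory

# Groups named by the control plus built-in groups commonly treated as
# highly privileged. Extend to match the organisation's own tiering model.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators'
)

$ServiceAccountPrefix = 'svc-'                                     # assumption
$ServiceAccountOU     = 'OU=Service Accounts,DC=example,DC=local'  # placeholder DN

function Test-IsServiceAccount {
    # Heuristics for "this principal is a service account": managed service
    # account object classes, the naming prefix, or residence in the dedicated OU.
    param([Parameter(Mandatory)]$Principal)
    $managedClasses = 'msDS-ManagedServiceAccount', 'msDS-GroupManagedServiceAccount'
    return ($Principal.objectClass -in $managedClasses) -or
           ($Principal.SamAccountName -like "$ServiceAccountPrefix*") -or
           ($Principal.DistinguishedName -like "*,$ServiceAccountOU")
}

function Get-PrivilegedServiceAccountMembership {
    # Walk each privileged group (including nested membership) and emit one
    # record per service account found. An empty result is the compliant state.
    foreach ($group in $PrivilegedGroups) {
        try {
            # -Recursive expands nested groups to their leaf principals. Note the
            # cmdlet can fail on very large groups (ADWS result-size limit).
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop
        } catch {
            Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            if (Test-IsServiceAccount -Principal $m) {
                [pscustomobject]@{
                    ServiceAccount    = $m.SamAccountName
                    PrivilegedGroup   = $group
                    ObjectClass       = $m.objectClass
                    DistinguishedName = $m.DistinguishedName
                }
            }
        }
    }
}

function Get-RecentPrivilegedGroupAdditions {
    # Security events 4728 / 4732 / 4756 record a member added to a global,
    # local or universal security-enabled group. Filter to the privileged list
    # so the output can feed an alert rule or a periodic review.
    param([string]$DomainController = 'DC01', [int]$Days = 7)  # DC01 is a placeholder
    $filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Parse EventData by field name rather than positional index.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -in $PrivilegedGroups) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    EventId     = $_.Id
                    Group       = $data['TargetUserName']
                    MemberAdded = $data['MemberName']     # DN of the added principal
                    AddedBy     = $data['SubjectUserName']
                }
            }
        }
}

# Usage: list current violations, then show who added what to privileged groups.
Get-PrivilegedServiceAccountMembership | Format-Table -AutoSize
Get-RecentPrivilegedGroupAdditions -Days 30 | Format-Table -AutoSize
```

Run the first function from a scheduled task and treat any row it returns as a finding; the second function is the raw material for the "alert on additions" note, and the MemberAdded field can be fed back through Test-IsServiceAccount to distinguish a service account being added from a human administrator.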
Audit / evidence tips

  • Ask: the list of service accounts and their group memberships. Request a report from the IT team detailing every service account and the groups it belongs to. Good: a report showing service accounts only in non-privileged groups.
  • Ask: the service account policy document. Request to see the policy that states service accounts should not have high-level privileges.
  • Ask: logs of recent service account activity. Request logs or reports tracking any changes in service account permissions. Good: the log shows no such changes or attempts.
  • Ask: the monitoring tool setup or configuration. Request a demonstration of the tool used for monitoring changes to service accounts. Good: the setup includes real-time alerts with clear criteria.
  • Ask: the records of quarterly reviews. Request records of past quarterly reviews concerning service account access. Good: detailed records of these meetings and their decisions are available.
Cross-framework mappings

How ISM-1940 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001 (partially meets; 2 mapped controls)

  • Annex A 5.18: ISM-1940 requires that service accounts are not members of Domain Admins, Enterprise Admins, or other highly privileged AD security groups.
  • Annex A 8.2: ISM-1940 requires that service accounts are not members of highly privileged Active Directory groups (e.g., Domain Admins/Enterprise Admins).

E8 (partially overlaps; 1 mapped control)

  • E8-RA-ML2.2: ISM-1940 requires service accounts to be excluded from highly privileged AD groups such as Domain Admins and Enterprise Admins.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.