ISM-1940 ASD Information Security Manual (ISM)

Restrict Service Accounts from Privileged AD Groups

Ensure service accounts are not part of high-level admin groups in Active Directory.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Aug 2024

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Service accounts are not members of the Domain Admins, Enterprise Admins or other highly-privileged security groups.

Source: ASD Information Security Manual (ISM)

Plain language

Service accounts are accounts used by software and services, rather than people, to authenticate to your systems. This control requires that they never hold the standing privileges of a domain administrator: no membership of Domain Admins, Enterprise Admins, or any other group with equivalent control over the directory. Service accounts usually run unattended, have credentials stored wherever the software needs them, and are rotated rarely, so an attacker who steals one should gain only what that service needs, not control of the whole domain.

Why it matters

If a service account sits in Domain Admins, Enterprise Admins or a comparable group (Schema Admins, the built-in Administrators group, Account Operators, Backup Operators and the like), compromise of that single account is a full domain takeover. Service accounts are an attractive target: their passwords are often long-lived and stored in configuration files, scheduled tasks or scripts, and any account with a service principal name can be Kerberoasted and cracked offline. Recovery from a domain takeover typically means rebuilding the directory and major outages.

Operational notes

Periodically audit the membership (including nested membership) of Domain Admins, Enterprise Admins, Schema Admins, Administrators and other privileged groups for service accounts, and alert on any addition to those groups as it happens rather than waiting for the next review.
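The alerting half of that note can be driven from the domain controllers' Security log. The script below is an added example, not Control Stack's or ASD's tooling: it pulls the "member added to security-enabled group" events (4728 for global groups such as Domain Admins, 4732 for domain-local groups such as Administrators, 4756 for universal groups such as Enterprise Admins and Schema Admins), keeps only those whose target is a privileged group, and marks additions of service accounts as high severity. It assumes the ActiveDirectory module is available, the "Audit Security Group Management" subcategory is enabled, the caller can read the Security log on each DC, and that service accounts follow an svc-/sa- naming convention; the group list, the naming pattern and the function name are assumptions to adjust for your environment.

```powershell
# Added example (not Control Stack's or ASD's code). Assumptions: ActiveDirectory
# module present, Security log readable on every DC, "Audit Security Group
# Management" enabled, and a svc-/sa- naming convention for service accounts.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
# MemberName in these events is a distinguished name, hence the leading CN=.
$ServiceAccountPattern = '^CN=(svc|sa)[-_]'   # assumption: local naming convention

function Get-PrivilegedGroupAdditions {
    param(
        [string[]]$DomainController = @($env:COMPUTERNAME),
        [int]$LookbackHours = 24
    )
    # 4728 / 4732 / 4756 = member added to a security-enabled global / domain-local /
    # universal group. Domain Admins is global, Administrators is domain-local and
    # Enterprise/Schema Admins are universal, so all three IDs are needed.
    $filter = @{
        LogName   = 'Security'
        Id        = 4728, 4732, 4756
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    foreach ($dc in $DomainController) {
        # A group write is logged only on the DC that processed it, so every DC is
        # queried (or centralise the events first and query the collector instead).
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
          ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Group   = $data['TargetUserName']
                Member  = $data['MemberName']
                AddedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                DC      = $dc
            }
          } |
          Where-Object { $_.Group -in $PrivilegedGroups }
    }
}

# Usage: query every DC; anything marked HIGH is a direct ISM-1940 violation,
# everything else is a privileged change that should match an approved ticket.
$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($hit in Get-PrivilegedGroupAdditions -DomainController $dcs) {
    $severity = if ($hit.Member -match $ServiceAccountPattern) { 'HIGH: service account' } else { 'review' }
    '{0:u}  {1}  {2} added {3} to {4}  [{5}]' -f $hit.Time, $hit.DC, $hit.AddedBy, $hit.Member, $hit.Group, $severity
}
```

Schedule it (or port the same filter into your SIEM) rather than running it by hand: the point of the control note is that an addition is caught when it happens, not at the next quarterly review. A name-based pattern is a weak identifier on its own; the membership audit further down uses stronger signals (managed service account object classes, registered SPNs, a dedicated OU) and the two checks are meant to be used together.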

Implementation tips

  • The IT team should review all existing service accounts to identify which ones have been added to privileged admin groups. Use the directory management tools (for example the ActiveDirectory PowerShell module or Active Directory Users and Computers) to list these accounts and check their group memberships, expanding nested groups so that an account inherited through a chain of groups is not missed.
  • The IT manager should create a policy that clearly states that service accounts must not be members of privileged admin groups, names the groups concerned, and defines who may approve a time-limited exception. This policy should be communicated to everyone involved in managing accounts and systems.
  • HR should work with IT to ensure all new software purchases or deployments include a requirement that any service account the software creates or requires runs with the least privilege it needs and does not require membership of a privileged group. Include this in the procurement and deployment checklist, and treat a vendor's insistence on Domain Admins as a finding to be challenged rather than a requirement to be met.
  • The IT security officer should regularly monitor Active Directory to ensure no service accounts are members of privileged admin groups. Use auditing tools that alert when an account is added to these groups, so that an improper addition is detected when it happens rather than at the next review.
  • Business department heads should schedule quarterly reviews with the IT team to confirm which service accounts are necessary for their operations and ensure none have unnecessary high-level access.
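The review in the first tip is the part most often done badly, because "service account" is not an attribute in Active Directory. The script below is an added example, not Control Stack's or ASD's code: it walks a list of privileged groups, expands nested membership, and flags any member that looks like a service account using several heuristics (a managed service account object class, a registered service principal name, an svc-/sa- naming convention, or a dedicated OU). It assumes the ActiveDirectory module and read access to the domain; the group list, the heuristics, the OU name and the function name are assumptions to adjust for your environment.

```powershell
# Added example (not Control Stack's or ASD's code). Assumptions: ActiveDirectory
# module present, read access to the domain, and the group list / heuristics below.
Import-Module ActiveDirectory

# The first three are named in ISM-1940; the rest are well-known AD groups with
# comparable reach and belong in any "other highly-privileged" list (assumption).
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Server Operators',
    'Backup Operators', 'Print Operators'
)

function Test-IsServiceAccount {
    param([Microsoft.ActiveDirectory.Management.ADObject]$Account)
    # Computer accounts always carry SPNs; they are a separate concern, not a
    # service account for the purpose of this control.
    if ($Account.ObjectClass -eq 'computer') { return $false }
    # Managed service accounts (gMSA / sMSA) are service accounts by definition.
    if ($Account.ObjectClass -in 'msDS-GroupManagedServiceAccount', 'msDS-ManagedServiceAccount') { return $true }
    # A user object with a registered SPN runs a service (and is Kerberoastable).
    if ($Account.ServicePrincipalName -and $Account.ServicePrincipalName.Count -gt 0) { return $true }
    # Assumptions: local naming convention and a dedicated OU for service accounts.
    if ($Account.SamAccountName -match '^(svc|sa)[-_]') { return $true }
    if ($Account.DistinguishedName -like '*OU=Service Accounts,*') { return $true }
    return $false
}

function Find-ServiceAccountsInPrivilegedGroups {
    foreach ($groupName in $PrivilegedGroups) {
        $group = Get-ADGroup -Filter "Name -eq '$groupName'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        # -Recursive expands nested groups, so an account hidden two levels down a
        # group chain is still reported against the privileged group at the top.
        foreach ($member in Get-ADGroupMember -Identity $group -Recursive) {
            if ($member.objectClass -eq 'group') { continue }
            $obj = Get-ADObject -Identity $member.DistinguishedName `
                                -Properties SamAccountName, ServicePrincipalName, ObjectClass
            if (Test-IsServiceAccount -Account $obj) {
                [pscustomobject]@{
                    Group             = $groupName
                    SamAccountName    = $obj.SamAccountName
                    ObjectClass       = $obj.ObjectClass
                    DistinguishedName = $obj.DistinguishedName
                }
            }
        }
    }
}

$findings = @(Find-ServiceAccountsInPrivilegedGroups)
if ($findings.Count -gt 0) {
    $findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
    exit 1   # non-zero so a scheduled run fails loudly and the report is the evidence
}
'No service accounts found in privileged groups.'
```

A clean run is the report the audit section asks for; a non-zero exit with a table is the finding. Two cross-checks are worth adding to the same scheduled job: Get-ADUser -Filter 'primaryGroupID -eq 512' catches an account whose primary group has been set to Domain Admins (RID 512), a well-known way of holding the privilege without appearing in the member attribute, and Get-ADUser -Filter 'adminCount -eq 1' lists accounts that AdminSDHolder has protected at some point, which is a useful prompt for accounts that were privileged in the past and may still hold the access indirectly.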

Audit / evidence tips

  • Ask: for the list of service accounts and their group memberships. Request a report from the IT team listing every service account (including managed service accounts) and the groups it belongs to, with nested group membership expanded.

    Good: the report shows no service account in Domain Admins, Enterprise Admins, Schema Admins, Administrators or any other privileged group, and states how "service account" was identified so the list can be checked for completeness.

  • Ask: for the service account policy document. Request the policy stating that service accounts must not be members of privileged groups, which groups are in scope, and who may approve an exception.

    Good: the policy is current, names the groups, and is referenced by the account-provisioning procedure.

  • Ask: for logs of changes to service account group membership. Request the security event records (or SIEM output) covering additions to privileged groups over the review period.

    Good: additions are logged from every domain controller, each one is attributable to a named administrator and an approved change, and any addition involving a service account was detected and reverted.

  • Ask: for the monitoring tool setup or configuration. Request a demonstration of the tool used to monitor changes to privileged group membership.

    Good: alerts fire in near real time on a defined list of privileged groups, with clear criteria for what triggers them and who responds.

  • Ask: for the records of quarterly reviews. Request records of past quarterly reviews of service account access.

    Good: the records list the accounts reviewed, the decisions taken, and any access removed as a result.

Cross-framework mappings

How ISM-1940 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001 (partially meets: 2 controls)

  • Annex A 5.18, Access rights: ISM-1940 requires that service accounts are not members of Domain Admins, Enterprise Admins, or other highly privileged AD security groups.
  • Annex A 8.2, Privileged access rights: ISM-1940 requires that service accounts are not members of highly privileged Active Directory groups (e.g., Domain Admins/Enterprise Admins).

Essential Eight (partially overlaps: 1 control)

  • E8-RA-ML2.2: ISM-1940 requires service accounts to be excluded from highly privileged AD groups such as Domain Admins and Enterprise Admins.
