ISM-1941 ASD Information Security Manual (ISM)

Restrict Computer Accounts from Privileged Groups

Ensure computer accounts don't have high-level admin privileges within Active Directory.


Plain language

This control is about making sure that the computer accounts in a network don't have too much power. Think of a computer account like a key card. If every computer has a key card for the CEO's office, that's risky. Instead, give them access only to the areas they need. If this isn't done, a compromised computer could act like the CEO's key card, gaining access to sensitive information and potentially causing harm.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Aug 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Computer accounts are not members of the Domain Admins, Enterprise Admins or other highly-privileged security groups.

Why it matters

If computer accounts join Domain/Enterprise Admins, a compromised host can obtain full domain privileges, enabling broad data access and service disruption.


Operational notes

Audit Domain/Enterprise Admins and similar groups to confirm no computer accounts are members; remove any found and investigate how membership occurred.


Implementation tips

  • The IT team should review all computer accounts within the organisation’s network. They can do this by checking the list of all computer accounts in Active Directory, which is a tool used for managing computers and users in a network. They should ensure none of these accounts are in highly privileged groups like Domain Admins.
  • System administrators should regularly check who has privileges within Active Directory. They can set up a simple schedule, say once a month, to go through the list and ensure no computer accounts have crept into privileged groups by mistake.
  • Managers should instruct IT staff to keep detailed records of each computer account's access level. They should do this by maintaining logs showing which groups each computer account belongs to. This can help quickly identify and rectify any accounts that have excessive privileges.
  • The Chief Information Officer (CIO), or equivalent, should implement a policy that restricts computer accounts from ever being added to highly privileged groups. They can document this rule in the organisation's IT policies and ensure everyone in the IT department understands and follows it.
  • Training should be conducted by the IT team for all staff to understand the importance of access control. They can hold workshops explaining why it's essential to keep computer accounts out of privileged groups and how it helps protect the organisation from cyber threats.
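One way to carry out the audit described in the operational notes and the first two implementation tips, as an added PowerShell example that is not from Control Stack or the ISM. It assumes the RSAT ActiveDirectory module is installed and uses the default built-in group names, so rename or extend the list if the organisation has renamed these groups or has its own tier-0 groups.

```powershell
# Added example, not part of the Control Stack page or the ISM.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Find-PrivilegedComputerAccount {
    [CmdletBinding()]
    param(
        # Default names of built-in highly privileged groups; add any custom tier-0 groups.
        [string[]]$PrivilegedGroups = @(
            'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
            'Account Operators', 'Server Operators', 'Backup Operators', 'Print Operators'
        )
    )

    foreach ($name in $PrivilegedGroups) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain,
        # so groups that are absent in this domain are skipped rather than treated as errors.
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { Write-Verbose "Group '$name' not found in this domain"; continue }

        # -Recursive expands nested groups, so a computer placed in a group that is itself
        # a member of Domain Admins is still reported.
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'computer' } |
            ForEach-Object {
                [pscustomobject]@{
                    Finding           = 'MemberOfPrivilegedGroup'
                    PrivilegedGroup   = $group.Name
                    ComputerAccount   = $_.SamAccountName
                    DistinguishedName = $_.DistinguishedName
                }
            }
    }

    # Second check: an account's primary group is stored on the account (primaryGroupID),
    # not in the group's member attribute. Expected values for computers are
    # 515 (Domain Computers), 516 (Domain Controllers) and 521 (Read-only Domain Controllers).
    Get-ADComputer -Filter * -Properties primaryGroupID |
        Where-Object { $_.primaryGroupID -notin @(515, 516, 521) } |
        ForEach-Object {
            [pscustomobject]@{
                Finding           = 'UnexpectedPrimaryGroup'
                PrivilegedGroup   = "RID $($_.primaryGroupID)"
                ComputerAccount   = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
            }
        }
}

# Run the audit; an empty result is the evidence this control asks for.
Find-PrivilegedComputerAccount | Format-Table -AutoSize
```

Scheduling this as a monthly task and keeping the output with the date run gives the reviewer the regular-interval evidence listed under audit tips; any row returned should be removed and its origin investigated.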

Audit / evidence tips

  • Ask: A current list of computer accounts in Active Directory. Good: No computer accounts are listed under groups like Domain Admins or Enterprise Admins.
  • Good: Includes reviews conducted at regular intervals with no instances of computer accounts having excessive privileges.
  • Ask: To see the policy that restricts computer accounts from joining privileged groups. Good: Policy clearly states that computer accounts should never be in these groups.
  • Good: Demonstration shows automated alerts or reports that flag when an account is added to a privileged group.
  • Ask: Records of staff training sessions on access control. Good: Includes recent training sessions attended by all relevant IT staff, with materials explaining the policy.

Cross-framework mappings

How ISM-1941 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control Notes Details
Supports (1)
Annex A 8.15 ISM-1941 requires preventing computer accounts from being members of highly privileged AD groups (e.g

E8

Control Notes Details
Supports (1)
E8-RA-ML2.7 ISM-1941 requires that computer accounts are not placed into highly privileged AD security groups (e.g

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
