Restrict Domain Computers from Privileged Groups
Ensure that Domain Computers aren't part of privileged security groups for better security.
Plain language
This control is about making sure that 'Domain Computers', the built-in group that every computer account joined to the Active Directory domain belongs to automatically, is not a member of any group that carries administrative control. It's like making sure a regular employee doesn't have the keys to the CEO's office: they shouldn't have that level of access, and if they do, a problem on any one desk becomes a problem for the whole company.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
The Domain Computers security group is not a member of any privileged or highly-privileged security groups.
Why it matters
Domain Computers is the default primary group of every domain-joined computer account, so its membership cannot be restricted in any meaningful way. If the group is nested, directly or through another group, into a privileged group such as Domain Admins, Administrators or Account Operators, then every computer account in the domain inherits those rights. Compromising a single workstation (or, with the default ms-DS-MachineAccountQuota of 10, simply joining a new computer to the domain as an ordinary user) is then enough to obtain domain admin-level control, enabling widespread data breach and outage.
Operational notes
Regularly review AD group memberships, including nested membership, so that Domain Computers is never a direct or indirect member of a privileged or highly-privileged group (e.g. Domain Admins, Enterprise Admins, Schema Admins, Administrators, Account Operators, Server Operators, Backup Operators, groups with adminCount=1), and alert on any change to the membership of those groups.
Implementation tips
- IT Team should review the domain's security group memberships. They can do this by querying Active Directory for every group that 'Domain Computers' is a member of, including groups reached through nesting, and ensuring none of them is a privileged group.
- System Owners should regularly update and verify security policies related to group memberships. They should hold meetings quarterly to discuss any changes in group memberships and update protocols if needed, ensuring policies still align with the organisation's goals.
- Managers need to clearly document who is responsible for managing security groups. They should identify and assign this role to a specific team, noting it in their roles and responsibilities document to maintain accountability.
- The HR department should ensure new IT staff know not to add 'Domain Computers' to privileged groups. This can be done by including this directive in the introductory training for IT staff, emphasising security best practices from day one.
- IT Auditors should periodically review group memberships. They should use scripts or tools to generate reports of the groups that 'Domain Computers' belongs to, directly or through nesting, and verify them against a baseline list of privileged groups to ensure compliance.
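The following PowerShell script is an added example of the membership check described above; it is not part of the original control page. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read group objects in the domain. It resolves Domain Computers by its well-known RID (515) and then asks the domain controller, via the LDAP_MATCHING_RULE_IN_CHAIN matching rule, for every group that contains it at any nesting depth. The list of privileged groups it compares against is an assumed baseline built from well-known SIDs plus any group with adminCount=1; extend it with whatever tier-0 groups your environment defines.

```powershell
# Added example (not from the original control page): report every group that the
# Domain Computers group belongs to, directly or via nesting, and fail if any of
# them is privileged. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value
# Enterprise Admins and Schema Admins live in the forest root domain, whose SID
# differs from a child domain's, so resolve the root domain SID separately.
$rootSid   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value

# Domain Computers is always RID 515 in the domain, regardless of display name.
$domainComputers = Get-ADGroup -Identity "$domainSid-515"

# Assumed baseline of privileged / highly-privileged groups, matched by SID so
# that renaming a group does not evade the check.
$privilegedSids = @(
    "$domainSid-512",   # Domain Admins
    "$domainSid-520",   # Group Policy Creator Owners
    "$domainSid-526",   # Key Admins
    "$rootSid-518",     # Schema Admins (forest root)
    "$rootSid-519",     # Enterprise Admins (forest root)
    "$rootSid-527",     # Enterprise Key Admins (forest root)
    "S-1-5-32-544",     # Administrators
    "S-1-5-32-548",     # Account Operators
    "S-1-5-32-549",     # Server Operators
    "S-1-5-32-550",     # Print Operators
    "S-1-5-32-551"      # Backup Operators
)

# LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC walk the
# member attribute transitively, so this returns groups that contain Domain
# Computers at any depth, not just direct parents.
$filter     = "(member:1.2.840.113556.1.4.1941:=$($domainComputers.DistinguishedName))"
$containing = Get-ADGroup -LDAPFilter $filter -Properties adminCount

$findings = foreach ($g in $containing) {
    # adminCount=1 marks groups protected by AdminSDHolder; treat them as
    # privileged even if they are not in the baseline list.
    $isPrivileged = ($privilegedSids -contains $g.SID.Value) -or ($g.adminCount -eq 1)
    [pscustomobject]@{
        Group      = $g.Name
        SID        = $g.SID.Value
        AdminCount = $g.adminCount
        Privileged = $isPrivileged
    }
}

$violations = @($findings | Where-Object Privileged)
if ($violations.Count -gt 0) {
    Write-Output "ISM-1942 FAIL: Domain Computers is a (nested) member of privileged group(s):"
    $violations | Format-Table -AutoSize
    exit 1
}
else {
    Write-Output "ISM-1942 PASS: Domain Computers is not a member of any privileged group."
    Write-Output "Groups containing Domain Computers (all non-privileged):"
    $findings | Format-Table -AutoSize
}
```

Run it from a management host as part of the periodic audit; the non-zero exit code lets a scheduler or CI job raise an alert, and the table output can be kept as the evidence report requested under the audit tips. Because the check matches on SID and on adminCount rather than on group names, it also catches a privileged group that has been renamed or a custom tier-0 group that AdminSDHolder protects.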
Audit / evidence tips
- Ask: a report of current security group memberships. Request a report from Active Directory listing every group that Domain Computers is a member of, including groups reached through nesting.
  Good: shows Domain Computers in no group with administrative rights.
- Ask: the organisation's security policy document. Request the policy document that outlines the rules for security groups.
  Good: includes clear directives and is regularly updated.
- Ask: training records for IT staff. Request documentation or records showing that IT staff have been trained on group membership policies.
  Good: shows all relevant staff trained within the past year.
- Ask: recent minutes from security review meetings. Request meeting notes or minutes where group memberships were reviewed.
  Good: includes detailed discussion and action points with responsible names listed.
- Ask: compliance check logs or audit reports. Request logs or reports from tools that were used to check compliance with this control.
  Good: demonstrates regular checks with no outstanding issues.
Cross-framework mappings
How ISM-1942 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially meets (1)

| Control | Notes |
|---|---|
| Annex A 8.2 (Privileged access rights) | ISM-1942 requires that the Active Directory **Domain Computers** group is not a member of any privileged or highly-privileged security gr... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.