In Active Directory, any non-privileged user who can change a Domain Administrator’s password is effectively a Domain Administrator. Whoever can change that non-privileged user’s password is a Domain Administrator as well. You can see the privilege escalation rabbit hole starting to develop from nothing more than simple lateral movement and password changes. It is one of many scenarios Innova Solutions has discovered during client Active Directory audits, and it underscores a problem IT organizations face: not only who is an administrator of a service, but who could make themselves one.
On the surface, IT organizations believe they know who has access because they look at their tools in a one-dimensional manner. Having administrative control in Active Directory is not based solely on membership in the Enterprise Admins and Domain Admins groups. There are many ways a non-privileged user can abuse or misuse their access and gain more control, up to and including Domain Administrator. The threat of intentional and accidental privilege escalation is why we must monitor, with actionable alerts, both the administrator accounts and the users who can manipulate them. Typically, Active Directory administrators accomplish this with Windows Event Forwarding or SIEM tools like Splunk and SumoLogic, alerting on specific Event IDs. Depending on the maturity of the process, it may also include ticketing and automated remediation.
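The rabbit hole described above can be enumerated directly from the directory's own ACLs rather than waiting for an event. The PowerShell below is an added audit example, not Innova Solutions' tooling; it assumes the RSAT ActiveDirectory module is installed and that the caller can read security descriptors on user objects, and the `Get-PasswordResetters` and `Trace-ResetChain` names are this example's own.

```powershell
# Added audit example; not Innova Solutions' tooling. Assumes the RSAT ActiveDirectory
# module is installed and the caller can read security descriptors on user objects.
Import-Module ActiveDirectory

$ADR = [System.DirectoryServices.ActiveDirectoryRights]
$ResetPwdGuid  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$AllRightsGuid = [Guid]'00000000-0000-0000-0000-000000000000'  # ACE covers every extended right
$ImpliedRights = $ADR::GenericAll -bor $ADR::WriteDacl -bor $ADR::WriteOwner
# Trustees expected on every user object; anything else deserves a second look.
$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Account Operators')

# Trustees (DOMAIN\name) able to reset one object's password outright, or to grant themselves that right.
function Get-PasswordResetters {
    param([string]$DistinguishedName)
    foreach ($ace in (Get-Acl -Path "AD:\$DistinguishedName").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $explicit = (($ace.ActiveDirectoryRights -band $ADR::ExtendedRight) -ne 0) -and
                    ($ace.ObjectType -in @($ResetPwdGuid, $AllRightsGuid))
        $implied  = ($ace.ActiveDirectoryRights -band $ImpliedRights) -ne 0
        if ($explicit -or $implied) { $ace.IdentityReference.Value }
    }
}
# Walks the chain outward: who can reset this account's password, who can reset theirs, and so on.
# Each emitted line is one escalation path ending at a Domain Admin; $Seen stops cycles.
function Trace-ResetChain {
    param([string]$DistinguishedName, [string[]]$Path, [hashtable]$Seen)
    if ($Seen.ContainsKey($DistinguishedName)) { return }
    $Seen[$DistinguishedName] = $true
    foreach ($trustee in (Get-PasswordResetters $DistinguishedName | Sort-Object -Unique)) {
        if ($Expected -contains $trustee -or $trustee -match '\\(Domain|Enterprise) Admins$') { continue }
        try   { $sid = ([System.Security.Principal.NTAccount]$trustee).Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { "$trustee (unresolved SID) -> $($Path -join ' -> ')"; continue }
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'"
        if (-not $obj) { continue }   # well-known principals such as SELF have no directory object
        $chain = @($trustee) + $Path
        $chain -join ' -> '
        if ($obj.ObjectClass -eq 'group') {
            Get-ADGroupMember -Identity $obj.DistinguishedName -Recursive | Where-Object ObjectClass -eq 'user' |
                ForEach-Object { Trace-ResetChain -DistinguishedName $_.DistinguishedName -Path (@($_.Name) + $chain) -Seen $Seen }
        } else {
            Trace-ResetChain -DistinguishedName $obj.DistinguishedName -Path $chain -Seen $Seen
        }
    }
}

# Start from every nested member of Domain Admins and follow the password-reset chain outward.
$seen = @{}
Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Where-Object ObjectClass -eq 'user' |
    ForEach-Object { Trace-ResetChain -DistinguishedName $_.DistinguishedName -Path @($_.Name) -Seen $seen }
```

Every line of output is a chain of accounts, each able to reset the next one's password, terminating at a Domain Admin; any trustee in that output who is not already treated as an administrator is a candidate for the alerting and remediation process described above.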