Enumerating Privileged Groups Brief
What It Is
A concrete discovery technique that identifies which accounts have elevated control over an AD environment by enumerating the membership of privileged groups. Any authenticated domain user can query group memberships via LDAP. The results directly shape Kerberoasting targets, spray priorities, and lateral movement direction.
Preconditions
Any authenticated domain user account. Group membership data is stored in the directory and readable by any user via LDAP by design. No elevated privileges required.
Attacker Gain
A precise map of who controls the domain: which accounts are Domain Admins, which service accounts are in privileged groups (priority Kerberoasting targets), whether nested memberships create indirect paths, and how many accounts hold each privilege level.
Groups That Matter
- Domain Admins — full control over every object in the domain
- Enterprise Admins — control over every domain in the forest (forest root only)
- Server Operators — can log into DCs, manage services
- Backup Operators — can read any file on the DC including NTDS.dit
- Account Operators — can modify non-protected accounts
- DnsAdmins — can load arbitrary DLLs on the DC
Stakeholder Explanation
Any compromised account can see which accounts have administrative control. If service accounts or unnecessary users are in administrative groups, the attacker knows exactly which accounts to target next. Reducing membership to the minimum limits the attack surface.
Common Pitfalls
- Only checking Domain Admins — Server Operators, Backup Operators, Account Operators, and DnsAdmins each grant significant privileges
- Missing nested group memberships — a user in a group nested into Domain Admins is effectively a Domain Admin
- Treating enumeration as a checklist item — the value is in identifying which accounts represent exploitable paths
- Ignoring service accounts in privileged groups — these are often Kerberoastable with weak, static passwords