Enumerating privileged groups is a concrete discovery technique that identifies which accounts have elevated control over an Active Directory environment. This lesson explains what the attacker is looking for, which groups matter and why, what group membership reveals about paths to domain compromise, and how to communicate findings clearly in interviews, reports, and stakeholder conversations.
Privileged group membership is one of the most direct indicators of where power sits in an AD environment. Knowing who belongs to Domain Admins, Enterprise Admins, and other high-value groups is often the difference between aimless enumeration and targeted attack planning. This is also a common interview question: interviewers expect candidates to know which groups matter, why they matter, and how to turn that knowledge into actionable findings rather than just listing group names.
Enumerating privileged group memberships requires only an authenticated domain account, at any privilege level. Active Directory stores group membership in the directory and, by default, lets any authenticated user read it over LDAP; no elevated rights are needed to list which users, service accounts, or computer accounts belong to any group, including the most sensitive administrative groups. Only an environment that has deliberately tightened the default ACLs on those objects changes this, and that is rare.
The attacker needs either a domain-joined host or network access to a domain controller (LDAP on TCP 389, or LDAPS on TCP 636) plus valid credentials; a low-privilege user account is sufficient.
Reference: MITRE ATT&CK, Permission Groups Discovery: Domain Groups (T1069.002), the official entry for domain group enumeration, including procedure examples and detection guidance.
Active Directory stores group membership as a pair of linked attributes: member on the group object, and memberOf, a back-link derived from it, on the member object. Both are readable by any authenticated user via LDAP by default. This accessibility exists by design: applications, services, and workstations need to resolve group memberships to enforce access control. One form of membership lives elsewhere: an account whose primary group is a privileged group (primaryGroupID set to that group's RID, 512 for Domain Admins) does not appear in the group's member attribute, so an enumeration that reads only member or memberOf misses it.
An attacker exploits this same accessibility to enumerate every member of every privileged group in the domain using standard LDAP queries. The directory does not distinguish between a legitimate service resolving group membership and an attacker mapping administrative control.
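To make the mechanism concrete, here is an added example in Python (not code from the original lesson): the two LDAP filter forms an attacker sends for a group, and the transitive-expansion logic run offline over a constructed, invented directory snapshot. The domain corp.example, the OU names and every account in it are assumptions; the filter syntax, the matching-rule OID and the well-known RIDs are real Active Directory values.

```python
"""Added example (not from the original lesson): LDAP filters for pulling
privileged-group members, plus offline expansion of nested membership over a
constructed directory snapshot. DNs and accounts are invented; the filter
syntax, the matching-rule OID and the RIDs are real."""
from collections import deque

DOMAIN_DN = "DC=corp,DC=example"          # assumed domain
USERS = "CN=Users," + DOMAIN_DN
GROUPS = "OU=Groups," + DOMAIN_DN         # assumed OU holding custom groups

# Well-known RIDs of built-in privileged groups (real values, not exhaustive).
# Matching on objectSid (S-<domain SID>-<RID>) rather than on name still
# finds a group an admin has renamed.
PRIVILEGED_RIDS = {512: "Domain Admins", 519: "Enterprise Admins",
                   518: "Schema Admins", 544: "Administrators",
                   548: "Account Operators", 549: "Server Operators",
                   551: "Backup Operators"}


def direct_members_filter(group_dn):
    """Objects that list the group directly in memberOf."""
    return f"(memberOf={group_dn})"


def transitive_members_filter(group_dn):
    """LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC
    walk nested group links server-side, so indirect members come back too.
    Like member/memberOf themselves, it does not see primary-group membership
    (primaryGroupID); expand_group below adds that case by hand."""
    return f"(memberOf:1.2.840.113556.1.4.1941:={group_dn})"


# --- Constructed snapshot (invented data): DN -> attributes ---------------
DA = f"CN=Domain Admins,{USERS}"
TIER0 = f"CN=Tier0-Ops,{GROUPS}"
INFRA = f"CN=Infra-Admins,{GROUPS}"
DIRECTORY = {
    DA: {"objectClass": "group", "rid": 512,
         "member": [f"CN=alice,{USERS}", TIER0, f"CN=svc_sqlprod,{USERS}"]},
    TIER0: {"objectClass": "group", "member": [f"CN=bob,{USERS}", INFRA]},
    # Infra-Admins nests Tier0-Ops back into itself: a cycle AD permits.
    INFRA: {"objectClass": "group",
            "member": [f"CN=carol,{USERS}", TIER0, f"CN=ghost,{USERS}"]},
    f"CN=alice,{USERS}": {"objectClass": "user", "primaryGroupID": 513},
    f"CN=bob,{USERS}": {"objectClass": "user", "primaryGroupID": 513},
    f"CN=carol,{USERS}": {"objectClass": "user", "primaryGroupID": 513},
    f"CN=svc_sqlprod,{USERS}": {"objectClass": "user", "primaryGroupID": 513,
                                "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"]},
    # dave is in nobody's member attribute, yet is a Domain Admin.
    f"CN=dave,{USERS}": {"objectClass": "user", "primaryGroupID": 512},
}


def cn(dn):
    """Leading RDN value of a DN, e.g. 'CN=bob,...' -> 'bob'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def expand_group(directory, group_dn):
    """Resolve every non-group object that is effectively a member of group_dn.

    Returns {member_dn: {"via": "member"|"nested"|"primaryGroupID",
                         "chain": [group DNs walked to reach it]}}.
    Groups are walked breadth-first with a visited set, so circular nesting
    cannot loop forever; dangling member DNs are skipped; accounts whose
    primaryGroupID equals the group's RID are added explicitly."""
    result = {}
    seen_groups = {group_dn}
    queue = deque([(group_dn, [group_dn])])
    while queue:
        current, chain = queue.popleft()
        for dn in directory.get(current, {}).get("member", []):
            obj = directory.get(dn)
            if obj is None:
                continue                      # dangling reference
            if obj["objectClass"] == "group":
                if dn not in seen_groups:
                    seen_groups.add(dn)
                    queue.append((dn, chain + [dn]))
            elif dn not in result:            # first path found wins
                via = "member" if len(chain) == 1 else "nested"
                result[dn] = {"via": via, "chain": list(chain)}
    rid = directory[group_dn].get("rid")
    for dn, obj in directory.items():
        if (obj["objectClass"] != "group" and rid is not None
                and obj.get("primaryGroupID") == rid and dn not in result):
            result[dn] = {"via": "primaryGroupID", "chain": [group_dn]}
    return result


def summarize(directory, group_dn):
    """Effective members grouped by how they hold the membership."""
    out = {"member": [], "nested": [], "primaryGroupID": []}
    for dn, info in expand_group(directory, group_dn).items():
        out[info["via"]].append(cn(dn))
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    print(transitive_members_filter(DA))
    for via, names in summarize(DIRECTORY, DA).items():
        print(f"{via:15} {', '.join(names)}")
```

The point the snapshot drives home: carol never appears in the Domain Admins member list and dave appears in no member list at all, yet both are effectively Domain Admins, and a naive query that stops at the direct member attribute reports three of five.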
The attacker gains a precise map of who controls the domain. They learn which user accounts are Domain Admins, which service accounts have been placed in privileged groups (often unnecessarily), whether nested group memberships create indirect paths to administrative access, and how many accounts hold each privilege level.
This information directly shapes every subsequent attack. Kerberoastable service accounts in privileged groups become priority targets. Accounts with weak password hygiene in administrative groups become spray targets, and the total count of privileged accounts reveals whether the environment follows least-privilege principles or has privilege sprawl.
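An added example of the triage that follows enumeration, again not code from the original lesson: given the resolved privileged members, rank Kerberoastable service accounts, stale accounts and indirectly nested accounts. The account records and the reference date are constructed; the FILETIME encoding of lastLogonTimestamp, its replication granularity and the SPN semantics are real Active Directory behaviour.

```python
"""Added example (not from the original lesson): triage of enumerated
privileged-group members. Account records and the reference time are
constructed; the attribute semantics are real."""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """lastLogonTimestamp is a Windows FILETIME: 100-ns ticks since 1601-01-01
    UTC. 0 or absent means the attribute was never set (no logon recorded)."""
    if not ft:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer division keeps it exact."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def is_kerberoastable(acct):
    """A user object with an SPN lets any domain user request a TGS encrypted
    with that account's password hash. Computer accounts carry SPNs too but
    use random 120-character passwords, so they are excluded here."""
    return (acct["objectClass"] == "user"
            and bool(acct.get("servicePrincipalName"))
            and not acct["sAMAccountName"].endswith("$"))


def triage(members, now, stale_days=90):
    """Classify privileged members and return a prioritised target order.

    lastLogonTimestamp is only refreshed when the stored value is more than
    ~14 days old (msDS-LogonTimeSyncInterval default), so it can lag real
    activity by up to two weeks; a 90-day threshold absorbs that comfortably."""
    cutoff = now - timedelta(days=stale_days)
    report = {"total": len(members), "kerberoastable": [], "stale": [], "indirect": []}
    for acct in members:
        sam = acct["sAMAccountName"]
        if is_kerberoastable(acct):
            report["kerberoastable"].append(sam)
        last = filetime_to_datetime(acct.get("lastLogonTimestamp"))
        if last is None or last < cutoff:
            report["stale"].append(sam)
        if acct.get("via") == "nested":
            report["indirect"].append(sam)

    def rank(acct):
        sam = acct["sAMAccountName"]
        if sam in report["kerberoastable"]:
            return 0          # offline-crackable hash, highest value
        if sam in report["stale"]:
            return 1          # unmonitored, likely weak or forgotten
        return 2
    report["priority"] = [a["sAMAccountName"] for a in sorted(members, key=rank)]
    return report


# --- Constructed sample (invented): resolved Domain Admins membership ------
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed reference time


def _ago(days):
    return datetime_to_filetime(NOW - timedelta(days=days))


MEMBERS = [
    {"sAMAccountName": "admin.jdoe", "objectClass": "user",
     "servicePrincipalName": [], "lastLogonTimestamp": _ago(2), "via": "member"},
    {"sAMAccountName": "svc_sqlprod", "objectClass": "user",
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.example:1433"],
     "lastLogonTimestamp": _ago(10), "via": "member"},
    {"sAMAccountName": "svc_backup", "objectClass": "user",
     "servicePrincipalName": ["backup/bkp01.corp.example"],
     "lastLogonTimestamp": _ago(30), "via": "nested"},
    {"sAMAccountName": "old.consultant", "objectClass": "user",
     "servicePrincipalName": [], "lastLogonTimestamp": _ago(200), "via": "member"},
    {"sAMAccountName": "jsmith", "objectClass": "user",
     "servicePrincipalName": [], "lastLogonTimestamp": 0, "via": "member"},
    {"sAMAccountName": "SQL01$", "objectClass": "computer",
     "servicePrincipalName": ["HOST/SQL01"], "lastLogonTimestamp": _ago(1), "via": "member"},
]

if __name__ == "__main__":
    for key, value in triage(MEMBERS, NOW).items():
        print(f"{key:14} {value}")
```

The count alone (six effective Domain Admins for what should be a handful of named administrators) is already a least-privilege finding; the classification turns it into an ordered target list, with the two roastable service accounts ahead of the stale ones and the computer account correctly left out.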
Privileged group enumeration is one of the first discovery steps after gaining any domain user credentials. It sits early in the attack chain because the results inform almost every subsequent technique: which accounts to target with Kerberoasting, which accounts to prioritize for password spraying, which BloodHound paths are worth pursuing, and where lateral movement should aim.
In a realistic engagement, the attacker enumerates privileged groups within minutes of obtaining domain access, long before executing any credential access or privilege escalation technique.
Enumerating privileged groups is one of the first things I do after obtaining domain credentials because it tells me exactly where administrative control sits in the environment and which accounts are worth targeting. Any domain user can query group memberships via LDAP, so I enumerate Domain Admins, Enterprise Admins, Server Operators, Backup Operators, and other high-value groups to build a picture of who controls the domain. I pay close attention to nested memberships, because a user who is a member of a group that is nested into Domain Admins is effectively a Domain Admin even though they do not appear in the direct member list. I also look for service accounts in privileged groups, because those are often Kerberoastable with weak passwords.
The goal is not just to list names — it is to identify which accounts represent the shortest path to domain compromise and which ones are likely to have exploitable weaknesses.
Privileged group enumeration is when an attacker with any employee-level account reads your directory to find out which accounts have administrative control over the entire domain.
The risk is that any compromised account can see this information, and it tells the attacker exactly which accounts to target next. If service accounts or unnecessary users are in administrative groups, the attacker knows those are high-value targets. The fix is reducing the number of accounts in privileged groups to the absolute minimum required, removing service accounts that do not need full administrative access, and monitoring for unauthorized changes to these groups.
Finding: Excessive Privileged Group Membership. During the assessment, the operator enumerated domain group memberships and identified 14 accounts in the Domain Admins group, including three service accounts (svc_sqlprod, svc_backup, svc_monitoring) and two accounts that had not authenticated in over 90 days. The svc_sqlprod service account was subsequently Kerberoasted due to its registered SPN and weak password. Nested group membership analysis revealed an additional six accounts with indirect Domain Admin access through nested group chains.
Severity: High.
Recommendation: Reduce Domain Admins membership to the minimum required accounts. Remove all service accounts from Domain Admins and delegate only the specific permissions they require. Disable or remove stale accounts that have not authenticated recently. Flatten unnecessary group nesting.