
Inventory of Administrative Accounts and Use Unique Passwords

One of the CIS Top 20 controls suggests maintaining an 'Inventory of Administrative Accounts'. Does Active Directory not do this for you, to an extent, with the default admin group members such as Domain Admins, which you could query at any point in time?


How do you collect the data to populate such an inventory, and which specific group memberships go into it? In what format do you maintain the inventory, and is it dynamically populated or a manual process to keep it up to date? What level do you go down to, e.g. domain, OS, applications/databases, etc.? I appreciate that in theory every device/server/database/mailbox could have a differing set of administrators, although in practice there would be a lot of commonality across the environment.

Another thing it suggests in the CIS Top 20 is: 'Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.' In your experience of doing pen tests/vulnerability assessments, are there any common types of accounts that exist across systems joined to the network that may use the same passwords? I know how such tests take place, but having some clue on where passwords are often replicated across systems would be interesting.

Exec Consultant
Distinguished Expert 2019
1. The inventory is more to say track changes, i.e. the addition or removal of administrator accounts, in all your client and server systems. There would be domain accounts in AD, which is good as you have centralised them, but there are local ones and other ADs in another forest which you probably do not know about. Ideally there is one AD, but the fact is an MNC that is global has more AD forests. So it is good to identify all the identity stores. CSV is good for a very small company with 2-5 systems; otherwise an AD or LDAP-based store will be preferred.

Free Tools
  • Netwrix - AD Change Reporter Free, one of the simplest setups I have ever performed. But you MUST read the user guide that comes with the download file. There are some prerequisites that must be met.
  • Scripted - Alternative to using 3rd party software. Easy to follow guide.
  • GPO - Only enables logging; you still need to alert.
Commercial Tools
  • ADAuditPlus - ManageEngine's real time monitoring and alerting tool


2. Besides those in the Domain Admins group, I would rather focus on hidden admin accounts. These hidden administrator accounts are often service or maintenance accounts that perform automated, routine tasks in the environment. In addition, hidden administrator accounts often have access to multiple systems in the environment.

Of concern is that these accounts don’t typically receive the same attention regarding configuration review or password management and monitoring as administrative accounts belonging to human users. As a result, they present an attractive target for adversaries, who leverage these service accounts for both lateral movement and gaining access to multiple systems.

Each domain contained its own domain accounts and was managed by separate IT staff. Once we fully compromised one domain, we began looking for misconfigured domain trusts and instances of service accounts used in both domains. We discovered a service account that was being used for network performance monitoring, which had local administrator access to multiple systems. This account was used in both domains and had the same password in each one — a configuration that made it easy for our red team to jump from one domain to another.

Check out the post
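One way to build the inventory the question asks about and to surface the "hidden admin" pattern the answer describes, as an added example that is not part of the original question or answer: a PowerShell snapshot of privileged AD group membership plus local Administrators membership on each server, written to a dated CSV, diffed against the previous snapshot, and summarised to show accounts that are local admins on many hosts. It assumes the RSAT ActiveDirectory module, WinRM access to the servers, and an output folder `C:\AdminInventory` (all assumptions).

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module,
# WinRM to the servers, and the snapshot folder below.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Server Operators', 'Backup Operators')
$Servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' |
           Select-Object -ExpandProperty DNSHostName
$Stamp  = Get-Date -Format 'yyyyMMdd'
$OutDir = 'C:\AdminInventory'   # assumption: where dated snapshots are kept
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Domain level: -Recursive expands nested groups so indirect admins are counted
$domainRows = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Scope = 'Domain'; Host = $env:USERDNSDOMAIN; Group = $g
                           Member = $_.SamAccountName; Class = $_.objectClass }
    }
}

# 2. Local Administrators on every server, collected over WinRM
$localRows = Invoke-Command -ComputerName $Servers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{ Scope = 'Local'; Host = $env:COMPUTERNAME; Group = 'Administrators'
                           Member = $_.Name; Class = $_.ObjectClass }
    }
} | Select-Object Scope, Host, Group, Member, Class

$all = @($domainRows) + @($localRows)
$all | Export-Csv -NoTypeInformation -Path "$OutDir\admins-$Stamp.csv"

# 3. Diff against the previous snapshot so every addition/removal gets reviewed
$prev = Get-ChildItem "$OutDir\admins-*.csv" | Where-Object Name -ne "admins-$Stamp.csv" |
        Sort-Object Name | Select-Object -Last 1
if ($prev) {
    $old = @(Import-Csv $prev.FullName | ForEach-Object { "$($_.Scope)|$($_.Host)|$($_.Group)|$($_.Member)" })
    $new = @($all | ForEach-Object { "$($_.Scope)|$($_.Host)|$($_.Group)|$($_.Member)" })
    if ($old.Count -and $new.Count) {
        Compare-Object $old $new | ForEach-Object {
            $tag = if ($_.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
            Write-Output "$tag $($_.InputObject)"
        }
    }
}

# 4. Accounts that are local admins on many hosts: the service-account pattern to review first
$all | Where-Object Scope -eq 'Local' | Group-Object Member | Where-Object Count -ge 5 |
    Sort-Object Count -Descending |
    Select-Object @{n='Member';e={$_.Name}}, @{n='HostCount';e={$_.Count}}
```

Run it on a schedule and feed the ADDED/REMOVED lines to whatever alerting you use; the last table is the list of accounts whose passwords most need to be unique per system.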