Why should I care if Domain Admins have file access?

Domain Admins are the most powerful accounts in your Active Directory environment. While they need administrative access to domain controllers and AD, they typically don't need direct access to file servers: Attack target - Compromised Domain Admin credentials give attackers access to everything Ransomware risk - DA accounts can encrypt your entire environment Compliance requirement - Least privilege is mandated by most frameworks Audit trail - Understanding DA access is essential for security reviews Security Principle: Domain Admins should use separate, non-privileged accounts for day-to-day file access.

Should I remove Domain Admins from all file permissions?

Not necessarily. Some Domain Admin access is legitimate: SYSVOL and NETLOGON - Required for Group Policy and logon scripts Administrative shares - C$, ADMIN$ for remote administration Backup locations - May need access for backup operations However, Domain Admins should NOT have explicit permissions on: User data shares Department folders Application data (unless specifically required) Use the audit results to identify and remove unnecessary DA access, not all access.

What's the difference between Domain Admins and local Administrators?

These are different groups with different scopes: Domain Admins - AD group with admin rights across all domain-joined systems Local Administrators - Machine-specific group with admin rights on that system only Enterprise Admins - Forest-wide admin rights (multi-domain environments) Domain Admins are automatically added to the local Administrators group on domain-joined machines, so they inherit local admin rights everywhere. See our separate guide on Local Administrator Access for auditing local admin permissions.

How do Domain Admins get file permissions they shouldn't have?

Common sources of inappropriate Domain Admin file access: Troubleshooting shortcuts - Admin grants DA access to fix a problem and forgets to remove it Application installers - Some software grants broad permissions during installation Migration artifacts - Permissions carried over from older systems Backup software - May grant DA access to backup folders Misunderstanding - Admins thinking DA access is required when it isn't Regular auditing catches these accumulations before they become security incidents.

What are tiered administration models and how do they relate to this?

Tiered administration (also called the Admin Tiering Model or PAW architecture) separates administrative privileges into tiers: Tier 0 - Domain controllers, AD, PKI - Domain Admin level Tier 1 - Member servers, applications - Server Admin level Tier 2 - Workstations, user devices - Workstation Admin level In this model, Domain Admins (Tier 0) should never access Tier 1 or Tier 2 resources directly. Finding DA permissions on file servers (Tier 1) or user shares (Tier 2) indicates a tiering violation. Microsoft Guidance: Microsoft's Privileged Access Strategy recommends strict separation between tier levels.

Tracking Domain Admin Access Across Your File System

Domain Administrator accounts are the keys to your kingdom. These highly privileged accounts have unrestricted access to Active Directory and, by default, administrative rights on every domain-joined system. Understanding where Domain Admins have file system access is essential for privileged access management, security hardening, and compliance.

This guide explains why tracking Domain Admin file access matters, how to audit it effectively, and the best practices for minimizing privileged account exposure on your file servers.

Why Domain Admin Access Matters

The Risk of Privileged Account Compromise

Domain Admin accounts are the primary target for attackers because compromising one provides:

Complete domain control - Full access to Active Directory
Lateral movement capability - Access to all domain-joined systems
Persistence mechanisms - Ability to create backdoors throughout the environment
Data access - If DA has file permissions, attackers get those too

Attack Scenario: When ransomware operators compromise a Domain Admin account, they can encrypt every file server where that account has write access. Limiting DA file permissions reduces the blast radius of such attacks.

The Principle of Least Privilege

Security best practices and compliance frameworks require that accounts have only the minimum permissions necessary for their function:

Domain Admins should administer AD - Not access user files
File server admins should manage file servers - With separate accounts
Users should access their data - Through appropriate security groups

Finding Domain Admin permissions on file shares often indicates a violation of least privilege.

Compliance Requirements

Multiple frameworks require privileged access controls:

PCI-DSS - Requirement 7: Restrict access on a need-to-know basis
HIPAA - Minimum necessary standard for access to PHI
SOX - Separation of duties and access controls
CIS Controls - Control 5: Account Management, Control 6: Access Control
NIST 800-53 - AC-6: Least Privilege

What Access is Legitimate?

Before auditing, understand what Domain Admin file access is expected:

Expected Domain Admin Access

SYSVOL - Group Policy storage (required)
NETLOGON - Logon scripts (required)
Domain controller local drives - AD database, logs
Administrative shares (C$, ADMIN$) - Remote administration
Backup infrastructure - May require DA for system state backups

Potentially Inappropriate Access

User home directories - No legitimate need
Department shares - Should use department groups
Application folders - Should use service accounts
Public shares - Should use appropriate groups
Any explicit "Domain Admins" ACE - Usually indicates manual misconfiguration

Key distinction: Domain Admins inherently have administrative access through the local Administrators group. Finding explicit Domain Admins permissions in ACLs usually indicates intentional (and often inappropriate) configuration.

Auditing Domain Admin File Access

Permissions Reporter can identify all locations where Domain Admins have been granted explicit file system permissions.

Step 1: Configure Your Scan

Launch Permissions Reporter
Create a new project
Add your file server paths (exclude domain controllers for this audit)
Enable group expansion to resolve nested memberships
Run the scan

Step 2: Apply the Domain Admin Filter

After the scan completes, click the Filter dropdown in the main toolbar
Select Edit Post-Scan Filter to open the filter editor
In the filter editor toolbar, click the Quick button
Select "Permissions allowing domain admin access" from the quick filter menu
Click Apply to filter the results

What the filter finds: This preset identifies permissions where the Domain Admins group (or members of Domain Admins) has been explicitly granted access. It helps you distinguish between inherited administrative access and explicit grants.

Step 3: Analyze the Results

For each result, evaluate whether the access is appropriate:

Check the path - Is this a location where DA access makes sense?
Check the permission level - Full Control vs. Read vs. Modify
Check inheritance - Is this explicitly set or inherited?
Document findings - Note legitimate vs. suspicious access

Step 4: Export and Report

Export findings for review and action:

Click Export to save the filtered results
Use Excel format for analysis and tracking
Share with your security team for review
Create a remediation plan for inappropriate access

Remediation Strategies

Remove Explicit Domain Admin Permissions

For locations where Domain Admins shouldn't have explicit access:

# PowerShell: Remove explicit Domain Admins permissions
$path = "D:\SharedData\Finance"
$acl = Get-Acl $path

# Find Domain Admins rules
$daRules = $acl.Access | Where-Object {
    $_.IdentityReference.Value -like "*Domain Admins*" -and
    -not $_.IsInherited  # Only explicit, not inherited
}

foreach ($rule in $daRules) {
    $acl.RemoveAccessRule($rule)
    Write-Host "Removed: $($rule.IdentityReference) from $path"
}

Set-Acl $path $acl

Best practice: Only remove explicit Domain Admin permissions. Inherited permissions through the local Administrators group are often legitimate for administrative purposes.

Implement Administrative Tiering

Adopt a tiered administration model to properly separate privileges:

Create Tier 1 admin accounts - For server administration (not DA)
Create file server admin groups - Specific to file server management
Use Privileged Access Workstations (PAW) - Dedicated admin machines
Implement Just-In-Time (JIT) access - Temporary privilege elevation

Replace DA with Appropriate Groups

Where administrative access is legitimately needed, use more appropriate groups:

File Server Admins - Custom group for file server management
Backup Operators - For backup-related access
Server Operators - For server management tasks
Application-specific groups - For application requirements

Ongoing Monitoring

Schedule Regular Audits

Set up recurring scans to catch new Domain Admin permissions:

Use Permissions Reporter's scheduler for automated scans
Configure email notifications for report delivery
Run monthly audits at minimum
Use report comparison to identify changes

Domain Admin File Access Audit