Domain Users replication rights

Janus Bariñan 1,126 Reputation points


We just found out our Domain Users security group has the following rights:

Replicate Directory Changes, Replicate Directory Changes All and Replicate Directory Changes In Filtered Set

I read about DCSync attacks. Is it safe to remove these permissions from Domain Users and other users that have these permissions that are not part of domain admins?


Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,797 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Yanhong Liu 705 Reputation points Microsoft Vendor

    Hello Janus Bariñan,

    Given that you discovered that the Domain Users security group was granted Replicate the Directory Changes, Replicate Directory Changes All, and Replicate Directory Changes in Filtered Set permissions, this clearly poses a potential security risk. For non-administrator users and non-essential service accounts, from a security perspective, these permissions should be deleted to reduce the possibility of DCSync attacks.

    Best Regards,

    Yanhong Liu


    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments