Security assessment: Remove non-admin accounts with DCSync permissions

This article describes the Remove non-admin accounts with DCSync permissions security assessment, which identifies risky DCSync permission settings.

Why might the DCSync permission be a risk?

Accounts with the DCSync permission can initiate domain replication. Attackers can potentially exploit domain replication to gain unauthorized access, manipulate domain data, or compromise the integrity and availability of your Active Directory environment.

It's crucial to carefully manage and restrict which accounts hold this permission to ensure the security and integrity of your domain replication process.

How do I use this security assessment to improve my organizational security posture?

  1. Review the recommended action at https://security.microsoft.com/securescore?viewid=actions for Remove non-admin accounts with DCSync permissions.

    For example: [Screenshot of the Remove non-admin accounts with DCSync permissions security assessment]

  2. Review this list of exposed entities to discover which of your accounts have DCSync permissions but are not domain admins.

  3. Take appropriate action on those entities by removing their privileged access rights.
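
To check the same condition locally, here is an added PowerShell audit that is not part of this article or of Defender for Identity: it reads the domain naming context ACL, lists every principal holding the replication extended rights that together enable DCSync, and flags those outside an expected-principal list. The $ExpectedPrincipals list is an assumption and should be adjusted to your environment.

```powershell
# Added example (not from the Microsoft article): audit which principals hold
# DCSync-capable replication rights on the domain naming context and flag any
# that are not expected privileged principals. Requires the ActiveDirectory
# RSAT module and read access to the domain object's security descriptor.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs for the replication permissions behind DCSync
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

$domain = Get-ADDomain
# Principals expected to hold these rights (assumption; tune for your forest)
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators',
    "$($domain.NetBIOSName)\Domain Controllers",
    "$($domain.NetBIOSName)\Enterprise Read-only Domain Controllers",
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins"
)

$acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"

$findings = $acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $ReplicationRights.ContainsKey($_.ObjectType.ToString())
    } |
    Group-Object IdentityReference |
    ForEach-Object {
        $rights = $_.Group | ForEach-Object { $ReplicationRights[$_.ObjectType.ToString()] } | Sort-Object -Unique
        [pscustomobject]@{
            Principal = $_.Name
            Rights    = ($rights -join ', ')
            # Get-Changes alone is not enough; paired with Get-Changes-All it allows DCSync
            CanDCSync = (($rights -contains 'DS-Replication-Get-Changes') -and
                         ($rights -contains 'DS-Replication-Get-Changes-All'))
            Expected  = ($ExpectedPrincipals -contains $_.Name)
        }
    }

# Show everything, then highlight the entries this assessment would surface
$findings | Format-Table -AutoSize
$findings | Where-Object { $_.CanDCSync -and -not $_.Expected } |
    ForEach-Object { Write-Warning "Unexpected DCSync-capable principal: $($_.Principal) ($($_.Rights))" }
```

The script only matches explicit replication ACEs; principals holding GenericAll or WriteDacl on the domain object can grant themselves the same rights, so review those entries in the ACL as well.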

To achieve the maximum score, remediate all exposed entities.

Note

While assessments are updated in near real time, scores and statuses are updated every 24 hours. While the list of impacted entities is updated within a few minutes after you implement the recommendations, the status may still take time until it's marked as Completed.

The reports show the affected entities from the last 30 days. After that time, entities no longer affected will be removed from the exposed entities list.

Next steps