
Active Directory Security Audit — See Every Risk in Your AD Estate

Your Active Directory is the backbone of your identity estate. It is also where attackers spend most of their time. IdentityFirst reads your AD environment and surfaces every risk — in 24 hours, without touching production.

Read-only LDAP bind  •  Results in 24 hours  •  Board-ready PDF report  •  Cyber Essentials certified

Why Active Directory Security Audits Matter

Active Directory is present in the infrastructure of over 90% of enterprises worldwide — and it is the starting point for the majority of sophisticated attacks.

Kerberoasting, Pass-the-Hash, DCSync, Golden Ticket, and Silver Ticket attacks all begin in Active Directory. They succeed not because attackers find zero-day vulnerabilities, but because they find misconfigurations that have existed for years — service accounts registered with RC4-HMAC encryption and passwords that were last changed when Windows XP was current, accounts with unconstrained delegation still set from a 2014 infrastructure project, Domain Admins who accumulated membership through team changes and were never deprivileged.

Manual Active Directory reviews — typically performed by consultants running PowerShell scripts against a sample of the directory — take weeks and only surface what the assessor knows to look for. They miss service accounts in rarely-reviewed OUs, delegation configurations set by long-departed administrators, and accounts whose last logon date predates the GDPR.

IdentityFirst performs a complete enumeration of your Active Directory environment — every user, every group, every computer object, every SPN, every delegation setting, every GPO — and applies a structured risk model to every object. Nothing is sampled. Nothing is missed because the assessor did not think to look there.


What a Proper AD Security Audit Covers

IdentityFirst structures its Active Directory assessment across six risk categories — each mapped to specific attack techniques and compliance controls.

Password Policy & Credential Hygiene

  • Default Domain Policy gaps: minimum length below 12 characters, no lockout threshold
  • Service accounts whose tickets are issued with legacy encryption types only (DES or RC4-HMAC-MD5) — the condition that makes Kerberoasting practical
  • Accounts with PasswordNeverExpires flag set — especially privileged accounts
  • Password spray exposure: accounts without lockout policy and with guessable naming conventions
  • Fine-Grained Password Policies: gaps in PSO application leaving privileged users under weaker policy

Privileged Access

  • Domain Admins count: more than 5 members is considered excessive for most organisations
  • Schema Admins not empty: this group should contain zero members except during schema changes
  • Enterprise Admins permanent membership: all members should be eligible-only, elevated on demand
  • Permanent DA membership vs PIM/JIT elevation: standing Tier-0 access is the single biggest blast-radius driver
  • AdminSDHolder propagation: accounts protected by SDProp with unexpected ACL inheritance blocks

Kerberos Security

  • Kerberoastable SPNs: service accounts whose TGS tickets are encrypted with their RC4-HMAC key — the ticket can be cracked offline to recover the password
  • AS-REP roasting: accounts with the DontRequirePreauth flag — the AS-REP is issued without a credential check and can be cracked offline
  • Unconstrained Delegation: computer or user objects that can impersonate any user to any service
  • Constrained Delegation scope: services delegated to high-value SPNs (CIFS, LDAP on DCs)
  • Resource-Based Constrained Delegation (RBCD): writeable msDS-AllowedToActOnBehalfOfOtherIdentity attributes

Stale & Departed Accounts

  • Accounts inactive for 90+ days that retain active group memberships and SPN registrations
  • Departed employees: correlated against Entra ID and HR connectors where available
  • Orphaned service accounts: SPNs registered but no running service or owner identifiable
  • Disabled accounts that retain membership in privileged or sensitive groups
  • Computer accounts inactive 90+ days — often domain-joined endpoints no longer in use but still trusted
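An added example (not IdentityFirst's code) that applies the account-level checks from the credential-hygiene, privileged-access, Kerberos and stale-account categories above to enumerated LDAP attributes. The 365-day password-age threshold and the treatment of a missing msDS-SupportedEncryptionTypes value as RC4-capable are assumptions, and the sample object is constructed to mirror the Kerberoastable finding further down the page.

```python
from datetime import datetime, timedelta, timezone
# userAccountControl flag bits (documented AD schema values)
ACCOUNTDISABLE, DONT_EXPIRE_PASSWORD = 0x0002, 0x10000
TRUSTED_FOR_DELEGATION, DONT_REQ_PREAUTH = 0x80000, 0x400000  # unconstrained delegation / AS-REP roastable
AES_TYPES = 0x8 | 0x10   # msDS-SupportedEncryptionTypes: DES=0x1|0x2, RC4=0x4, AES128=0x8, AES256=0x10
STALE_DAYS = 90          # threshold used in the audit scope
OLD_PASSWORD_DAYS = 365  # assumed threshold; the page gives no fixed number
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """pwdLastSet/lastLogonTimestamp are 100 ns ticks since 1601-01-01 UTC; 0 means never."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def dt_to_filetime(dt):
    """Inverse conversion, used only to build the constructed sample object below."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def assess(obj, now):
    """Apply the account-level checks to one enumerated object (LDAP attributes as a dict)."""
    uac = int(obj.get("userAccountControl", 0))
    enabled = not uac & ACCOUNTDISABLE
    enc = int(obj.get("msDS-SupportedEncryptionTypes", 0))
    pwd_set = filetime_to_dt(int(obj.get("pwdLastSet", 0)))
    last_logon = filetime_to_dt(int(obj.get("lastLogonTimestamp", 0)))
    findings = []
    # Assumption: absent/zero msDS-SupportedEncryptionTypes means the KDC still issues RC4 tickets.
    if enabled and obj.get("servicePrincipalName") and not enc & AES_TYPES:
        findings.append("kerberoastable")
    if enabled and uac & DONT_REQ_PREAUTH:
        findings.append("asrep-roastable")
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained-delegation")
    if uac & DONT_EXPIRE_PASSWORD and int(obj.get("adminCount", 0)) == 1:
        findings.append("privileged-password-never-expires")
    if pwd_set and (now - pwd_set).days > OLD_PASSWORD_DAYS:
        findings.append(f"password-age-{(now - pwd_set).days}d")
    if enabled and last_logon and (now - last_logon).days > STALE_DAYS and obj.get("memberOf"):
        findings.append("stale-with-group-membership")
    return findings

# Constructed sample object modelled on the Kerberoastable finding on this page (not real data).
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_SVC = {
    "userAccountControl": 0x200 | DONT_EXPIRE_PASSWORD,   # NORMAL_ACCOUNT | PasswordNeverExpires
    "servicePrincipalName": ["MSSQLSvc/charlesriver-db01.corp:1433"],
    "msDS-SupportedEncryptionTypes": 0x4,                # RC4 only
    "pwdLastSet": dt_to_filetime(NOW - timedelta(days=847)),
    "lastLogonTimestamp": dt_to_filetime(NOW - timedelta(days=3)),
    "memberOf": ["CN=SQL-Admins,OU=Groups,DC=corp,DC=local"],
}
```

In a real run the dict comes from the LDAP search result of the read-only bind; the same checks apply unchanged.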

Group Policy

  • GPO misconfigurations: writable GPOs linked to high-value OUs without restricted delegation
  • WMI filter abuse: GPOs with custom WMI filters that could be used to selectively exclude targets
  • Unrestricted software installation: GPOs permitting user-initiated software installs on privileged workstations
  • Audit policy gaps: missing subcategory auditing for logon events, privilege use, and object access
  • LAPS coverage: workstations and servers without Local Administrator Password Solution deployed

Monitoring Gaps

  • Failed logon baseline (Event 4625): whether alerting thresholds are set and tuned for your environment
  • Kerberos TGS anomalies (Event 4769): RC4-HMAC TGS requests indicating Kerberoasting activity
  • LDAP enumeration patterns: reconnaissance queries against AD that are not blocked or alerted
  • DCSync detection (Event 4662): principals holding directory replication rights on the domain naming context that should not hold them, and whether 4662 auditing would record their use
  • Defender for Identity or equivalent: coverage of domain controllers and privileged accounts
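Detection logic for the Event 4769 signal named in the monitoring category above, run over constructed sample records, as an added example (not IdentityFirst's own tooling). The flat key=value record format, the 10-minute window and the three-service threshold are assumptions; the event field names follow the Security log schema for 4769.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 records in a flat key=value form (not real telemetry).
SAMPLE_4769 = """\
2025-01-01T09:00:01Z 4769 TargetUserName=j.doe@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 IpAddress=10.0.1.20
2025-01-01T09:14:02Z 4769 TargetUserName=j.doe@CORP.LOCAL ServiceName=svc_charlesriver_ims TicketEncryptionType=0x17 IpAddress=10.0.1.20
2025-01-01T09:14:03Z 4769 TargetUserName=j.doe@CORP.LOCAL ServiceName=svc_print_mgmt TicketEncryptionType=0x17 IpAddress=10.0.1.20
2025-01-01T09:14:03Z 4769 TargetUserName=j.doe@CORP.LOCAL ServiceName=svc_backup_exec TicketEncryptionType=0x17 IpAddress=10.0.1.20
2025-01-01T09:14:04Z 4769 TargetUserName=j.doe@CORP.LOCAL ServiceName=svc_sql_reporting TicketEncryptionType=0x17 IpAddress=10.0.1.20
2025-01-01T11:30:00Z 4769 TargetUserName=legacyapp@CORP.LOCAL ServiceName=svc_legacy_ims TicketEncryptionType=0x17 IpAddress=10.0.2.5
"""
LINE = re.compile(r"^(\S+) 4769 TargetUserName=(\S+) ServiceName=(\S+) "
                  r"TicketEncryptionType=(0x[0-9a-fA-F]+) IpAddress=(\S+)$")
RC4_HMAC = 0x17  # etype 23; AES128/AES256 tickets are 0x11/0x12 and do not carry this signal

def parse_4769(text):
    """Parse the sample records; lines that do not match are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, user, svc, etype, ip = m.groups()
            events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                           "user": user, "service": svc, "etype": int(etype, 16), "ip": ip})
    return events

def detect_kerberoasting(events, window=timedelta(minutes=10), min_services=3):
    """Flag requesters that received RC4-encrypted service tickets for at least min_services
    distinct non-computer accounts inside one window. One RC4 ticket from a legacy client is
    baseline noise; breadth of SPNs requested by a single principal is the signal."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["etype"] == RC4_HMAC and not e["service"].endswith("$") and e["service"] != "krbtgt":
            by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            services = {e["service"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(services) >= min_services:
                alerts[user] = sorted(services)
                break
    return alerts
```

The legacyapp request is deliberately left unflagged: a single RC4 ticket is the baseline this rule has to tolerate, and the threshold should be tuned against your own 4769 volume.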

Common AD Findings We Discover

These are representative examples of findings from real Active Directory environments — the kind of risk that exists in most organisations and is invisible to manual review.

Kerberoastable Service Account: svc_charlesriver_ims (Critical)

RC4-HMAC encryption. Password age: 847 days. SPN: MSSQLSvc/charlesriver-db01.corp:1433. This account's TGS ticket can be requested from any domain-joined workstation and cracked offline; the only trace is a routine service-ticket request (Event 4769), which goes unnoticed unless RC4 TGS requests are alerted on.

Blast Radius: High — svc_charlesriver_ims has local admin on 14 SQL servers.

Departed Employee Account Still Active: m.blackwood (High)

m.blackwood last logon: 91 days ago. Account enabled. Member of: Senior Analysts, Finance-Reporting-RW, VPN-Users. HR system shows departure date 94 days prior. No leaver process triggered in Active Directory.

Blast Radius: Medium — access to finance reporting SharePoint and VPN.

4 Accounts with Unconstrained Delegation (Critical)

FILESERVER02, LEGACYAPP-SRV, svc_print_mgmt, and svc_backup_exec all hold unconstrained delegation. Any user authenticating to these systems leaves a TGT cached on the host, recoverable by whoever compromises that host.

Blast Radius: Critical — unconstrained delegation provides a path to Domain Admin.

312 Accounts Inactive 90+ Days with Group Membership (High)

312 user accounts have not logged on in over 90 days but remain enabled and retain active group memberships. 17 of these accounts are members of at least one security group granting access to file shares or business applications.

Blast Radius: Medium-High — any of these accounts could be credential-stuffed.

Default Domain Policy: MinPasswordLength = 7 (Medium)

The Default Domain Policy enforces a minimum password length of 7 characters — well below NCSC guidance (minimum 12 for standard accounts, 15 for privileged accounts). No Fine-Grained Password Policy is applied to privileged groups.

Compliance Gap: NIS2 Article 21, Cyber Essentials Plus, NCSC Password Guidance.



How IdentityFirst Audits Active Directory

A structured, five-stage pipeline — from read-only LDAP bind to board-ready report — completed within 24 hours.

1. Read-Only LDAP Bind

IdentityFirst binds to your domain controller using a read-only service account. No Domain Admin rights required. LDAPS or Kerberos encryption enforced.

2. Complete Enumeration

All users, groups, computers, GPOs, and SPNs enumerated in full. No sampling. PasswordNeverExpires, DontRequirePreauth, delegation attributes, AdminCount, and last logon timestamps all captured.

3. Cross-Platform Correlation

AD findings correlated with Okta and Entra ID where connected — surfacing federation gaps, MFA exemptions, and accounts that exist in AD but are not governed by your cloud IDP.

4. Blast Radius Calculation

Every privileged finding is scored by blast radius — how many downstream systems, identities, and data assets are reachable from the compromised account. Tier-0/1/2 privilege weighting applied.

5. Prioritised Report

Board-ready PDF with ranked findings, blast radius analysis, compliance mapping, and step-by-step remediation playbooks — delivered within 24 hours of scan completion.


Active Directory Audit — Common Questions

Straight answers to the questions we hear most often about AD security audits.

How long does an Active Directory security audit take?

IdentityFirst completes a full Active Directory security audit in 24 hours from connector setup. The IdentityMRI™ scan enumerates all users, groups, computers, GPOs, and SPNs in your domain, applies 40+ risk checks, and produces a prioritised findings report with blast radius analysis — all without touching production.

Connector setup typically takes less than an hour: we require a read-only domain service account and LDAP access to your domain controller. No agents, no infrastructure changes.

Does the audit require Domain Admin credentials?

No. IdentityFirst requires only a read-only domain user account with permissions to perform LDAP queries — specifically the ability to read user, group, computer, and GPO objects. No Domain Admin rights are required. During scoping we specify the exact minimum permissions needed, and you can verify them before providing anything.

What is the difference between an AD audit and a penetration test?

A penetration test attempts to exploit vulnerabilities to demonstrate impact — it samples your environment and follows attack paths where they lead. An Active Directory security audit enumerates and assesses the configuration of your entire AD environment — finding every Kerberoastable account, every delegation scope, every stale privileged account — without attempting to exploit them.

An audit gives you the complete picture; a penetration test samples it and demonstrates a subset. Most organisations run an audit first to scope and prioritise, then commission a targeted penetration test against the highest-risk findings.

Which Active Directory versions does IdentityFirst support?

IdentityFirst supports Active Directory Domain Services on Windows Server 2012 R2 and later, including Windows Server 2016, 2019, and 2022. It also supports hybrid environments where on-premises AD is synchronised with Entra ID (Azure AD), and can correlate AD findings with Okta and other federation providers to surface cross-platform identity gaps.

How often should you audit Active Directory?

A full Active Directory security audit should be run at least annually, and after any significant change event: merger or acquisition, major infrastructure project, leadership change, or a security incident.

IdentityFirst runs continuously as standard — detecting new privileged accounts, delegation changes, Kerberoastable SPN additions, and newly stale accounts within hours of the change occurring, not at the next annual review. Continuous monitoring replaces the point-in-time audit model entirely.

Ready to Audit Your Active Directory?

Explore a real IdentityMRI Active Directory audit report, or book a live session to see how IdentityFirst maps your own AD environment — in 24 hours, read-only.


Read-only  •  No agents  •  Results in 24 hours  •  UK-hosted & ICO registered