10 Reasons Your High-Privilege AD Cleanup Isn’t Working (And How to Fix It)


We have all been there. You kick off an Active Directory (AD) cleanup project with the best of intentions. You pull a report of the "Domain Admins" group, delete a few stale accounts, and feel like the environment is finally getting more secure. But a month later, you realize the actual risk hasn't budged.

The truth is, standard AD cleanup projects often fail because they focus on the tip of the iceberg. Behind the scenes, "shadow privileges" and complex nesting keep your attack surface wide open. In this post, we break down why your AD hygiene efforts might be stalling and how you can shift toward a more effective, automated approach to privileged access discovery.

Intro: The Illusion of a Clean Directory

Cleaning up AD is not just about deleting old users. It is about understanding the paths an attacker could take to reach your most sensitive assets. Most enterprises treat AD hygiene as a box-ticking exercise. We find that without deep visibility, these projects provide a false sense of security while leaving critical "backdoors" open.

Here are 10 reasons your high-privilege AD cleanup isn't working as expected.


1. You Are Only Looking at the "Big Three" Groups

Most cleanup efforts start and end with Domain Admins, Enterprise Admins, and Schema Admins. While these are critical, they are far from the only way to gain high-level control.

Attackers rarely go straight for the "Domain Admin" group membership. Instead, they look for accounts with delegated rights over OUs, GPOs, or computer objects. If an account has the right to reset the password of a Domain Admin, that account is effectively a Domain Admin, even if it isn't in the group. We call these "Shadow Admins," and they are often completely ignored during manual cleanups.

2. The Nightmare of Nested Groups

Nesting is the practice of placing one group inside another. It is great for administration but terrible for visibility.

When you look at a privileged group's member list, you might only see three groups. But if those groups contain five more groups, which in turn contain twenty users, you have a massive visibility gap. Manually untangling these relationships is nearly impossible at scale. Without a tool that can flatten these hierarchies and show the "effective permissions" of every user, your cleanup will always miss hidden members who inherit high privileges through complex nesting.

[Figure: Nested Group Complexity]
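One way to flatten a privileged group's nesting while keeping the path through which each member inherits the privilege, as an added example (not OrbisID's code). It assumes the RSAT ActiveDirectory module is installed and the caller has read access to the domain.

```powershell
# Added example: flatten a privileged group's nested membership, recording the
# chain of groups that grants each effective member the privilege.
Import-Module ActiveDirectory

function Get-EffectiveMembers {
    param(
        [Parameter(Mandatory)] [string] $GroupDN,
        [string[]] $Path = @(),
        [hashtable] $Visited = @{}
    )
    # Cycle guard: in messy domains nested groups can contain each other.
    if ($Visited.ContainsKey($GroupDN)) { return }
    $Visited[$GroupDN] = $true

    $group = Get-ADGroup -Identity $GroupDN -Properties member
    $currentPath = $Path + $group.Name

    foreach ($memberDN in $group.member) {
        $obj = Get-ADObject -Identity $memberDN -Properties objectClass, samAccountName
        if ($obj.objectClass -eq 'group') {
            # Recurse into the nested group, extending the path.
            Get-EffectiveMembers -GroupDN $memberDN -Path $currentPath -Visited $Visited
        }
        else {
            # Leaf member: user, computer, gMSA, or a foreign security principal
            # (which has no samAccountName, so fall back to its name).
            $name = if ($obj.samAccountName) { $obj.samAccountName } else { $obj.Name }
            [pscustomobject]@{
                Member = $name
                Class  = $obj.objectClass
                Depth  = $currentPath.Count - 1     # 0 = direct member
                Path   = ($currentPath -join ' -> ')
            }
        }
    }
}

# Report every effective member of Domain Admins, deepest nesting first,
# so the members hidden behind several layers of groups stand out.
Get-EffectiveMembers -GroupDN (Get-ADGroup 'Domain Admins').DistinguishedName |
    Sort-Object Depth -Descending |
    Format-Table Member, Class, Depth, Path -AutoSize
```

Get-ADGroupMember -Recursive returns the same leaf set but discards the path, which is exactly what you need when asking an owner why a given account is there.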

3. Ignoring ACL-Based Privileges

Access Control Lists (ACLs) are the hidden engine of AD permissions. A user might not be in any "Admin" group, but they could have GenericAll or WriteMember permissions on a sensitive object.

These permissions allow a user to modify who belongs to a group or even take ownership of an object. Traditional reporting tools often fail to scan the underlying ACLs, meaning you are only seeing half the picture. If your cleanup doesn't include a full scan of security descriptors, you aren't actually cleaning up your privileged access.

[Figure: Identifying Shadow Privilege with OrbisID]
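The ACL scan described in this section and the "Shadow Admin" case from reason 1 (a trustee who can reset a Domain Admin's password without being in the group), as an added example that is not OrbisID's code. It assumes the RSAT ActiveDirectory module; the list of expected trustees and the target objects are illustrative and should be adjusted per domain.

```powershell
# Added example: walk the security descriptors of Tier-0 objects and report
# trustees holding control rights outside the expected admin principals.
Import-Module ActiveDirectory
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

# Well-known schema / extended-right GUIDs (domain independent).
$MemberAttribute   = 'bf9679c0-0de6-11d0-a285-00aa003049e2'   # member attribute
$ForceChangePasswd = '00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password
$AnyObjectType     = '00000000-0000-0000-0000-000000000000'   # ACE covers everything

# Trustees whose control rights are expected (illustrative); anything else is a finding.
$domain   = $env:USERDOMAIN
$Expected = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
              "$domain\Domain Admins", "$domain\Enterprise Admins")

function Test-Right([System.DirectoryServices.ActiveDirectoryRights] $Have, $Want) {
    ($Have -band $Want) -eq $Want
}

function Find-ShadowPrivilege {
    param([Parameter(Mandatory)] [string[]] $TargetDN)
    foreach ($dn in $TargetDN) {
        foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Expected -contains $ace.IdentityReference.Value) { continue }
            $r  = $ace.ActiveDirectoryRights
            $on = $ace.ObjectType.ToString()   # attribute or extended right the ACE is scoped to
            $why = if (Test-Right $r $ADR::GenericAll) { 'Full control of the object' }
                elseif ((Test-Right $r $ADR::WriteDacl) -or (Test-Right $r $ADR::WriteOwner)) { 'Can rewrite the ACL or take ownership' }
                elseif (Test-Right $r $ADR::GenericWrite) { 'Can write every attribute' }
                elseif ((Test-Right $r $ADR::WriteProperty) -and ($on -in $MemberAttribute, $AnyObjectType)) { 'Can change group membership' }
                elseif ((Test-Right $r $ADR::ExtendedRight) -and ($on -in $ForceChangePasswd, $AnyObjectType)) { 'Can reset the password' }
            if ($why) {
                [pscustomobject]@{ Object = $dn; Trustee = $ace.IdentityReference.Value
                                   Inherited = $ace.IsInherited; Why = $why }
            }
        }
    }
}

# Illustrative Tier-0 targets: the DA group itself, the AdminSDHolder template
# (its ACL is stamped onto every protected account), and the domain head.
$domainDN = (Get-ADDomain).DistinguishedName
Find-ShadowPrivilege -TargetDN @(
    (Get-ADGroup 'Domain Admins').DistinguishedName,
    "CN=AdminSDHolder,CN=System,$domainDN",
    $domainDN
) | Format-Table -AutoSize
```

Every row is either a documented delegation with a named owner or a shadow privilege to remove; the Inherited column tells you whether to fix the object or its parent.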

4. Kerberos Delegation is Still Enabled

Kerberos delegation is a powerful feature that allows a service to impersonate a user. However, unconstrained delegation or poorly configured Resource-Based Constrained Delegation (RBCD) can be exploited to "mint" privileged tickets.

If your cleanup project doesn't audit which accounts are allowed to delegate, you are leaving a massive hole in your IAM governance. Attackers can use these delegation paths to impersonate a Domain Admin and move laterally through your network without ever needing to crack a password.
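An audit of the delegation paths this section asks for, as an added example (not OrbisID's code): it inventories unconstrained, constrained and resource-based delegation, and lists the Domain Admins that are still delegatable. It assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example: inventory every Kerberos delegation configuration in the domain
# and the privileged users that lack the "cannot be delegated" protection.
Import-Module ActiveDirectory

$TRUSTED_FOR_DELEGATION         = 0x0080000   # userAccountControl bit: unconstrained
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained with protocol transition
$BitAnd = '1.2.840.113556.1.4.803'            # LDAP bitwise-AND matching rule

function Get-DelegationExposure {
    # Domain controllers are unconstrained by design; everything else is a finding.
    $dcDNs = (Get-ADDomainController -Filter *).ComputerObjectDN

    Get-ADObject -LDAPFilter "(userAccountControl:${BitAnd}:=${TRUSTED_FOR_DELEGATION})" -Properties samAccountName |
        Where-Object { $dcDNs -notcontains $_.DistinguishedName } |
        ForEach-Object {
            [pscustomobject]@{ Account = $_.samAccountName; Kind = 'Unconstrained'
                               Detail  = 'Holds forwarded TGTs of every user that authenticates to it' }
        }

    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
        -Properties samAccountName, msDS-AllowedToDelegateTo, userAccountControl |
        ForEach-Object {
            $transition = ($_.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
            [pscustomobject]@{
                Account = $_.samAccountName
                Kind    = if ($transition) { 'Constrained + protocol transition' } else { 'Constrained' }
                Detail  = 'To: ' + ($_.'msDS-AllowedToDelegateTo' -join ', ')
            }
        }

    # RBCD is stored on the target: its descriptor names who may delegate to it.
    Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -Properties msDS-AllowedToActOnBehalfOfOtherIdentity |
        ForEach-Object {
            $allowed = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'.Access.IdentityReference.Value
            [pscustomobject]@{ Account = $_.SamAccountName; Kind = 'RBCD target'
                               Detail  = 'Trusts: ' + ($allowed -join ', ') }
        }
}

# Privileged users should carry "sensitive and cannot be delegated" or sit in
# Protected Users; any other Domain Admin can be impersonated via the paths above.
function Get-DelegatableAdmins {
    $protected = (Get-ADGroupMember 'Protected Users' -Recursive).DistinguishedName
    Get-ADGroupMember 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties AccountNotDelegated |
        Where-Object { -not $_.AccountNotDelegated -and $protected -notcontains $_.DistinguishedName } |
        Select-Object SamAccountName, DistinguishedName
}

Get-DelegationExposure | Format-Table -AutoSize
Get-DelegatableAdmins  | Format-Table -AutoSize
```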

5. Tier-0 Adjacent Systems are Out of Scope

AD does not exist in a vacuum. It relies on hypervisors, backup systems, ADFS, and Entra Connect (Azure AD Connect).

If someone is an administrator on the hypervisor hosting your Domain Controllers, they are effectively a Domain Admin. If they can access the backup tapes containing your NTDS.dit file, they own your domain. Most AD cleanups stay strictly within the directory, ignoring the "Tier-0" infrastructure that supports it. To fix this, we must expand the scope of discovery to include all systems that can influence AD security.

6. You Are Still Using Spreadsheets

If your "discovery" process involves exporting CSVs and manually color-coding rows in Excel, you have already lost.

AD is dynamic. By the time you finish your spreadsheet, it is already out of date. Manual auditing is prone to human error, fails to capture transitive permissions, and creates "audit fatigue." Automated privileged access discovery is the only way to keep pace with the constant changes in a modern enterprise environment.

[Figure: From Manual Spreadsheets to Automated Insights]

7. Non-Human Accounts are Forgotten

Service accounts are the "silent killers" of AD security. They are often created with "Domain Admin" rights because "that's the only way the app works," and then they are never touched again.

Because service accounts don't have a human owner complaining about password resets, they often have passwords that never expire and permissions that are way too broad. A successful cleanup must classify accounts into Human and Non-Human categories and apply strict governance to those service accounts that hold high privileges.

8. Lack of Clear Ownership

Who owns the "Exchange Servers" group? Who authorized the new "DevOps Admin" group?

Without clear ownership and a governance framework, AD becomes a "Wild West" where anyone with enough permission can grant access to others. Cleanup projects often fail because the security team doesn't have the authority or the context to delete an account they don't "own." We need to map every privileged account to a responsible owner to ensure long-term hygiene.

9. Cleanup is Seen as a One-Time Event

Security is a process, not a project. Many organizations run a "big cleanup" once every two years to satisfy an auditor.

As soon as the project ends, "privilege creep" sets in. New accounts are created, temporary access is never revoked, and the environment returns to its original messy state. To fix this, you need continuous monitoring and compliance-ready reporting that alerts you the moment a new, unmanaged privileged account appears.

10. The Fear of Breaking Things

The number one reason administrators don't delete old privileged accounts is fear. They don't know what the account does, and they don't want to be the reason the ERP system goes down at 2:00 PM on a Tuesday.

This fear stems from a lack of data. When you have a platform that performs a full PAM Gap Analysis, you can see exactly which accounts are being used, which are managed by your PAM tool, and which are redundant. Data replaces guesswork, allowing you to clean up with confidence.

[Figure: PAM Gap Analysis Dashboard]


Specs: How OrbisID Solves the AD Hygiene Problem

We designed OrbisID specifically to overcome these ten hurdles. Unlike traditional tools that just look at group memberships, our platform provides a comprehensive view of your entire privileged landscape.

  • Automated Discovery: We scan Active Directory, Azure AD, Windows, and Linux to find every privileged identity, including the ones hiding in ACLs and nested groups.
  • Human & Non-Human Classification: We intelligently categorize accounts so you can apply the right governance rules to the right identities.
  • PAM Gap Analysis: We compare your discovered accounts against your existing PAM vault (like CyberArk or Delinea) to show you exactly what is unmanaged.
  • Compliance-Ready Reporting: We map your risks directly to frameworks like NIST, ISO 27001, and SOX, making your next audit a breeze.

[Figure: OrbisID Dashboard Overview]

Conclusion

A successful AD cleanup requires more than just deleting a few users. It requires a shift from manual, point-in-time audits to automated, continuous governance. By addressing shadow privileges, nesting, and unmanaged service accounts, you can finally close the gap between your perceived security and your actual risk.

Ready to see what's actually lurking in your Active Directory? Download OrbisID today and start your first automated discovery scan. For more technical details on how we map risks, check out our documentation.

Published by OrbisID, 2026-05-20.