Last updated: April 29, 2026
Every object in Active Directory has an Access Control List. Over twenty years, those ACLs accumulate: helpdesk delegations, application installers’ rights, service account permissions, legacy admin groups. Most organizations have never audited their AD ACLs comprehensively. Attackers use BloodHound to find the exceptions, and those exceptions are usually the fastest path to Domain Admin.
Why ACL abuse is ubiquitous
AD’s ACL model is powerful. You can delegate “password reset on this OU” to the helpdesk, “join this computer to the domain” to a specific service account, and “modify group membership” to a manager. Each delegation is justified individually; taken together, and left to accumulate over time, they become an attack surface.
Unlike misconfigurations that can be “fixed by policy,” ACL sprawl is operationally entangled. You can’t just remove the helpdesk’s password-reset right without breaking the helpdesk. You have to audit each delegation, justify it, and sometimes refactor it.
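As an added illustration of that audit-and-justify loop (example code, not from the original page), the following Python triages an exported list of ACEs against a table of delegations the audit has signed off on, reporting only control-granting rights that are neither built-in nor covered by a justified scope. The ACE records, principal names, distinguished names and the justified-delegation table are constructed for the example.

```python
# Triage exported AD ACEs (constructed input; a real run feeds Get-Acl or SharpHound exports).
from dataclasses import dataclass

# Rights that hand the holder control of the target object or its identity.
CONTROL_RIGHTS = {
    "GenericAll": "full control of the object",
    "WriteDacl": "can rewrite the object's ACL",
    "WriteOwner": "can take ownership, then rewrite the ACL",
    "ForceChangePassword": "can reset the password without the old one",
    "AddMember": "can change group membership",
}
# Principals expected to hold control rights on every object; never findings.
BUILTIN_PRINCIPALS = {"SYSTEM", "Administrators", "Domain Admins", "Enterprise Admins"}

@dataclass(frozen=True)
class Ace:
    target: str      # distinguished name the ACE is set on
    principal: str   # account or group holding the right
    right: str       # BloodHound-style right name
    inherited: bool  # inherited from a parent OU rather than set directly

def in_scope(target_dn, scope_dn):
    """True if target_dn is scope_dn itself or lies beneath it."""
    return target_dn == scope_dn or target_dn.endswith("," + scope_dn)

def triage(aces, justified):
    """Return (ace, explanation) for every ACE granting a control right to a
    principal that is neither built-in nor covered by `justified`, a set of
    (principal, right, scope_dn) triples recorded during the audit."""
    findings = []
    for ace in aces:
        if ace.right not in CONTROL_RIGHTS or ace.principal in BUILTIN_PRINCIPALS:
            continue
        if any(p == ace.principal and r == ace.right and in_scope(ace.target, s)
               for p, r, s in justified):
            continue
        how = "inherited" if ace.inherited else "explicit"
        findings.append((ace, f"{how} {ace.right}: {CONTROL_RIGHTS[ace.right]}"))
    return findings

# Constructed sample: two justified delegations, two leftovers, one harmless read.
SAMPLE_ACES = [
    Ace("CN=alice,OU=Users,DC=corp,DC=local", "Helpdesk", "ForceChangePassword", True),
    Ace("CN=svc-backup,OU=Service,DC=corp,DC=local", "Helpdesk", "ForceChangePassword", False),
    Ace("CN=Tier1-Ops,OU=Groups,DC=corp,DC=local", "mgr-bob", "AddMember", False),
    Ace("CN=Domain Admins,CN=Users,DC=corp,DC=local", "app-installer", "WriteDacl", False),
    Ace("CN=alice,OU=Users,DC=corp,DC=local", "Authenticated Users", "ReadProperty", True),
]
JUSTIFIED = {
    ("Helpdesk", "ForceChangePassword", "OU=Users,DC=corp,DC=local"),
    ("mgr-bob", "AddMember", "CN=Tier1-Ops,OU=Groups,DC=corp,DC=local"),
}
```

`triage(SAMPLE_ACES, JUSTIFIED)` reports exactly the two leftovers: the helpdesk's reset right on a service account outside its justified OU, and the installer's WriteDacl on Domain Admins; everything the audit has scoped and justified stays quiet.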