Why AD Hygiene Matters
Active Directory is the authentication and authorization backbone for most Windows environments. Stale accounts, over-privileged users, and replication failures are among the top footholds attackers exploit after initial access. Regular checks cost minutes and prevent breaches.
1. Replication Status
AD replication failures are silent until they aren't. Run this from any domain controller:
repadmin /replsummary
repadmin /showrepl
# Look for any "FAIL" entries or consecutive failures > 0
2. Stale and Disabled Accounts
Accounts inactive for 90+ days should be disabled. Accounts inactive for 180+ days should be deleted or archived. Use PowerShell to pull the list:
# Users inactive for 90+ days
$cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter {LastLogonDate -lt $cutoff -and Enabled -eq $true} `
-Properties LastLogonDate | Select Name, LastLogonDate | Sort LastLogonDate
3. Domain Admin Membership
Domain Admins should have as few members as possible — ideally named individuals, no service accounts, no generic admin accounts. Run this and compare against your known-good baseline:
Get-ADGroupMember -Identity "Domain Admins" -Recursive | Select Name, SamAccountName, ObjectClass
4. Password Policy and Expired Accounts
# Accounts with passwords that never expire
Get-ADUser -Filter {PasswordNeverExpires -eq $true -and Enabled -eq $true} `
-Properties PasswordNeverExpires | Select Name, SamAccountName
Service accounts with non-expiring passwords are acceptable if documented. User accounts with non-expiring passwords are not. Flag and remediate.
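The three account checks above (stale accounts, Domain Admin membership, non-expiring passwords) are easier to run on a schedule when they produce one finding per row instead of three ad-hoc listings. The script below is an added example, not code from the original post. It assumes the ActiveDirectory module is available and the caller can read the queried attributes; the baseline and service-account lists are constructed placeholders that you would replace with your own documented values.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Known-good Domain Admins baseline (constructed placeholder values).
$DomainAdminBaseline = @('alice.admin', 'bob.admin')
# Documented service accounts allowed non-expiring passwords (constructed placeholders).
$DocumentedServiceAccounts = @('svc-backup', 'svc-sql')

function Get-StaleAccountReport {
    # Classifies enabled users into the two tiers from the post:
    # 90+ days -> disable, 180+ days -> archive or delete.
    # LastLogonDate is derived from lastLogonTimestamp, which replicates lazily
    # (it can lag real activity by up to about 14 days), so treat it as a lower
    # bound on inactivity rather than an exact value.
    param([int]$DisableAfterDays = 90, [int]$ArchiveAfterDays = 180)
    $disableCutoff = (Get-Date).AddDays(-$DisableAfterDays)
    $archiveCutoff = (Get-Date).AddDays(-$ArchiveAfterDays)
    Get-ADUser -Filter {Enabled -eq $true} -Properties LastLogonDate, whenCreated |
        ForEach-Object {
            # Accounts that never logged on have no LastLogonDate; a plain
            # "-lt $cutoff" filter silently drops them, so age them from creation.
            $lastActivity = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
            $tier = if ($lastActivity -lt $archiveCutoff) { 'ArchiveOrDelete' } `
                    elseif ($lastActivity -lt $disableCutoff) { 'Disable' } `
                    else { $null }
            if ($tier) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    LastActivity   = $lastActivity
                    Finding        = $tier
                }
            }
        }
}

function Compare-DomainAdmins {
    # Diffs recursive Domain Admins membership against the documented baseline.
    param([string[]]$Baseline)
    $members = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive)
    $current = @($members | ForEach-Object { $_.SamAccountName })
    # Extra members are the obvious finding; missing ones are worth a look too,
    # since a baseline that drifts in either direction is no longer a baseline.
    Compare-Object -ReferenceObject $Baseline -DifferenceObject $current | ForEach-Object {
        $status = if ($_.SideIndicator -eq '=>') { 'NotInBaseline' } else { 'MissingFromGroup' }
        [pscustomobject]@{ SamAccountName = $_.InputObject; LastActivity = $null; Finding = $status }
    }
    # Nested groups and computer objects in Domain Admins deserve review regardless.
    $members | Where-Object { $_.objectClass -ne 'user' } | ForEach-Object {
        [pscustomobject]@{ SamAccountName = $_.SamAccountName; LastActivity = $null; Finding = "NonUserMember:$($_.objectClass)" }
    }
}

function Get-NonExpiringPasswordFindings {
    # Enabled accounts with PasswordNeverExpires that are not on the documented list.
    param([string[]]$Documented)
    Get-ADUser -Filter {PasswordNeverExpires -eq $true -and Enabled -eq $true} `
        -Properties PasswordNeverExpires, PasswordLastSet |
        Where-Object { $Documented -notcontains $_.SamAccountName } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                LastActivity   = $_.PasswordLastSet
                Finding        = 'UndocumentedNonExpiringPassword'
            }
        }
}

# One row per finding, suitable for Export-Csv or a ticketing hook.
$report = @(
    Get-StaleAccountReport
    Compare-DomainAdmins -Baseline $DomainAdminBaseline
    Get-NonExpiringPasswordFindings -Documented $DocumentedServiceAccounts
)
$report | Sort-Object Finding, SamAccountName | Format-Table -AutoSize
```

The report is deliberately read-only. When you are ready to act on the Disable tier, pipe it through `Disable-ADAccount -WhatIf` first (for example `Get-StaleAccountReport | Where-Object Finding -eq 'Disable' | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }`) and only drop `-WhatIf` once the list matches what you expect.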
5. SYSVOL and NETLOGON Replication
Broken SYSVOL replication means GPOs stop applying across the domain. Check with:
dcdiag /test:sysvolcheck /test:frsevent /test:dfsrevent
Any failures here are urgent.
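Both replication checks in this post (the repadmin commands in section 1 and the dcdiag SYSVOL tests in section 5) print for a human to eyeball. The script below is an added example, not code from the original post, that turns them into objects you can alert on. It assumes repadmin.exe and dcdiag.exe are on the path (a domain controller or a machine with RSAT) and that dcdiag emits English output; the column names are the ones repadmin's documented /csv mode produces, so verify them against your version if parsing breaks.

```powershell
# Added example, not from the original post. Assumes repadmin.exe and dcdiag.exe
# are available and that dcdiag output is in English.

function Get-ReplicationLinkProblems {
    # Parses "repadmin /showrepl * /csv" and reports links that have failed or
    # that have not succeeded recently. A link with zero failures but no success
    # in a day is just as worth a look as one that is actively erroring.
    param(
        [int]$MaxFailures = 0,            # any failure count above this is a finding
        [int]$MaxHoursSinceSuccess = 24   # silence longer than this is a finding too
    )
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        $failures = [int]$r.'Number of Failures'
        $lastOk = $r.'Last Success Time' -as [datetime]   # $null if empty or "never"
        $hoursSinceOk = if ($lastOk) { ((Get-Date) - $lastOk).TotalHours } else { [double]::PositiveInfinity }
        if ($failures -gt $MaxFailures -or $hoursSinceOk -gt $MaxHoursSinceSuccess) {
            [pscustomobject]@{
                Destination = $r.'Destination DSA'
                Source      = $r.'Source DSA'
                Partition   = $r.'Naming Context'
                Failures    = $failures
                LastSuccess = $lastOk
                LastError   = $r.'Last Failure Status'
            }
        }
    }
}

function Get-SysvolTestFailures {
    # dcdiag prints one "......... <DC> passed test <Name>" or "failed test <Name>"
    # line per test; anything matching "failed test" is pulled out here.
    $lines = dcdiag /test:sysvolcheck /test:frsevent /test:dfsrevent
    foreach ($line in $lines) {
        if ($line -match '^\s*\.+\s*(?<dc>\S+)\s+failed test\s+(?<test>\S+)') {
            [pscustomobject]@{ DC = $Matches.dc; Test = $Matches.test }
        }
    }
}

# Run both and fail loudly (non-zero exit) so a scheduled task or monitor notices.
$linkProblems = @(Get-ReplicationLinkProblems)
$sysvolFailures = @(Get-SysvolTestFailures)
$linkProblems | Format-Table -AutoSize
$sysvolFailures | Format-Table -AutoSize
if ($linkProblems.Count -gt 0 -or $sysvolFailures.Count -gt 0) { exit 1 }
```

Running this from a scheduled task on one DC, with the exit code wired to your monitoring, catches the "silent until it isn't" failure mode the post warns about: the link stops succeeding long before anyone notices a GPO not applying.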
