Shadow Admins in Active Directory: The Privilege You Don’t See (Until It’s Too Late)

What Are Shadow Admins

Everyone monitors Domain Admins.

Shadow Admins are accounts with indirect privilege paths — not members of admin groups, but fully capable of compromising the domain.

A Shadow Admin is a user or computer account with effective control over privileged assets, without being in any obvious privileged group.

Example:
A user with GenericWrite on a Domain Admin account object can reset its password, which amounts to full control of that account.

Common Shadow Escalation Paths

1. ACL on AD Objects

Write rights such as GenericAll or GenericWrite on a privileged user, group or computer object, as in the example above.

2. GPO Modification

If a user can edit a GPO that is linked to a privileged OU and that carries startup scripts or scheduled tasks, they can execute code as SYSTEM on every machine in that OU.

3. SIDHistory Abuse

Legacy SIDHistory values that reference admin groups grant those groups' privileges silently, with no group membership to see.

4. Write Access to Critical OUs

A principal that can create users in, or move users into, an OU where elevated GPOs apply can inject privilege that way.

How to Detect Them Using PowerShell

PowerShell – Manual ACL Review

Import-Module ActiveDirectory
# Walk every object in the domain and list ACEs that grant broad write rights on it
Get-ADObject -Filter * -Properties nTSecurityDescriptor | ForEach-Object {
    $dn  = $_.DistinguishedName
    $acl = Get-Acl "AD:\$dn"
    $acl.Access |
        Where-Object { $_.ActiveDirectoryRights -match "GenericAll|GenericWrite" } |
        Select-Object @{Name="Object";Expression={$dn}}, IdentityReference, ActiveDirectoryRights, IsInherited, ObjectType
}
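The review above lists every GenericAll/GenericWrite ACE in the domain, which is a lot of noise. The following is an added example, not code from the original post, that narrows the check to Tier 0 objects and to holders outside an allow list of expected administrators, and adds the GPO and SIDHistory checks for the other escalation paths. It assumes the ActiveDirectory and GroupPolicy RSAT modules, a read-only account, and a single-domain forest (the allow list is built from this domain's NetBIOS name).

```powershell
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain
$nb     = $domain.NetBIOSName
# Principals expected to control Tier 0; any other holder of write rights is a Shadow Admin candidate.
$expected = @("NT AUTHORITY\SYSTEM", "BUILTIN\Administrators", "$nb\Domain Admins",
              "$nb\Enterprise Admins", "$nb\Administrator", "CREATOR OWNER")
# Tier 0 objects: domain head, AdminSDHolder, Domain Controllers OU, Domain Admins and its members.
$tier0 = @($domain.DistinguishedName,
           "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)",
           $domain.DomainControllersContainer,
           (Get-ADGroup "Domain Admins").DistinguishedName) +
         @(Get-ADGroupMember "Domain Admins" -Recursive | ForEach-Object DistinguishedName)
# Rights that amount to control of the object. ExtendedRight only counts when it is
# "all extended rights" (null GUID) or the password-reset right (User-Force-Change-Password).
$rightsRegex = "GenericAll|GenericWrite|WriteDacl|WriteOwner"
$controlExt  = @("00000000-0000-0000-0000-000000000000", "00299570-246d-11d0-a768-00aa006e0529")

# Paths 1 and 4: direct ACEs on Tier 0 objects (the DC OU covers the "critical OU" case).
$aclFindings = foreach ($dn in $tier0) {
    (Get-Acl "AD:\$dn").Access | Where-Object {
        $_.AccessControlType -eq "Allow" -and
        $_.IdentityReference.Value -notin $expected -and
        ($_.ActiveDirectoryRights -match $rightsRegex -or
         ($_.ActiveDirectoryRights -match "ExtendedRight" -and $_.ObjectType.Guid -in $controlExt))
    } | Select-Object @{n="Object";e={$dn}}, IdentityReference, ActiveDirectoryRights, IsInherited
}

# Path 2: who can edit the GPOs that apply to the Domain Controllers OU (linked or inherited)?
$dcLinks = (Get-GPInheritance -Target $domain.DomainControllersContainer).InheritedGpoLinks
$gpoFindings = foreach ($link in $dcLinks) {
    Get-GPPermission -Guid $link.GpoId -All | Where-Object {
        "$($_.Permission)" -in @("GpoEdit", "GpoEditDeleteModifySecurity") -and
        "$($_.Trustee.Domain)\$($_.Trustee.Name)" -notin $expected
    } | Select-Object @{n="GPO";e={$link.DisplayName}}, @{n="Trustee";e={$_.Trustee.Name}}, Permission
}

# Path 3: every account carrying SIDHistory; each one should be a documented migration artefact.
$sidHistory = Get-ADObject -LDAPFilter "(sIDHistory=*)" -Properties sIDHistory |
              Select-Object DistinguishedName, @{n="SIDHistory";e={$_.sIDHistory.Value -join ","}}

$aclFindings | Format-Table -AutoSize
$gpoFindings | Format-Table -AutoSize
$sidHistory  | Format-Table -AutoSize
```

Anything printed by the first two tables is a principal that is not in your admin groups but controls a Tier 0 object or a DC policy; each row needs either a documented reason or a removed ACE.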

How to Mitigate

  • Tiering: isolate Tier 0 assets (DCs, admin accounts)
  • Audit AD ACLs regularly
  • Eliminate unnecessary delegations
  • Enforce least privilege
  • Use an ESAE model or an Admin Forest

Final Notes

Shadow Admins don't show up in net group "Domain Admins" /domain, but they can become Domain Admins if you don't check who controls what.

Audit now. Every GenericWrite on a privileged object is an attacker’s entry point.