Active Directory Audit for CMMC and NIST 800-171

An Active Directory audit is a systematic review of your AD environment: user accounts, group memberships, Group Policy Objects, and access controls. For defense contractors handling CUI, this is one of the first things your C3PAO assessor will examine.

Why Active Directory matters for CMMC

Your AD governs every user, computer, and data share in your organization. Attackers rarely need to brute-force their way in. They look for misconfigurations that let them escalate privileges and move laterally across the network.

Common vulnerabilities found in AD audits:

  • Stale accounts. Inactive user or computer accounts left enabled, waiting to be compromised.
  • Overly permissive access. Users and service accounts with more permissions than they need, violating the principle of least privilege.
  • Weak password policies. GPOs configured to allow short, simple, or easily guessable passwords.
  • Unmonitored privileged groups. Accounts added to Domain Admins or Enterprise Admins without detection.

A single compromised service account with excessive permissions can be enough to access CUI repositories, leading to a data breach and a mandatory DFARS reporting incident.

An audit without action is just a to-do list for an attacker. The real work comes from turning findings into a systematic plan to harden your environment.

Defining your audit scope

Trying to audit everything at once is a recipe for getting nowhere. Narrow your focus to high-risk, high-value targets, especially assets that protect CUI.

Privileged accounts. Every member of Domain Admins, Enterprise Admins, and Schema Admins. Also check accounts with delegated admin rights over OUs that house CUI-related systems or users.

High-impact GPOs. GPOs that control password policies, assign user rights, and configure audit settings. A weak password policy linked to an OU touching CUI is a critical finding.

ACLs on CUI file shares. Permissions on file servers and SharePoint sites are the last line of defense for your data. Every ACL must enforce the principle of least privilege. Remember, encrypted CUI is still CUI and requires the same level of safeguarding.

Data sources for your audit

You need evidence from three primary sources:

Data Source | What it contains | Why it matters
----------- | ---------------- | --------------
Windows Security Event Logs | Logon records (success/failure), account changes, GPO modifications, privilege use. Key Event IDs: 4624 (logon), 4720 (user creation), 4732 (member added to security group). | Your activity log: the who, what, when, and where of everything happening in AD.
AD Database (ntds.dit) | All AD objects: users, groups, computers, GPOs. Attributes like password last set, group memberships, and SPNs. | Point-in-time snapshot of your AD configuration. Finds stale accounts, risky nested groups, and misconfigured settings.
Group Policy Objects | GPO files in the SYSVOL share: password policies, user rights assignments, audit settings. | Lets you audit security policies directly from the source.

Data collection with PowerShell

PowerShell is the primary tool for AD auditing. You can uncover the most common and dangerous risks without third-party software.

Finding stale accounts

User accounts inactive for 90+ days are prime targets. This script finds enabled accounts that have not logged in within the threshold:

# Flag enabled user accounts whose last replicated logon is older than the threshold.
# LastLogonTimeStamp replicates with up to 14 days of lag, so treat results as approximate.
Import-Module ActiveDirectory
$inactiveDays = 90
$cutoffDate = (Get-Date).AddDays(-$inactiveDays)
Get-ADUser -Filter {
  (Enabled -eq $true) -and
  ((LastLogonTimeStamp -lt $cutoffDate) -or (LastLogonTimeStamp -notlike "*"))
} -Properties LastLogonTimeStamp, Enabled |
Select-Object Name, DistinguishedName,
  @{Name="LastLogon"; Expression={
    # Accounts that never logged on have no LastLogonTimeStamp at all
    if ($_.LastLogonTimeStamp) { [DateTime]::FromFileTime($_.LastLogonTimeStamp) } else { "Never" }
  }}

Auditing privileged group membership

Direct membership in Domain Admins is easy to check. The real audit value is in recursively checking nested memberships:

Import-Module ActiveDirectory
# -Recursive expands nested groups and returns the leaf users and computers,
# so a user hidden inside a group inside Domain Admins still shows up.
Get-ADGroupMember -Identity "Domain Admins" -Recursive |
Select-Object Name, objectClass, DistinguishedName

You will often find service accounts or entire user groups that have no business holding Domain Admin authority.

Finding accounts with passwords that never expire

A compromised credential with this setting is a permanent backdoor:

Import-Module ActiveDirectory
# Search-ADAccount reads the DONT_EXPIRE_PASSWORD flag; -UsersOnly excludes computer accounts.
Search-ADAccount -PasswordNeverExpires -UsersOnly |
Select-Object Name, DistinguishedName

Centralizing logs with Windows Event Forwarding

PowerShell scripts give you snapshots. For ongoing visibility, you need centralized logging. Windows Event Forwarding (WEF) is a native Windows feature that pushes event logs from source computers to a single collector server.

Setup:

  1. Designate a Windows Server as the central log collector.
  2. Create a subscription on the collector specifying which events to pull.
  3. Use a GPO to point source machines (Domain Controllers) to the collector.

Focus on these high-value event IDs:

  • 4624: Successful account logon
  • 4625: Failed account logon
  • 4728: Member added to a security-enabled global group
  • 4732: Member added to a security-enabled local group
  • 4740: User account locked out
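
Once events are flowing to the collector, the same event IDs drive the alerting the post calls for on additions to Domain Admins. The script below is an added example, not code from the original post: it reads the collector's ForwardedEvents log (the WEF default; use Security to run it directly on a DC), parses the event XML, and reports additions to the watched groups. It also watches 4756 (member added to a security-enabled universal group), which is the event Enterprise Admins and Schema Admins generate, since those are universal rather than global groups.

```powershell
# Added example: report additions to high-value groups from WEF-forwarded events.
# Assumes the collector writes to ForwardedEvents and events carry the standard
# 4728/4732/4756 EventData fields (TargetUserName = group, MemberName = added principal).
$watchGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Get-PrivilegedGroupChange {
    param(
        [string]$LogName = 'ForwardedEvents',   # 'Security' when run locally on a DC
        [int]$Hours = 24
    )
    $filter = @{
        LogName   = $LogName
        Id        = 4728, 4732, 4756
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($watchGroups -contains $data['TargetUserName']) {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                EventId  = $_.Id
                Computer = $_.MachineName
                Group    = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Member   = $data['MemberName']      # DN of the principal that was added
                AddedBy  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            }
        }
    }
}

# Example run: last 24 hours of forwarded events, one row per watched-group addition.
Get-PrivilegedGroupChange | Format-Table -AutoSize
```

Schedule it (or wire the same filter into your SIEM) so a Domain Admins addition raises an alert between quarterly audits rather than being discovered at the next one.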

Mapping findings to NIST 800-171 and CMMC

Finding a vulnerability is one thing. Connecting it to the specific language of NIST 800-171 and CMMC is what transforms a technical finding into audit-ready evidence.

Example: your script flags a service account svc_legacyapp that has interactive logon rights. Map it:

  • Finding: svc_legacyapp can be used for interactive logon.
  • Risk: If compromised, the account enables lateral movement across systems.
  • Control: AC.L2-3.1.7 (Prevent Non-Privileged Users From Executing Privileged Functions).
  • Evidence: Raw output from the script showing the account’s permissions.
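
The "raw output" evidence for a finding like this comes from the GPO itself: interactive logon is a user right (SeInteractiveLogonRight, shown in the console as "Allow log on locally") stored in the GPO's GptTmpl.inf under SYSVOL. The script below is an added example, not code from the original post: it parses that template and resolves each granted SID to an account name. The GptTmpl.inf format and the SYSVOL path layout are standard; the sample template and its domain SID are constructed for illustration.

```powershell
# Added example: list who is granted "Allow log on locally" (SeInteractiveLogonRight)
# in a GPO security template. Sample template below is constructed; the second SID
# stands in for the svc_legacyapp account from the finding above.
function Get-InteractiveLogonGrants {
    param([string[]]$TemplateLines)
    $inSection = $false
    foreach ($line in $TemplateLines) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection) { continue }
        if ($line -notmatch '^SeInteractiveLogonRight\s*=\s*(.+)$') { continue }
        # Values are comma-separated SIDs prefixed with '*'; bare account names can also appear.
        foreach ($entry in ($Matches[1] -split ',')) {
            $id = $entry.Trim().TrimStart('*')
            try {
                $account = ([System.Security.Principal.SecurityIdentifier]$id).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { $account = $id }   # domain SIDs resolve only from a domain-joined host
            [pscustomobject]@{ Right = 'SeInteractiveLogonRight'; Identity = $id; Account = $account }
        }
    }
}

# Read the template of a live GPO straight from SYSVOL (needs the GroupPolicy module).
function Get-GpoTemplateLines {
    param([string]$GpoName)
    $gpo = Get-GPO -Name $GpoName
    $d = $gpo.DomainName
    Get-Content -Path "\\$d\SYSVOL\$d\Policies\{$($gpo.Id)}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
}

# Constructed sample so the parser runs without a domain.
$sample = @(
    '[Unicode]',
    'Unicode=yes',
    '[Privilege Rights]',
    'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105',
    'SeBackupPrivilege = *S-1-5-32-551'
)
Get-InteractiveLogonGrants -TemplateLines $sample | Format-Table -AutoSize
# Against the live GPO named in the remediation example later in this post:
# Get-InteractiveLogonGrants -TemplateLines (Get-GpoTemplateLines 'Default Domain Controllers Policy')
```

Save the table it prints with the GPO name and the date; that is the evidence line for the SSP entry, and re-running it after remediation shows the grant is gone.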

This turns a data point into a formal entry for your System Security Plan (SSP) and a clear item for your Plan of Action and Milestones (POA&M).

Common AD findings mapped to NIST controls

Finding | Risk | NIST 800-171 Control
------- | ---- | --------------------
Stale accounts (inactive 90+ days) | Unmonitored entry points for attackers. | AC.L2-3.1.6: Disable accounts after a defined period of inactivity.
Weak password policies | Increased risk of brute-force attacks. | IA.L2-3.5.7: Enforce minimum password complexity.
No logging for privileged group changes | Cannot detect unauthorized privilege escalation. | AU.L2-3.3.1: Create and retain audit records.
Service accounts with Password Never Expires | Static credential provides indefinite access if compromised. | IA.L2-3.5.8: Prohibit password reuse.

Prioritizing remediation

Not all findings are equal. Use a tiered approach based on real-world risk:

Tier 1: Critical (fix within 24 hours). Exposed privileged account credentials, active Kerberoasting vulnerabilities, any account in a high-level group with Password Never Expires enabled.

Tier 2: Serious (fix within 7-14 days). Missing audit logs for critical events, service accounts with interactive logon rights, overly permissive ACLs on CUI shares.

Tier 3: Medium (schedule within 30-60 days). Inactive accounts older than 90 days, weak legacy password policies, messy nested group memberships.

Structuring your audit report

Your report needs to work for both technical staff and leadership. Structure it as:

Executive summary. One page. Audit scope, overall risk level, top 3-5 critical findings and their business impact.

Detailed findings. For each finding: clear title, risk rating, description, evidence (script output or screenshots), and affected CMMC/NIST controls.

Recommended remediation. Step-by-step instructions. Not “fix permissions” but “Remove the Allow log on locally right from the svc-backup account via the Default Domain Controllers Policy GPO.”

Prioritized action plan (POA&M). Every finding assigned to an owner with a deadline. This becomes your working document for tracking progress and demonstrating to assessors that you are actively closing gaps. Sign up for early access to get a free CMMC Level 2 readiness checklist that can help you build out this action plan.

Audit frequency

The annual audit is not enough for CMMC. Plan for a comprehensive AD audit at least quarterly. Between quarterly reviews, set up automated alerting for high-risk activity: additions to Domain Admins, account lockouts, GPO modifications.

This combination of regular deep dives and continuous automated monitoring is what CMMC assessors expect to see.

Hybrid environments

If you run on-prem AD syncing to Azure AD (Microsoft Entra ID), your audit scope covers both. You need to audit:

  • Azure AD Connect configuration. What are you syncing? Is Password Hash Sync properly secured?
  • Conditional Access Policies. Are they enforcing MFA and blocking insecure authentication protocols?
  • Privileged roles in Azure AD. Global Administrator is the new Enterprise Admin. Audit it accordingly.
  • Guest (B2B) accounts. Review every guest account for necessity and minimum access.

A weak link in one environment is a doorway into the other. Treat on-prem AD and Azure AD as one extended security boundary.

Your AD is only half the compliance picture

Hardening Active Directory covers identity and access management. But your C3PAO will also assess the systems where CUI actually lives: email, file storage, and collaboration tools.

IRONKEEP bundles encrypted email, file storage, calendar, and contacts under one CMMC-compliant authorization boundary. Three layers of encryption, per-tenant key isolation, US-only data residency. Built by the team behind a CMMC environment at a major cloud provider.

If your AD audit is in good shape but your email is still on commercial Office 365 or Google Workspace, that is the gap your assessor will find next. Learn how IRONKEEP compares to GCC High, Google, and PreVeil.

Get early access

Be first in line when we launch. Founding member pricing and a free CMMC Level 2 readiness checklist included.