Domain Controllers are the most critical servers in your environment. Compromise a DC and you own the entire domain — every user account, every device, every secret. Yet most organisations still run DCs with the same hardening posture they had in 2010, have never audited which accounts have DCSync rights, and allow domain admins to browse the web on their admin workstations.
This post covers the hardening actions that matter most for Active Directory Domain Controllers in 2026, how to verify them with PowerShell, and how Intune and Entra Connect fit into the hybrid model.
The DC attack surface in a hybrid environment
When you connect Active Directory to Entra ID via Entra Connect, the DC attack surface grows in two directions:
- From on-premises: Pass-the-hash, DCSync, Kerberoasting, Golden Ticket attacks — all require either domain-joined machine access or domain user credentials that are weak or over-privileged.
- From the cloud: If Entra Connect Sync is configured with password hash sync or pass-through authentication, an attacker who compromises the Entra Connect server gains the ability to authenticate as any on-prem user against cloud services.
Get-ADSyncServerConfiguration from the Entra Connect server.Step 1 — Audit who has DCSync rights
DCSync is the attack where a threat actor with replication rights against the domain can pull password hashes for any account — including krbtgt — without touching the DC directly. The rights are controlled by the ACL on the domain root object.
Legitimate accounts with these rights: Domain Controllers, Domain Admins, Enterprise Admins, Administrators. Anyone else is a finding.
# Requires: ActiveDirectory module, domain admin or equivalent Import-Module ActiveDirectory $domainDN = (Get-ADDomain).DistinguishedName $acl = Get-Acl "AD:\$domainDN" # DCSync uses DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights $dcSyncRights = $acl.Access | Where-Object { $_.ActiveDirectoryRights -match "ExtendedRight" -and $_.ObjectType -in @( "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", # DS-Replication-Get-Changes "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" # DS-Replication-Get-Changes-All ) } $dcSyncRights | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType | Format-Table -AutoSize $dcSyncRights | Export-Csv "C:\Logs\Intune\DCSync-Audit-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
IdentityReference ActiveDirectoryRights AccessControlType
----------------- --------------------- -----------------
CONTOSO\Domain Controllers ExtendedRight Allow
CONTOSO\Domain Admins ExtendedRight Allow
CONTOSO\Enterprise Admins ExtendedRight Allow
NT AUTHORITY\ENTERPRISE DOMAIN C... ExtendedRight AllowStep 2 — Protect privileged accounts with Protected Users
The Protected Users security group, introduced in Windows Server 2012 R2, forces a set of hardening controls onto any account added to it. These controls cannot be overridden by individual account settings or local policy — they are enforced by the DC at authentication time.
What Protected Users enforces:
- No NTLM authentication — only Kerberos
- No Kerberos delegation (constrained or unconstrained)
- No DES or RC4 Kerberos encryption — only AES128 or AES256
- Kerberos TGT lifetime capped at 4 hours (regardless of account policy)
- Credentials are never cached in LSA memory on workstations or member servers
# Add your Domain Admins and Enterprise Admins to the Protected Users group # Replace the samAccountNames with your actual admin accounts $adminAccounts = @("da-awan", "da-smith", "krbtgt") foreach ($acct in $adminAccounts) { Add-ADGroupMember -Identity "Protected Users" -Members $acct Write-Host "Added $acct to Protected Users" -ForegroundColor Green } # Verify membership Get-ADGroupMember -Identity "Protected Users" | Select-Object Name, SamAccountName, ObjectClass
Step 3 — Enable Credential Guard via Intune
Credential Guard moves the LSASS process into a VBS (Virtualization Based Security) isolated container. Even if a threat actor gains SYSTEM on a workstation or member server, they cannot dump Kerberos tickets or NTLM hashes from memory because LSASS runs in a protected environment they cannot reach.
Intune OMA-URI (CSP)
| OMA-URI | Type | Value | Effect |
|---|---|---|---|
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity | Integer | 1 | Enable VBS |
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/RequirePlatformSecurityFeatures | Integer | 3 | Require Secure Boot + DMA Protection |
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags | Integer | 1 | Enable Credential Guard with UEFI lock |
Group Policy equivalent
| Setting | Path |
|---|---|
| Turn on Virtualization Based Security | Computer Configuration › Administrative Templates › System › Device Guard › Turn On Virtualization Based Security |
| Credential Guard configuration: Enabled with UEFI lock | Same policy › Credential Guard Configuration dropdown |
msinfo32.exe) and look for "Virtualization-based security" = Running to confirm it is active after policy applies.Step 4 — Verify DC security with a health check script
# Run on each Domain Controller — requires RSAT AD tools $dc = $env:COMPUTERNAME $results = @() # Check 1: SMBv1 disabled $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol $results += [PSCustomObject]@{ Check = "SMBv1 disabled"; Pass = -not $smb1; Detail = if($smb1){"ENABLED — disable immediately"}else{"OK"} } # Check 2: NTLMv1 disabled $ntlmv1 = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa").LmCompatibilityLevel $results += [PSCustomObject]@{ Check = "NTLMv1 disabled (LmCompatLevel=5)"; Pass = $ntlmv1 -ge 5; Detail = "Level: $ntlmv1" } # Check 3: Protected Users group has members $pu = (Get-ADGroupMember "Protected Users" -ErrorAction SilentlyContinue).Count $results += [PSCustomObject]@{ Check = "Protected Users populated"; Pass = $pu -gt 0; Detail = "$pu members" } # Check 4: SYSVOL/NETLOGON using DFS-R (not FRS) $dfsr = Get-WmiObject -Namespace "root\microsoftdfs" -Class DfsrReplicatedFolderInfo -ErrorAction SilentlyContinue $results += [PSCustomObject]@{ Check = "SYSVOL using DFS-R"; Pass = $null -ne $dfsr; Detail = if($dfsr){"DFS-R OK"}else{"May still be on FRS"} } $results | Format-Table -AutoSize $results | Export-Csv "C:\Logs\Intune\DC-HealthCheck-$dc-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Check Pass Detail
----- ---- ------
SMBv1 disabled True OK
NTLMv1 disabled (LmCompatLevel=5) True Level: 5
Protected Users populated True 8 members
SYSVOL using DFS-R True DFS-R OKStep 5 — Check for Event ID 4769 Kerberoasting attempts
Kerberoasting is the attack where a domain user requests a Kerberos service ticket for a service principal name (SPN) and then cracks the RC4-encrypted ticket offline. The tell is Event ID 4769 with ticket encryption type 0x17 (RC4-HMAC) — a strong indicator that an attacker is requesting tickets to crack.
# Run on the PDC Emulator DC — searches last 24 hours of Security log $since = (Get-Date).AddHours(-24) Get-WinEvent -FilterHashtable @{ LogName = 'Security' Id = 4769 StartTime = $since } -ErrorAction SilentlyContinue | Where-Object { $_.Properties[6].Value -eq "0x17" # 0x17 = RC4-HMAC encryption type } | Select-Object TimeCreated, @{N='Account';E={$_.Properties[0].Value}}, @{N='ServiceName';E={$_.Properties[2].Value}}, @{N='ClientIP';E={$_.Properties[9].Value}} | Format-Table -AutoSize
msDS-SupportedEncryptionTypes = 24 (0x18 = AES128 + AES256) on all service accounts that have SPNs. After setting this, force a password reset on the service account so the new encryption types take effect. Test the service thoroughly before doing this in production.Entra Connect hardening in hybrid environments
The Entra Connect server is a tier-0 asset — treat it exactly like a Domain Controller. An attacker with local admin on the Entra Connect server can extract the AAD Connector account credentials and use them to synchronise malicious accounts or read password hashes.
- Do not domain-join the Entra Connect server to the same domain it is syncing — use a separate management forest or a stand-alone server where possible
- Enable Seamless SSO only if required — it creates the AZUREADSSOACC computer account in AD which is a high-value target
- Upgrade to Entra Connect 2.6.84.0 immediately (July 2026 security release)
- Enable the Entra Connect Health agent for monitoring