HomeNewsletterCommunityToolsArchiveBlogToday's NewsAboutQuick Links Subscribe free
← Back to Blog
Guides Active DirectoryDomain ControllerSecurityIntuneEntra IDPowerShell

Active Directory Domain Controller Hardening for Hybrid Environments

IA
Imran Awan
12 July 2026

Domain Controllers are the most critical servers in your environment. Compromise a DC and you own the entire domain — every user account, every device, every secret. Yet most organisations still run DCs with the same hardening posture they had in 2010, have never audited which accounts have DCSync rights, and allow domain admins to browse the web on their admin workstations.

This post covers the hardening actions that matter most for Active Directory Domain Controllers in 2026, how to verify them with PowerShell, and how Intune and Entra Connect fit into the hybrid model.

The DC attack surface in a hybrid environment

When you connect Active Directory to Entra ID via Entra Connect, the DC attack surface grows in two directions:

Note: Microsoft released Entra Connect 2.6.84.0 on 9 July 2026 with critical security fixes. If you are running any earlier version, upgrade as soon as possible. Check your current version with Get-ADSyncServerConfiguration from the Entra Connect server.

Step 1 — Audit who has DCSync rights

DCSync is the attack where a threat actor with replication rights against the domain can pull password hashes for any account — including krbtgt — without touching the DC directly. The rights are controlled by the ACL on the domain root object.

Legitimate accounts with these rights: Domain Controllers, Domain Admins, Enterprise Admins, Administrators. Anyone else is a finding.

PowerShell 7 — Audit DCSync rights on domain root
# Requires: ActiveDirectory module, domain admin or equivalent
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl "AD:\$domainDN"

# DCSync uses DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights
$dcSyncRights = $acl.Access | Where-Object {
    $_.ActiveDirectoryRights -match "ExtendedRight" -and
    $_.ObjectType -in @(
        "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", # DS-Replication-Get-Changes
        "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
    )
}

$dcSyncRights | Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize
$dcSyncRights | Export-Csv "C:\Logs\Intune\DCSync-Audit-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Expected output — clean domain
IdentityReference                   ActiveDirectoryRights    AccessControlType
-----------------                   ---------------------    -----------------
CONTOSO\Domain Controllers          ExtendedRight            Allow
CONTOSO\Domain Admins               ExtendedRight            Allow
CONTOSO\Enterprise Admins           ExtendedRight            Allow
NT AUTHORITY\ENTERPRISE DOMAIN C... ExtendedRight            Allow
Watch out: If you see any service account, user account, or group you do not recognise in this output, treat it as a potential compromise indicator and investigate immediately. DCSync access for any account outside of the four expected principals is a critical finding. Remove the ACE and investigate how it was added — check the Security event log on the PDC Emulator for Event ID 5136 (directory service object modification).

Step 2 — Protect privileged accounts with Protected Users

The Protected Users security group, introduced in Windows Server 2012 R2, forces a set of hardening controls onto any account added to it. These controls cannot be overridden by individual account settings or local policy — they are enforced by the DC at authentication time.

What Protected Users enforces:

PowerShell 7 — Add tier-0 admins to Protected Users
# Add your Domain Admins and Enterprise Admins to the Protected Users group
# Replace the samAccountNames with your actual admin accounts
$adminAccounts = @("da-awan", "da-smith", "krbtgt")

foreach ($acct in $adminAccounts) {
    Add-ADGroupMember -Identity "Protected Users" -Members $acct
    Write-Host "Added $acct to Protected Users" -ForegroundColor Green
}

# Verify membership
Get-ADGroupMember -Identity "Protected Users" | Select-Object Name, SamAccountName, ObjectClass
Gotcha: Do not add service accounts to Protected Users without testing first. NTLM is blocked for Protected Users members — any service that authenticates using NTLM (older IIS apps, SQL Server with NTLM auth, legacy file shares) will break immediately. Test in a non-production environment before applying to production admin accounts.

Step 3 — Enable Credential Guard via Intune

Credential Guard moves the LSASS process into a VBS (Virtualization Based Security) isolated container. Even if a threat actor gains SYSTEM on a workstation or member server, they cannot dump Kerberos tickets or NTLM hashes from memory because LSASS runs in a protected environment they cannot reach.

Intune OMA-URI (CSP)

OMA-URITypeValueEffect
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurityInteger1Enable VBS
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/RequirePlatformSecurityFeaturesInteger3Require Secure Boot + DMA Protection
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlagsInteger1Enable Credential Guard with UEFI lock

Group Policy equivalent

SettingPath
Turn on Virtualization Based SecurityComputer Configuration › Administrative Templates › System › Device Guard › Turn On Virtualization Based Security
Credential Guard configuration: Enabled with UEFI lockSame policy › Credential Guard Configuration dropdown
Tip: Credential Guard requires Secure Boot, UEFI firmware, 64-bit processor with virtualisation extensions (Intel VT-x or AMD-V), and TPM 2.0. All Windows 11 certified hardware meets these requirements. Check the System Information tool (msinfo32.exe) and look for "Virtualization-based security" = Running to confirm it is active after policy applies.

Step 4 — Verify DC security with a health check script

PowerShell 7 — DC Security Health Check
# Run on each Domain Controller — requires RSAT AD tools
$dc = $env:COMPUTERNAME
$results = @()

# Check 1: SMBv1 disabled
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
$results += [PSCustomObject]@{ Check = "SMBv1 disabled"; Pass = -not $smb1; Detail = if($smb1){"ENABLED — disable immediately"}else{"OK"} }

# Check 2: NTLMv1 disabled
$ntlmv1 = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa").LmCompatibilityLevel
$results += [PSCustomObject]@{ Check = "NTLMv1 disabled (LmCompatLevel=5)"; Pass = $ntlmv1 -ge 5; Detail = "Level: $ntlmv1" }

# Check 3: Protected Users group has members
$pu = (Get-ADGroupMember "Protected Users" -ErrorAction SilentlyContinue).Count
$results += [PSCustomObject]@{ Check = "Protected Users populated"; Pass = $pu -gt 0; Detail = "$pu members" }

# Check 4: SYSVOL/NETLOGON using DFS-R (not FRS)
$dfsr = Get-WmiObject -Namespace "root\microsoftdfs" -Class DfsrReplicatedFolderInfo -ErrorAction SilentlyContinue
$results += [PSCustomObject]@{ Check = "SYSVOL using DFS-R"; Pass = $null -ne $dfsr; Detail = if($dfsr){"DFS-R OK"}else{"May still be on FRS"} }

$results | Format-Table -AutoSize
$results | Export-Csv "C:\Logs\Intune\DC-HealthCheck-$dc-$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Output — hardened DC
Check                              Pass  Detail
-----                              ----  ------
SMBv1 disabled                     True  OK
NTLMv1 disabled (LmCompatLevel=5)  True  Level: 5
Protected Users populated          True  8 members
SYSVOL using DFS-R                 True  DFS-R OK

Step 5 — Check for Event ID 4769 Kerberoasting attempts

Kerberoasting is the attack where a domain user requests a Kerberos service ticket for a service principal name (SPN) and then cracks the RC4-encrypted ticket offline. The tell is Event ID 4769 with ticket encryption type 0x17 (RC4-HMAC) — a strong indicator that an attacker is requesting tickets to crack.

⚠ Event ID 4769 — Security — Domain Controller
Source: Microsoft-Windows-Security-Auditing
Event ID: 4769 — A Kerberos service ticket was requested
Target Service Name: MSSQLSvc/sqlserver.contoso.local:1433
Account Name: j.smith@CONTOSO.LOCAL
Ticket Encryption Type: 0x17 (RC4-HMAC) ⚠
Client Address: 10.10.5.42
PowerShell 7 — Detect RC4 Kerberos ticket requests (Kerberoasting)
# Run on the PDC Emulator DC — searches last 24 hours of Security log
$since = (Get-Date).AddHours(-24)

Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4769
    StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object {
    $_.Properties[6].Value -eq "0x17"  # 0x17 = RC4-HMAC encryption type
} | Select-Object TimeCreated,
    @{N='Account';E={$_.Properties[0].Value}},
    @{N='ServiceName';E={$_.Properties[2].Value}},
    @{N='ClientIP';E={$_.Properties[9].Value}} |
    Format-Table -AutoSize
Watch out: Mitigation is to configure service accounts to support AES256 Kerberos encryption and remove RC4 support. Set msDS-SupportedEncryptionTypes = 24 (0x18 = AES128 + AES256) on all service accounts that have SPNs. After setting this, force a password reset on the service account so the new encryption types take effect. Test the service thoroughly before doing this in production.

Entra Connect hardening in hybrid environments

The Entra Connect server is a tier-0 asset — treat it exactly like a Domain Controller. An attacker with local admin on the Entra Connect server can extract the AAD Connector account credentials and use them to synchronise malicious accounts or read password hashes.

Tip: Use the Staging Mode feature to run a second passive Entra Connect server. In staging mode the server reads AD and Entra but does not write — it is ready to promote immediately if the active server fails, without the delay of a fresh Entra Connect installation.

References

Share this post
LinkedIn X / Twitter Reddit Bluesky

More from EndpointWeekly

Guides
Windows 365 for Agents: A Secured Cloud PC Execution Environment…
AI agents running on user workstations create unacceptable blast radius and auditability…
Guides
Top 20 PowerShell Commands Every Intune & Azure Engineer Needs
PowerShell is not optional for Intune and Azure engineers. Here are the 20 commands you…
Guides
Microsoft Intune Complete Roadmap: Beginner to Advanced (All 12…
A structured 12-chapter roadmap covering everything in Microsoft Intune — from…