Directory Insights in 10 Minutes – Episode 1

Welcome to the very first episode of Directory Insights in 10 Minutes, brought to you by Guardians of the Directory.
This series cuts through the noise — no fluff, no filler — just real-world, actionable insights for securing Active Directory and Entra ID.

In this kickoff episode, Craig Birch reveals the #1 most overlooked AD misconfiguration — one that ships insecure by default, is present in nearly every environment, and continues to provide attackers with a clear path to domain dominance.

🔍 What You’ll Learn:

• Why the built-in Administrator account (RID 500) is vulnerable out of the box
• How attackers abuse Kerberos delegation to impersonate high-privilege accounts
• Why Microsoft’s guidance is buried in 2,000+ pages of documentation
• The one checkbox that shuts down this attack path instantly
• Why putting accounts in the Protected Users group isn’t enough

🛠️ Quick Fix:1️⃣ Open the RID 500 account properties
2️⃣ Under the Account tab, check:
    ✅ “Account is sensitive and cannot be delegated”
3️⃣ Apply this setting to all privileged accounts
4️⃣ Include this check in your AD hardening baseline✅ Quick Takeaways:

• The built-in Administrator account is a default privilege escalation path

• Kerberos delegation + RID 500 = full impersonation

• A single setting can eliminate this risk — but most admins miss it

• Make this part of your secure provisioning process for every admin account

💬 Join the Conversation:
Have you seen this in your AD environment? Drop us a comment. Let’s talk about closing one of the oldest open doors in AD.

📌 Powered by Guardians of the Directory