A recurring AD audit workflow should mean more than rerunning the same checklist once a year. Active Directory is a living control plane: privileged group membership changes, ACLs drift, GPOs are edited, certificate templates evolve, and logging coverage degrades over time. A yearly point-in-time review is still useful, but it says nothing about whether the directory stayed safe during the week that followed. The better model is recurring: remeasure the same high-value controls on a fixed cadence, investigate new drift quickly, and use every rerun to verify remediation instead of waiting for the next consultancy cycle.
This matters because the directory is designed to change. Microsoft documents dedicated events for membership changes to security groups, for directory object modifications, and for domain policy changes. ANSSI's 2023 guidance for environments that rely on Microsoft Active Directory centers secure administration and segmentation, while ANSSI's Active Directory logging guidance covers the collection and monitoring side. Together they support a recurring review model better than a one-off report that sits on a shelf. In practice, the organizations that keep AD healthier are the ones that repeatedly review the same control families and treat posture drift as an operations problem, not an annual procurement event.
What a Recurring AD Audit Workflow Actually Covers
A recurring AD audit workflow is not the same thing as a SIEM, and it is not the same thing as a pentest. It sits between one-time review and full event-driven detection. The goal is to re-evaluate the structural security state of the directory on a schedule that matches how often the environment changes.
In Active Directory, that means re-checking at least four layers:
- privileged identities and group membership;
- delegated rights and dangerous ACL paths;
- domain and domain controller security settings;
- monitoring and recovery controls that determine whether you can detect or survive the next incident.
That scope is broader than a narrow "hardening audit" and narrower than continuous endpoint telemetry. It is about repeated measurement of the attack surface that keeps producing real compromise paths in AD environments: replication rights, Kerberos delegation, weak LDAP posture, local admin password reuse, stale privileged accounts, certificate abuse paths, and blind spots in audit policy.
Why Point-in-Time AD Audits Drift Quickly
This is not marketing language. It is a property of how Windows and AD actually work.
Microsoft documents that security group management produces dedicated audit events when members are added or removed. The same auditing reference documents directory object modification events and domain policy change events. That alone is enough to show why a PDF exported once a year cannot represent the state of the directory for long: the objects that define privilege and exposure are expected to change.
Some of the most important drift points are operational, not theoretical:
- a user gets added to a sensitive group for a project and is never removed;
- a service account receives a new SPN or an over-broad delegation entry;
- a GPO or default policy is edited to solve a short-term problem and never reverted;
- LDAP signing or channel binding enforcement remains weaker than intended because a legacy client blocked the rollout;
- LAPS coverage drops because new servers land outside the managed OU or a new image was deployed without the right policy;
- AD CS templates or PKI ACLs change during certificate rollout work;
- old administrative accounts stay enabled because nobody reran the same privileged-account review after the original audit.
This is why the argument against annual-only reviews is simple: a point-in-time audit captures the directory on the day of collection. It does not tell you whether the same high-value controls still hold after staff changes, projects, migrations, acquisitions, PKI work, GPO edits, or emergency privilege grants.
The Control Families Worth Rechecking Every Cycle
The right recurring workflow does not re-review everything with the same urgency. It rechecks the controls that age badly.
1. Privileged groups and stale admin accounts
If privileged membership is one of the most common ways security posture drifts, it should be one of the first things you remeasure. Microsoft recommends enabling success auditing for security group management specifically to see group creation, changes, deletions, and new group members. That matters because the practical risk is rarely "Domain Admins was always wide open." It is more often "membership changed, nobody noticed, and the exception became normal."
Recurring review here should answer:
- who currently holds direct or indirect privileged membership;
- which privileged accounts are stale or rarely used;
- whether built-in administrative accounts are being used for daily work;
- whether privileged users are outside additional protection controls such as Protected Users or stronger authentication patterns.
This is the sort of review where Stale Privileged Accounts: Hidden Risk in Active Directory becomes operational, not theoretical.
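The review questions above are easy to answer once and hard to keep answering. The following PowerShell is an added example (not EtcSec's or Microsoft's code) that does the recurring part: it resolves direct and nested membership of a set of high-value groups, flags stale, disabled, built-in and unprotected admins, writes a JSON snapshot, and diffs that snapshot against the previous run so each cycle reports what changed rather than only what exists. It assumes the RSAT ActiveDirectory module and a read-only domain account; the snapshot directory, the 90-day staleness threshold and the group list are illustrative values.

```powershell
# Added example, not EtcSec or Microsoft code. Snapshots recursive membership of
# high-value groups, flags stale or unprotected admins, and diffs the result
# against the previous snapshot so each rerun reports drift, not just state.
# Assumptions: RSAT ActiveDirectory module, a read-only domain account;
# $SnapshotDir, $StaleDays and $Groups are illustrative values.
Import-Module ActiveDirectory

$SnapshotDir = 'C:\ADAudit\snapshots'
$StaleDays   = 90
$Groups = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators',
          'Account Operators','Backup Operators','Server Operators','Print Operators',
          'DnsAdmins','Group Policy Creator Owners'

# SIDs of everyone currently in Protected Users, so admins outside it can be flagged
$protected = @{}
Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
    ForEach-Object { $protected[$_.SID.Value] = $true }

$rows = foreach ($g in $Groups) {
    $grp = Get-ADGroup -Filter "name -eq '$g'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }     # e.g. DnsAdmins only exists with AD-integrated DNS
    # -Recursive flattens nested groups, so indirect members are included
    foreach ($m in Get-ADGroupMember -Identity $grp -Recursive) {
        if ($m.objectClass -ne 'user') {
            [pscustomobject]@{ Group=$g; Member=$m.SamAccountName; Type=$m.objectClass
                               Enabled=$null; DaysSinceLogon=$null; Flags='non-user member' }
            continue
        }
        $u = Get-ADUser -Identity $m.SID.Value -Properties lastLogonTimestamp
        # lastLogonTimestamp replicates but is only refreshed about every 14 days;
        # that is precise enough for a "stale" verdict
        $last = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) }
        $days = if ($last) { [int]((Get-Date) - $last).TotalDays }
        $flags = @()
        if ($null -eq $days -or $days -gt $StaleDays)  { $flags += 'stale' }
        if (-not $u.Enabled)                           { $flags += 'disabled-but-still-member' }
        if ($u.SID.Value -like '*-500')                { $flags += 'built-in-Administrator' }
        if (-not $protected.ContainsKey($u.SID.Value)) { $flags += 'not-in-Protected-Users' }
        [pscustomobject]@{ Group=$g; Member=$u.SamAccountName; Type='user'; Enabled=$u.Enabled
                           DaysSinceLogon=$days; Flags=($flags -join ',') }
    }
}

# Persist this run and compare it with the most recent earlier snapshot
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
$previous = Get-ChildItem -Path $SnapshotDir -Filter 'privileged-*.json' |
            Sort-Object LastWriteTime | Select-Object -Last 1
$current  = Join-Path $SnapshotDir ('privileged-{0:yyyyMMdd-HHmm}.json' -f (Get-Date))
ConvertTo-Json -InputObject @($rows) -Depth 3 | Set-Content -Path $current -Encoding UTF8

if ($previous) {
    $old     = @(Get-Content -Path $previous.FullName -Raw | ConvertFrom-Json)
    $oldKeys = @($old  | ForEach-Object { "$($_.Group)\$($_.Member)" })
    $newKeys = @($rows | ForEach-Object { "$($_.Group)\$($_.Member)" })
    "Added since $($previous.Name):   $(($newKeys | Where-Object { $_ -notin $oldKeys }) -join ', ')"
    "Removed since $($previous.Name): $(($oldKeys | Where-Object { $_ -notin $newKeys }) -join ', ')"
}
$rows | Where-Object Flags | Sort-Object Group, Member | Format-Table -AutoSize
```

Schedule it weekly and the "added since" line is the privilege-drift signal the cadence table below asks for; an account that was added for a project and never removed shows up in the first diff and keeps showing up as "stale" once it stops logging on.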
2. Dangerous ACLs, replication rights, and control paths
A directory can look healthy at the group layer while still exposing takeover paths through ACLs. Replication rights, WriteDACL, WriteOwner, GenericAll, self-membership rights, and AdminSDHolder changes are the kinds of issues that should not wait for next year's review.
Microsoft documents the AdminSDHolder mechanism: the SDProp process periodically copies the security descriptor of AdminSDHolder onto protected accounts and groups, so a change to that one object propagates to every protected principal. That makes it exactly the kind of control plane object that deserves repeated scrutiny. If a dangerous right lands on AdminSDHolder or on a sensitive object and persists there for months, the fact that you once had a clean audit becomes irrelevant.
Recurring review here should focus on:
- DCSync-capable principals and replication rights outside expected DC scope;
- dangerous write rights on privileged users, groups, OUs, GPOs, and computers;
- AdminSDHolder deviations and other persistence-friendly ACL changes;
- certificate-related escalation paths where AD CS is present.
That is also why ACL Abuse and DCSync: The Silent Paths to Domain Admin should not be treated as a one-time readout item.
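As an added example (not EtcSec's or Microsoft's code), the script below reads the security descriptor of the domain head and of AdminSDHolder through the AD: drive and reports every principal that holds replication rights (the DCSync primitive) or a control right (GenericAll, WriteDacl, WriteOwner, GenericWrite, write-all-properties) and is not on an expected allow-list. The replication-right GUIDs are the schema's extended-rights GUIDs; the allow-list is an assumption you must adjust for your forest.

```powershell
# Added example, not EtcSec or Microsoft code. Reports principals holding replication
# rights on the domain head (DCSync) or control rights on AdminSDHolder that are not
# on an expected allow-list. Assumptions: RSAT ActiveDirectory module (provides the
# AD: drive); $Expected is a starting point, adjust it for RODCs, Azure AD Connect
# (MSOL_ accounts) and backup tooling that legitimately hold these rights.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$nb       = $domain.NetBIOSName
$domainDN = $domain.DistinguishedName

# Extended-rights GUIDs for replication, as defined in the AD schema
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$AllGuid  = '00000000-0000-0000-0000-000000000000'   # empty ObjectType = every right/property
$Expected = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
              'BUILTIN\Administrators', "$nb\Domain Controllers", "$nb\Domain Admins",
              "$nb\Enterprise Admins", "$nb\Enterprise Read-only Domain Controllers")

function Test-Flag([System.DirectoryServices.ActiveDirectoryRights]$Rights, [string]$Flag) {
    $f = [System.DirectoryServices.ActiveDirectoryRights]$Flag
    # parentheses matter: -eq binds tighter than -band in PowerShell
    return (([int]$Rights -band [int]$f) -eq [int]$f)
}

# 1. DCSync-capable principals on the domain root
$domainAcl = Get-Acl -Path "AD:\$domainDN"
$dcsync = foreach ($ace in $domainAcl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $id   = $ace.IdentityReference.Value
    $guid = $ace.ObjectType.ToString()
    $why  = $null
    if ($ReplRights.ContainsKey($guid)) { $why = $ReplRights[$guid] }
    elseif ((Test-Flag $ace.ActiveDirectoryRights 'ExtendedRight') -and $guid -eq $AllGuid) { $why = 'all extended rights' }
    elseif (Test-Flag $ace.ActiveDirectoryRights 'GenericAll') { $why = 'GenericAll' }
    if ($why -and $id -notin $Expected) {
        [pscustomobject]@{ Object='domain root'; Identity=$id; Right=$why; Inherited=$ace.IsInherited }
    }
}

# 2. Control rights on AdminSDHolder; SDProp stamps this descriptor onto protected accounts
$sdhAcl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN"
$sdh = foreach ($ace in $sdhAcl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $id  = $ace.IdentityReference.Value
    $hit = @(foreach ($r in 'GenericAll','WriteDacl','WriteOwner','GenericWrite') {
        if (Test-Flag $ace.ActiveDirectoryRights $r) { $r }
    })
    # WriteProperty with an empty ObjectType means "write every attribute"
    if ((Test-Flag $ace.ActiveDirectoryRights 'WriteProperty') -and $ace.ObjectType.ToString() -eq $AllGuid) {
        $hit += 'WriteProperty(all)'
    }
    if ($hit.Count -gt 0 -and $id -notin $Expected) {
        [pscustomobject]@{ Object='AdminSDHolder'; Identity=$id; Right=($hit -join ','); Inherited=$ace.IsInherited }
    }
}

@($dcsync) + @($sdh) | Format-Table -AutoSize
```

The output names groups, not people; resolving who is actually inside a reported group is the job of the membership snapshot from the previous section. Everything that appears here once (an Exchange permissions group, a directory-sync account) should be moved to the allow-list deliberately, so that the next run only shows what is new.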
3. Kerberos delegation, shadow credentials, and certificate abuse
Some AD exposures are not noisy until they are exploited. Kerberos delegation settings, msDS-KeyCredentialLink, certificate mappings, and certificate template rights are classic examples. If you only review them during a yearly assessment, you are accepting long dwell time for the next misconfiguration.
These controls deserve recurring validation because they are sensitive to change:
- unconstrained, constrained, and resource-based constrained delegation;
- shadow credential exposure through msDS-KeyCredentialLink;
- weak certificate mapping or risky AD CS templates;
- new certificate abuse chains introduced by template or CA configuration drift.
Relevant deep dives already exist in Kerberos Delegation Attacks: From Unconstrained to RBCD Abuse, Shadow Credentials: Abusing msDS-KeyCredentialLink in Active Directory, Weak Certificate Mapping in AD CS: Why Strong Binding Matters, and ADCS Certificate Attacks: How ESC1 to ESC8 Lead to Domain Admin.
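Each of the conditions in the list above is a single LDAP query, which is what makes them cheap to rerun. The script below is an added example (not EtcSec's or Microsoft's code) that collects them in one pass as an ordinary domain user with the RSAT ActiveDirectory module: unconstrained and constrained delegation, RBCD, populated msDS-KeyCredentialLink, Kerberoastable and AS-REP-roastable users, and certificate templates whose flags and EKUs make them ESC1 candidates. The finding names are this example's own labels, not catalog identifiers, and the template check is deliberately a candidate filter: enrollment ACLs and CA publication still have to be confirmed before calling a template ESC1.

```powershell
# Added example, not EtcSec or Microsoft code: LDAP queries for the delegation,
# shadow-credential, roasting and certificate-template conditions this section lists.
# Runs as an ordinary domain user with the RSAT ActiveDirectory module. Finding names
# are this example's own labels, not catalog identifiers.
Import-Module ActiveDirectory

$UAC_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
$UAC_DONT_REQ_PREAUTH               = 0x400000   # Kerberos pre-authentication not required
$BitAnd = '1.2.840.113556.1.4.803'               # LDAP_MATCHING_RULE_BIT_AND
$NotDC  = '(!(primaryGroupID=516))(!(primaryGroupID=521))'   # skip DCs and RODCs

function New-Finding([string]$Id, $Obj, [string]$Detail = '') {
    [pscustomobject]@{ Finding = $Id; Object = $Obj.DistinguishedName; Detail = $Detail }
}

$findings = @()

# Unconstrained delegation on anything that is not a domain controller
$findings += Get-ADObject -LDAPFilter "(&(userAccountControl:${BitAnd}:=$UAC_TRUSTED_FOR_DELEGATION)$NotDC)" |
    ForEach-Object { New-Finding 'UNCONSTRAINED_DELEGATION' $_ }

# Constrained delegation; protocol transition lets the service impersonate without a user ticket
$findings += Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo, userAccountControl |
    ForEach-Object {
        $pt = if ($_.userAccountControl -band $UAC_TRUSTED_TO_AUTH_FOR_DELEGATION) { 'protocol transition; ' } else { '' }
        New-Finding 'CONSTRAINED_DELEGATION' $_ ($pt + ($_.'msDS-AllowedToDelegateTo' -join ' '))
    }

# Resource-based constrained delegation: the target object names who may act on its behalf
$findings += Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties msDS-AllowedToActOnBehalfOfOtherIdentity |
    ForEach-Object {
        $sd  = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        $who = if ($sd -is [System.DirectoryServices.ActiveDirectorySecurity]) { $sd.Access.IdentityReference.Value -join ', ' } else { 'raw security descriptor' }
        New-Finding 'RBCD_CONFIGURED' $_ $who
    }

# Shadow credentials: every populated msDS-KeyCredentialLink needs an owner and a reason
$findings += Get-ADObject -LDAPFilter '(msDS-KeyCredentialLink=*)' -Properties msDS-KeyCredentialLink |
    ForEach-Object { New-Finding 'KEY_CREDENTIAL_LINK_SET' $_ "$(@($_.'msDS-KeyCredentialLink').Count) key(s)" }

# Kerberoasting: user objects with SPNs (krbtgt excluded); AS-REP roasting: pre-auth disabled
$findings += Get-ADObject -LDAPFilter '(&(objectCategory=person)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' -Properties servicePrincipalName |
    ForEach-Object { New-Finding 'KERBEROASTABLE_USER' $_ ($_.servicePrincipalName -join ' ') }
$findings += Get-ADObject -LDAPFilter "(&(objectCategory=person)(userAccountControl:${BitAnd}:=$UAC_DONT_REQ_PREAUTH))" |
    ForEach-Object { New-Finding 'ASREP_ROASTABLE_USER' $_ }

# ESC1-style template candidates: requester supplies the subject, no manager approval,
# no authorized signatures, and an EKU usable for authentication (or no EKU at all).
# Enrollment ACLs and CA publication must still be checked before calling this ESC1.
$cfgNC   = (Get-ADRootDSE).configurationNamingContext
$AuthEku = '1.3.6.1.5.5.7.3.2', '1.3.6.1.5.2.3.4', '1.3.6.1.4.1.311.20.2.2', '2.5.29.37.0'
$findings += Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC" `
        -LDAPFilter '(objectClass=pKICertificateTemplate)' `
        -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage |
    ForEach-Object {
        $eku      = @($_.pKIExtendedKeyUsage)
        $supplies = ($_.'msPKI-Certificate-Name-Flag' -band 1) -ne 0   # CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
        $approval = ($_.'msPKI-Enrollment-Flag' -band 2) -ne 0         # CT_FLAG_PEND_ALL_REQUESTS
        $authEku  = ($eku.Count -eq 0) -or [bool]($eku | Where-Object { $_ -in $AuthEku })
        if ($supplies -and -not $approval -and [int]$_.'msPKI-RA-Signature' -eq 0 -and $authEku) {
            New-Finding 'ADCS_TEMPLATE_ESC1_CANDIDATE' $_ ($eku -join ' ')
        }
    }

$findings | Sort-Object Finding, Object | Format-Table -AutoSize
```

None of these queries needs more than read access, which is the point: a low-privilege scheduled account can rerun them monthly, and the objects that appear between two runs are exactly the service rollouts and admin exceptions the section describes.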
4. Domain controller security posture and logging coverage
A recurring workflow also has to re-check whether the environment is still able to observe the next incident. Microsoft documents WEF as a way to forward selected events to a collector and explicitly notes that WEF is passive: it cannot create the events for you. If event generation, audit categories, log sizes, or PowerShell logging drift out of policy, your visibility degrades even if your previous audit was correct when it was run.
That means recurring review should include:
- audit policy coverage on domain controllers;
- security log sizing and retention choices;
- PowerShell logging coverage;
- LDAP signing and channel binding enforcement;
- SMB signing requirements on DCs;
- WEF or other central collection coverage for the events you actually depend on.
This is the practical bridge between Active Directory Monitoring: Security Event IDs That Matter and an audit workflow that remains useful after the first report.
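The logging and signing controls listed above are all readable from the DC itself, so they can be remeasured without touching the directory. The script below is an added example (not EtcSec's or Microsoft's code) that runs elevated on a domain controller (or under Invoke-Command against every DC) and compares the LDAP signing and channel binding values, SMB signing, PowerShell logging, WEF subscription manager presence, Security log size and a set of audit subcategories against a hardened target. The expected values encode a "require" posture and are assumptions to align with your own baseline; a missing registry value is reported as drift because it means the OS default, not the hardened setting, is in effect.

```powershell
# Added example, not EtcSec or Microsoft code. Checks, on the domain controller it runs
# on, the registry-backed settings and audit subcategories this section names plus the
# Security log configuration. Run elevated on each DC, or wrap it in Invoke-Command.
# Expected values are assumptions that encode a "require" posture; an absent registry
# value means the OS default applies, which is reported as drift.

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$NTDS   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$LanMan = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$PSPol  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$WEF    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'

$results = @(
    @{ Check='LDAP server signing: require signing';    Expected=2; Actual=Get-RegValue $NTDS 'LDAPServerIntegrity' }
    @{ Check='LDAP channel binding: always';            Expected=2; Actual=Get-RegValue $NTDS 'LdapEnforceChannelBinding' }
    @{ Check='SMB server signing: required';            Expected=1; Actual=Get-RegValue $LanMan 'RequireSecuritySignature' }
    @{ Check='PowerShell script block logging';         Expected=1; Actual=Get-RegValue "$PSPol\ScriptBlockLogging" 'EnableScriptBlockLogging' }
    @{ Check='PowerShell module logging';               Expected=1; Actual=Get-RegValue "$PSPol\ModuleLogging" 'EnableModuleLogging' }
    @{ Check='WEF subscription manager configured';     Expected=1; Actual=[int]($null -ne (Get-RegValue $WEF '1')) }
)

# Security log sizing: 1 GB is an assumed floor for a DC, not a Microsoft figure
$sec = Get-WinEvent -ListLog Security
$results += @{ Check='Security log maximum size >= 1 GB'; Expected=1; Actual=[int]($sec.MaximumSizeInBytes -ge 1GB) }

# auditpol /r emits CSV; "Inclusion Setting" is "Success and Failure", "Success",
# "Failure" or "No Auditing". Subcategory names are localized, English assumed here.
$audit = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
$MustAuditSuccess = 'Security Group Management','User Account Management','Computer Account Management',
                    'Directory Service Changes','Audit Policy Change','Authentication Policy Change',
                    'Logon','Special Logon','Credential Validation',
                    'Kerberos Authentication Service','Kerberos Service Ticket Operations'
foreach ($sub in $MustAuditSuccess) {
    $row     = $audit | Where-Object { $_.Subcategory -eq $sub }
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'missing' }
    $results += @{ Check="Audit '$sub' includes Success"; Expected=1; Actual=[int]($setting -like '*Success*') }
}

$results | ForEach-Object {
    [pscustomobject]@{ Check=$_.Check; Expected=$_.Expected; Actual=$_.Actual
                       Status = if ($_.Actual -eq $_.Expected) { 'OK' } else { 'DRIFT' } }
} | Format-Table -AutoSize
```

Because WEF is passive, the last two groups of checks belong together: a subscription manager that points at a collector does nothing for a subcategory that has quietly fallen back to "No Auditing" after a GPO edit, and the table makes that pairing visible on every run.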
5. Local admin password hygiene and workstation/server rollout drift
Some findings are not "broken forever" findings. They reappear because infrastructure changes faster than standards rollout. Windows LAPS is a good example. Microsoft documents Windows LAPS as a Windows feature that automatically manages and backs up the password of a local administrator account. But the existence of the feature does not mean your whole estate is covered today.
Recurring review should therefore verify:
- whether LAPS is actually deployed broadly enough;
- whether new systems land inside the managed scope;
- whether privileged local password exposure is still readable too broadly;
- whether unmanaged systems are reintroducing pass-the-hash style lateral movement risk.
That is the operating model behind Windows LAPS Not Deployed: Why Shared Local Admin Passwords Still Matter.
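Coverage is a ratio, and the denominator matters: counting every computer object ever created hides the gap, counting only machines that still authenticate shows it. The script below is an added example (not EtcSec's or Microsoft's code) that detects which LAPS schema is present, measures per-OU coverage for enabled, recently active, non-DC computers by checking whether the password-expiration attribute has ever been written, lists the unmanaged machines, and, where the Windows LAPS PowerShell module is installed, asks Find-LapsADExtendedRights who can read the password attributes on those OUs. It assumes the RSAT ActiveDirectory module; the 45-day activity window is an illustrative value.

```powershell
# Added example, not EtcSec or Microsoft code. Measures Windows LAPS (or legacy LAPS)
# coverage per OU for enabled, recently active, non-DC computers and lists who can
# read the password attributes on each OU. Assumes the RSAT ActiveDirectory module;
# the reader check uses Find-LapsADExtendedRights from the Windows LAPS module when
# present. $ActiveDays is an illustrative value.
Import-Module ActiveDirectory

$ActiveDays = 45
$schemaNC   = (Get-ADRootDSE).schemaNamingContext

# Detect which LAPS flavour(s) the schema knows about; querying an absent attribute fails
$expiryAttr = @(foreach ($a in 'msLAPS-PasswordExpirationTime','ms-Mcs-AdmPwdExpirationTime') {
    if (Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$a)") { $a }
})
if ($expiryAttr.Count -eq 0) { throw 'Neither the Windows LAPS nor the legacy LAPS schema extension is present.' }

# Enabled member computers (no DCs/RODCs) that authenticated inside the activity window
$cutoff    = (Get-Date).AddDays(-$ActiveDays).ToFileTime()
$filter    = "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(primaryGroupID=516))(!(primaryGroupID=521))(lastLogonTimestamp>=$cutoff))"
$computers = Get-ADComputer -LDAPFilter $filter -Properties ($expiryAttr + 'operatingSystem')

$report = $computers | ForEach-Object {
    $c = $_
    # A populated expiration attribute means the LAPS client has rotated at least once
    $managed = [bool]($expiryAttr | Where-Object { $c.$_ })
    [pscustomobject]@{
        Name    = $c.Name
        OU      = ($c.DistinguishedName -replace '^CN=[^,]+,', '')
        OS      = $c.operatingSystem
        Managed = $managed
    }
}

# Coverage per OU: new OUs or images outside the managed scope float to the top
$report | Group-Object OU | ForEach-Object {
    $n = $_.Count
    $m = @($_.Group | Where-Object Managed).Count
    [pscustomobject]@{ OU=$_.Name; Computers=$n; Managed=$m; CoveragePct=[math]::Round(100 * $m / $n, 1) }
} | Sort-Object CoveragePct | Format-Table -AutoSize

# The unmanaged machines are the ones reintroducing shared local admin passwords
$report | Where-Object { -not $_.Managed } | Select-Object Name, OS, OU | Format-Table -AutoSize

# Who can read the password attributes on those OUs (Windows LAPS module cmdlet)
if (Get-Command Find-LapsADExtendedRights -ErrorAction SilentlyContinue) {
    $report.OU | Sort-Object -Unique |
        ForEach-Object { Find-LapsADExtendedRights -Identity $_ } |
        Format-Table ObjectDN, ExtendedRightHolders -AutoSize
}
```

Run monthly, the coverage table answers the first two questions in the list above directly, and the extended-rights listing answers the third: a helpdesk group that was granted read access on a parent OU during rollout inherits down to every server OU created afterwards.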
A Practical Recurring Cadence That Works Better Than an Annual Snapshot
There is no universal number that fits every organization. The right cadence depends on change rate, admin model, and whether AD CS, multiple forests, or hybrid identity add extra complexity. But in practice, a tiered rhythm works better than a single annual review.
| Cadence | Objective | What to remeasure |
|---|---|---|
| Weekly | Catch privilege drift and policy changes early | privileged memberships, newly created privileged accounts, recent object creation, recent SIDHistory changes, default policy changes, high-risk ACL changes |
| Monthly | Revalidate structural exposure | DCSync-capable principals, delegation, LDAP/SMB signing, LAPS coverage, stale accounts, service account hygiene, logging configuration |
| Quarterly | Review architecture-level attack paths | AD CS exposure, trust relationships, AdminSDHolder, machine account quota, OU and GPO structure, tiering and admin path assumptions |
| After every major change | Verify remediation and rollout quality | mergers, PKI work, GPO redesign, new admin tooling, new server baseline, tiering changes, privileged role cleanups |
The point is not to create more meetings. The point is to shorten the time between change, measurement, and verification.
How to Turn This into Continuous Posture Monitoring with EtcSec
This is where the model becomes more useful than an annual consulting deliverable.
ETC Collector's current published AD catalog lists 340 detections across 14 categories, with coverage that includes privileged accounts, Kerberos, permissions, GPO, trusts, monitoring, and compliance, plus ADCS and attack-path checks in Pro. That matters because a recurring workflow only works if the same detector set can be rerun consistently and without turning every review into a consulting project again.
More importantly, the deployment model matches the workflow:
- the collector audits AD in read-only mode over LDAP/LDAPS and SMB for SYSVOL;
- no changes are made to the directory;
- no agent needs to be deployed on domain controllers;
- in daemon mode, the collector runs as a persistent background service, polls the SaaS platform every 30 seconds for commands, executes audits locally, and reports results remotely;
- the API exposes the last audit status and supports synchronous or asynchronous reruns, which is exactly what a recurring workflow needs.
That makes the product fit a continuous-posture model better than a once-a-year PDF. The point is not "real-time detection" in the SIEM sense. The point is that the same control families can be re-measured again and again with low friction, and that remediation can be verified by rerunning the audit instead of waiting for next year's budget cycle.
The EtcSec Checks That Matter Most in a Recurring Workflow
A recurring workflow is only credible if it maps to concrete checks. Based on the current ETC vulnerability catalog, the following findings are especially well suited to repeated posture review:
| Review area | ETC findings to recheck regularly | Why they age badly |
|---|---|---|
| Privilege drift | PRIVILEGED_ACCOUNT_STALE, PRIVILEGED_GROUP_MEMBER_CHANGES, RECENT_PRIVILEGED_CREATION, ADMIN_NATIVE_RECENT_LOGON, GROUP_EVERYONE_IN_PRIVILEGED, GROUP_AUTHENTICATED_USERS_PRIVILEGED | memberships and exceptions accumulate silently |
| ACL and replication paths | DCSYNC_CAPABLE, ACL_GENERICALL, ACL_WRITEDACL, ACL_WRITEOWNER, ADMIN_SD_HOLDER_MODIFIED, ADMINSDHOLDER_BACKDOOR | a single delegated right can outlive the change that created it |
| Kerberos and credential abuse | UNCONSTRAINED_DELEGATION, CONSTRAINED_DELEGATION, RBCD_ABUSE, SHADOW_CREDENTIALS, KERBEROASTING_RISK, ASREP_ROASTING_RISK | these settings change during service rollout, migrations, and admin exceptions |
| LDAP and relay posture | LDAP_SIGNING_DISABLED, LDAP_CHANNEL_BINDING_DISABLED, SMB_SIGNING_DISABLED, NTLM_RELAY_OPPORTUNITY | compatibility work often weakens these controls over time |
| LAPS and endpoint hygiene | LAPS_NOT_DEPLOYED, LAPS_DOMAIN_COVERAGE_LOW, LAPS_PASSWORD_READABLE, COMPUTER_NO_LAPS | new systems and OUs often miss the intended baseline |
| Monitoring readiness | AUDIT_POLICY_WEAK, POWERSHELL_LOGGING_DISABLED, AUDIT_LOGON_EVENTS_DISABLED, AUDIT_ACCOUNT_MGMT_DISABLED, AUDIT_POLICY_CHANGE_DISABLED, SECURITY_LOG_SIZE_SMALL, DC_AUDIT_POLICY_INCOMPLETE | logging quality drifts as GPOs evolve and server teams make exceptions |
| AD CS and certificate paths (Pro) | ESC1-ESC11, ADCS_WEAK_PERMISSIONS, ESC6_EDITF_ATTRIBUTESUBJECTALTNAME2, PATH_CERTIFICATE_ESC | certificate services change during template, PKI, and issuance work |
That list is what turns an audit into a workflow. Instead of paying to rediscover the same control families each year, the team can keep re-checking the ones that are most likely to drift first.
Validation After Each Remediation Cycle
Recurring review only works if every remediation ends with verification. Otherwise, the workflow collapses back into ticket tracking with no remeasurement.
After each change window, you should be able to answer:
- did the targeted finding disappear from the next audit;
- did the risk simply move somewhere else, such as from a group membership issue to an ACL issue;
- did the remediation weaken monitoring, for example by changing GPOs that affect logging or policy enforcement;
- did a supposedly isolated exception create a new path through delegation, replication rights, or certificate configuration;
- did the security score improve for the right reason, meaning fewer meaningful findings rather than just fewer scanned objects.
This is where a recurring workflow outperforms an annual assessment. You do not have to wait months to validate whether a privileged cleanup, a LAPS rollout, an LDAP signing project, or an AD CS hardening effort actually held.
Where the Annual Consulting Model Still Fits
This does not mean one-time external reviews have no value. They still matter for deep architecture review, incident response, red-team validation, and governance checkpoints. But they are not a substitute for recurring measurement of the directory itself.
A mature model is usually:
- deep external review when architecture, trust boundaries, or incident context justify it;
- recurring collector-driven posture measurement for the high-drift controls in between;
- targeted follow-up when new findings appear or remediation stalls.
That is a better story than buying one expensive audit, filing the report, and hoping the directory stays in the same state while admins, projects, and emergency fixes continue to reshape it.
How EtcSec Turns a Report into a Workflow
EtcSec is strongest when it is used to turn AD security review into an operating rhythm:
- run the same detector set repeatedly;
- surface new privileged drift quickly;
- verify hardening changes after every rollout;
- keep ADCS, Kerberos, ACL, and monitoring posture in the same review loop;
- manage the process from SaaS while leaving collection inside the customer network.
That is the important distinction. A recurring AD audit workflow is not just "audit more often." It is a shift from occasional assurance to continuous posture monitoring through repeated, low-friction remeasurement.
Primary References
- Microsoft Learn - Audit Security Group Management
- Microsoft Learn - Event 5136: A directory service object was modified
- Microsoft Learn - Event 4739: Domain Policy was changed
- Microsoft Learn - LDAP signing for Active Directory Domain Services on Windows Server
- Microsoft Learn - Windows LAPS overview
- Microsoft Learn - AdminSDHolder (MS-ADTS)
- Microsoft Learn - Use Windows Event Forwarding to help with intrusion detection
- ANSSI - Recommandations pour l'administration sécurisée des SI reposant sur AD
- ANSSI - Sécuriser la journalisation dans un environnement Microsoft Active Directory