How do I read my Active Directory scan results?

This article explains how to read the Result Information field in Active Directory (AD) findings. The field format varies depending on the type of finding, and this article walks through each format with examples.

What is the Result Information field?

Each AD finding contains several fields - severity, CVSS score, impact, and solution. These fields are consistent across all customers. The Result Information field is different: it identifies the specific objects in your environment that triggered the rule, such as accounts, Domain Controllers, Group Policy Objects (GPOs), certificate templates, and DNS zones.

The format follows a consistent pattern:

  • A one-line description of what was found
  • A column header in parentheses indicating what data is shown
  • One row per affected object

The columns differ depending on the finding type. The sections below explain how to read each format.
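If you export findings and need to process the Result Information field programmatically, the pattern above is regular enough to parse. The following Python parser is an added example, not the scanner's or this article's own code: it recognises the description line with its parenthesised column header, splits each bullet row on the pipe separator, and records the "... [approximately N rows]" marker that long lists carry. The sample fields it parses are constructed from the example rows in this article.

```python
"""Parser for the Result Information field layout described in this article.

Added example: not the scanner's code and not part of the article. It implements
only the layout the article documents: a description line ending in a
parenthesised column header and a colon, then one bullet row per object with
pipes separating columns. Sample fields are constructed from the article's rows.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "description (Col1 | Col2):" -- the parenthesised group right before the colon
HEADER_RE = re.compile(r"^(?P<description>.+?)\s*\((?P<columns>[^()]+)\):$")
# leading bullet glyph, if any (the article renders rows with a bullet)
BULLET_RE = re.compile(r"^[•*-]\s*")
# truncation marker used on long lists, e.g. "... [approximately 100 rows]"
TRUNCATED_RE = re.compile(r"^\.\.\.\s*\[(?P<note>[^\]]+)\]$")


@dataclass
class ResultInfo:
    description: str
    columns: List[str]
    rows: List[Dict[str, str]] = field(default_factory=list)  # one dict per object
    truncated: Optional[str] = None  # text of the "..." marker, if the list was cut


def parse_result_info(text: str) -> ResultInfo:
    """Parse one Result Information field into its columns and per-object rows."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty Result Information field")
    header = HEADER_RE.match(lines[0])
    if header is None:
        raise ValueError(f"unrecognised header line: {lines[0]!r}")
    columns = [c.strip() for c in header.group("columns").split("|")]
    info = ResultInfo(header.group("description").strip(), columns)
    for line in lines[1:]:
        row_text = BULLET_RE.sub("", line).strip()
        marker = TRUNCATED_RE.match(row_text)
        if marker:
            info.truncated = marker.group("note")
            continue
        values = [v.strip() for v in row_text.split("|")]
        if len(values) != len(columns):
            # a row that does not match the header is a parsing problem, not data
            raise ValueError(
                f"row {row_text!r} has {len(values)} columns, header has {len(columns)}"
            )
        info.rows.append(dict(zip(columns, values)))
    return info


def is_computer_account(sam_account_name: str) -> bool:
    """Computer accounts carry a trailing '$' on their sAMAccountName."""
    return sam_account_name.endswith("$")


# Constructed samples, taken from the example rows in this article.
KERBEROAST_SAMPLE = """Kerberoastable privileged service accounts (User | Groups | SPNs):

  • svc-app01 | Domain Administrators, Administrators | http/app01.corp.example.com
  • svc-sql01 | Domain Administrators, Administrators | MSSQLSvc/sql01.corp.example.com:1433
"""

INACTIVE_SAMPLE = """Inactive privileged accounts (User | SID):

  • svc-legacy-da | S-1-5-21-1111111111-2222222222-3333333333-1156
  • admin-archive-25 | S-1-5-21-1111111111-2222222222-3333333333-4448
  • ... [approximately 100 rows]
"""

if __name__ == "__main__":
    for sample in (KERBEROAST_SAMPLE, INACTIVE_SAMPLE):
        info = parse_result_info(sample)
        print(info.description, info.columns)
        for row in info.rows:
            print("  ", row)
        if info.truncated:
            print("   list truncated:", info.truncated)
```

One caveat when using this: the ESC1 example later in this article ends its description with "(ESC1):", which is a finding tag rather than a column name, so the parser will report a single column called "ESC1" for that finding. Check the columns attribute before relying on the column names, and treat a non-empty truncated value as a signal that the scanner output is not the complete set of affected objects.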

Findings are baselines - not CVEs
AD assessments evaluate your Active Directory configuration against hardening baselines published by Microsoft, CIS, and the security research community. A finding indicates a deviation from that baseline. For this reason, AD findings rarely carry a CVE - the underlying issue is a configuration state, not a versioned software vulnerability.

Result formats

Host list

Example finding: AD - Domain-Joined Computers Running Windows Server 2012/R2 (End-of-Life)

Domain-joined hosts running Windows Server 2012/R2 (Host):

  • WIN-LEGACY-01$

One entry per affected host. Each row identifies a machine that must be migrated, retired, or enrolled in Microsoft Extended Security Updates. The trailing $ confirms the entry is a computer account rather than a user account.

GPO content

Example finding: AD - Plaintext Passwords in Group Policy Preferences

GPO Preferences contain plaintext passwords (GPO | User | Encrypted):

  • Legacy-Service-Policy | svc-deploy | cpassword present (decryptable)

The GPO column identifies the policy object that must be edited. The User column identifies the account whose credentials are exposed and must be rotated. Each row represents one credential that must be removed from SYSVOL and reset.
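Before editing the GPO named in such a finding, it helps to confirm the stored credential at its source. Group Policy Preference XML files under SYSVOL keep a preference-set password in a cpassword attribute, and the check below reports which file and account carry one without decrypting anything. This Python check is an added example, not the scanner's or this article's code; the Groups.xml content, the SYSVOL path and the GPO GUID in it are constructed placeholders, and the set of account-name attributes it looks at is an assumption made for this example.

```python
"""Locate cpassword attributes in Group Policy Preference XML under SYSVOL.

Added example, not the scanner's or the article's code. It reports the file,
GPO GUID and account for every non-empty cpassword attribute it finds; it does
not decrypt anything. Sample XML, path and GUID below are constructed.
"""
import os
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

# Attribute names that preference items use to name the affected account
# (assumed set for this example: group members, services, tasks, data sources)
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")
# GPOs live under Policies\{GUID}\ in SYSVOL, so the GUID identifies the GPO
GPO_GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def find_cpassword(xml_text: str, source_path: str) -> List[Dict[str, str]]:
    """Return one record per element that carries a non-empty cpassword attribute."""
    root = ET.fromstring(xml_text)
    gpo = GPO_GUID_RE.search(source_path)
    hits: List[Dict[str, str]] = []
    for el in root.iter():
        if not el.attrib.get("cpassword"):
            continue  # attribute absent or empty: no password is stored here
        account = next((el.attrib[a] for a in ACCOUNT_ATTRS if el.attrib.get(a)), "")
        hits.append({
            "gpo": gpo.group(0) if gpo else "?",
            "file": source_path,
            "account": account,
            "encrypted": "cpassword present (decryptable)",
        })
    return hits


def scan_sysvol(sysvol_root: str) -> List[Dict[str, str]]:
    """Walk a SYSVOL tree (local path or mapped share) and collect cpassword hits."""
    hits: List[Dict[str, str]] = []
    for dirpath, _, files in os.walk(sysvol_root):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8-sig") as fh:
                    hits.extend(find_cpassword(fh.read(), path))
            except (OSError, ET.ParseError):
                continue  # unreadable or not XML: skip, this check is best effort
    return hits


# Constructed sample: one preference item with a stored password, one without.
SAMPLE_PATH = (
    r"\\corp.example.com\SYSVOL\corp.example.com\Policies"
    r"\{00000000-0000-0000-0000-000000000001}\Machine\Preferences\Groups\Groups.xml"
)
SAMPLE_XML = """<Groups>
  <User name="svc-deploy" changed="2015-04-01 10:00:00">
    <Properties action="U" userName="svc-deploy" cpassword="CONSTRUCTED-PLACEHOLDER"
                changeLogon="0" noChange="1" neverExpires="1"/>
  </User>
  <User name="localbackup">
    <Properties action="U" userName="localbackup" cpassword=""/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for hit in find_cpassword(SAMPLE_XML, SAMPLE_PATH):
        print(f"{hit['gpo']} | {hit['account']} | {hit['encrypted']}")
```

The path only yields the GPO GUID, whereas the finding shows the GPO display name; on a domain-joined host the PowerShell cmdlet Get-GPO -Guid resolves one to the other. Each hit maps to one row of the finding and to one credential that has to be removed from SYSVOL and rotated.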

Account list with attributes

Example finding: AD - Privileged Service Accounts with Old Passwords Are Kerberoastable

Kerberoastable privileged service accounts (User | Groups | SPNs):

  • svc-app01 | Domain Administrators, Administrators | http/app01.corp.example.com
  • svc-sql01 | Domain Administrators, Administrators | MSSQLSvc/sql01.corp.example.com:1433

Each row links the account to the group membership that makes it privileged and the Service Principal Name (SPN) that makes it Kerberoastable. The recommended remediation is conversion to a Group Managed Service Account (gMSA) so that the password is rotated automatically.

Account DN list

Example finding: AD - User Accounts with Password Set to Never Expire

User accounts with PASSWORD_NEVER_EXPIRES set (DN):

  • CN=svc-legacy,CN=Users,DC=corp,DC=example,DC=com
  • CN=Administrator,CN=Users,DC=corp,DC=example,DC=com
  • CN=Guest,CN=Users,DC=corp,DC=example,DC=com

The full distinguished name (DN) is provided so entries can be used directly in PowerShell or Active Directory Users and Computers (ADUC). The presence of the built-in Administrator and Guest accounts is common but should be reviewed. Built-in accounts should either be disabled or maintained with a rotated, monitored password.

Certificate template

Example finding: AD - Auth Template Allows Enrollee-Supplied Subject (ESC1)

Certificate templates allowing user-supplied subject/SAN with low-privilege enroll (ESC1):

  • WebServerEnrollment

One entry per misconfigured template. Active Directory Certificate Services (ADCS) findings typically return short lists with significant impact. A single ESC1-vulnerable template enables Domain Admin impersonation by any principal permitted to enroll.

DNS zone

Example finding: AD - Authenticated Users Can Create DNS Records in AD-Integrated Zones

DNS zones where Authenticated Users can create child records (Zone):

  • corp.example.com
  • internal.example.com
  • _msdcs.corp.example.com

Each row identifies a zone access control list (ACL) that must be corrected.

Msdcs zones require immediate attention!
Write access to an _msdcs zone enables hijacking of Domain Controller records, not only generic name resolution. Prioritize any finding that includes _msdcs entries.

Long account lists

Example finding: AD - High Percentage of Enabled Privileged Accounts Are Inactive

Inactive privileged accounts (User | SID):

  • svc-legacy-da | S-1-5-21-1111111111-2222222222-3333333333-1156
  • admin-archive-25 | S-1-5-21-1111111111-2222222222-3333333333-4448
  • ... [approximately 100 rows]

When a list contains a large number of rows, prioritize by group membership and well-known Relative Identifier (RID). The following should be addressed first:

  • RID 500 - Administrator
  • RID 502 - krbtgt
  • RID 512 - Domain Admins
  • Named administrative accounts
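The ordering above can be applied mechanically to a long User | SID list. The Python triage below is an added example, not the scanner's or this article's code: it pulls the RID out of each SID, puts RID 500, RID 502, members of Domain Admins and other reserved RIDs first, named administrative accounts next, and bulk archival entries last. The naming heuristics for "administrative" and "archival" accounts and the sample rows are constructed assumptions for this example, so adjust them to your own naming convention.

```python
"""Triage helper for long "Inactive privileged accounts (User | SID)" lists.

Added example, not the scanner's or the article's code. Ordering follows the
article: well-known RIDs and Domain Admins membership first, named
administrative accounts next, bulk archival entries last. The name patterns
and sample rows are constructed assumptions.
"""
import re
from typing import Iterable, List, Sequence, Tuple

# Domain account SID layout: S-1-5-21-<three sub-authorities>-<RID>
DOMAIN_ACCOUNT_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(?P<rid>\d+)$")
# Well-known RIDs named in the article
WELL_KNOWN_RIDS = {500: "Administrator", 502: "krbtgt", 512: "Domain Admins"}
# Assumed naming convention for bulk archival accounts (constructed for this example)
ARCHIVAL_NAME_RE = re.compile(r"^[a-z]+-archive-\d+$", re.IGNORECASE)


def rid_from_sid(sid: str) -> int:
    """Extract the Relative Identifier (last component) of a domain account SID."""
    m = DOMAIN_ACCOUNT_SID_RE.match(sid.strip())
    if m is None:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return int(m.group("rid"))


def triage(user: str, sid: str, groups: Sequence[str] = ()) -> Tuple[int, str]:
    """Return (priority, reason); a lower priority number means address it first."""
    rid = rid_from_sid(sid)
    if rid in (500, 502):
        return 1, f"well-known RID {rid} ({WELL_KNOWN_RIDS[rid]})"
    if "Domain Admins" in groups:
        return 1, "member of Domain Admins (group RID 512)"
    if rid < 1000:
        # RIDs below 1000 are reserved for built-in principals, never for
        # accounts created later by administrators
        return 1, f"built-in principal (RID {rid})"
    if ARCHIVAL_NAME_RE.match(user):
        return 3, "bulk archival entry (cleanup, not incident response)"
    if "admin" in user.lower() or user.lower().endswith("-da"):
        return 2, "named administrative account"
    return 2, "privileged account, review"


def prioritize(rows: Iterable[Tuple[str, str, Sequence[str]]]) -> List[Tuple[int, str, str, str]]:
    """Rank (user, sid, groups) rows as (priority, reason, user, sid), most urgent first."""
    ranked = []
    for user, sid, groups in rows:
        prio, reason = triage(user, sid, groups)
        ranked.append((prio, reason, user, sid))
    ranked.sort(key=lambda r: (r[0], r[2].lower()))
    return ranked


# Constructed sample rows; group membership would come from a Groups column or
# a directory lookup, it is not part of the User | SID finding itself.
SAMPLE_ROWS = [
    ("svc-legacy-da", "S-1-5-21-1111111111-2222222222-3333333333-1156", ("Domain Admins",)),
    ("admin-archive-25", "S-1-5-21-1111111111-2222222222-3333333333-4448", ("Account Operators",)),
    ("helpdesk-admin", "S-1-5-21-1111111111-2222222222-3333333333-2001", ("Account Operators",)),
    ("krbtgt", "S-1-5-21-1111111111-2222222222-3333333333-502", ()),
    ("Administrator", "S-1-5-21-1111111111-2222222222-3333333333-500", ("Domain Admins",)),
]

if __name__ == "__main__":
    for prio, reason, user, sid in prioritize(SAMPLE_ROWS):
        print(f"P{prio} {user:20} {sid}  {reason}")
```

Because the finding lists only the first rows of a long result, run the triage over the complete account set pulled from the directory rather than over the truncated excerpt, otherwise a RID 500 or krbtgt entry beyond the cut-off is never seen.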

Bulk archival entries
Bulk archival entries are typically a cleanup activity rather than incident response.