Active Directory reviews should start with evidence, not assumptions.
For MSPs and small IT teams, the goal is not to rebuild the whole domain in one pass. The goal is to identify the highest-risk areas, collect clean evidence, and create a remediation plan that another engineer can understand.
Why Active Directory Audits Go Wrong
Most weak AD reviews fail for simple reasons:
- the scope is not defined
- privileged access is not reviewed first
- stale users and computers are ignored
- service accounts are mixed with human accounts
- GPOs are documented poorly
- DNS and replication checks are skipped
- the final report has findings but no evidence
A good audit separates observation, risk, and recommended action.
Core Areas To Check
- privileged users and nested admin groups
- stale users and disabled accounts
- stale computers
- password policy and lockout policy
- service accounts
- DNS health indicators
- GPO inventory
- replication status
- domain controller roles
- audit policy and logging posture
Keep the first pass read-only. Run collection with an account that has no rights to change anything, so the audit itself cannot become the outage. Collect evidence, summarize risk, and only then decide what should change.
Privileged Access Review
Start with administrative groups:
- Domain Admins
- Enterprise Admins
- Schema Admins
- Account Operators
- Server Operators
- Backup Operators
- local administrators on critical servers
For each group, capture membership, business owner, last logon evidence where available, and whether the account is human, service, break-glass, or unknown.
Do not only check direct membership. Nested groups are where many surprises live: a help-desk group placed inside a group that is itself a member of Domain Admins gives every help-desk user domain-admin rights, and a flat membership listing never shows it.
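One way to collect this evidence, as an added example that is not part of the original page or of any product it mentions. It assumes the RSAT ActiveDirectory module, a read-only audit account, and WinRM access to the member servers named in $CriticalServers; the group list, the server names and the 90-day threshold are placeholders for the engagement's own values.

```powershell
# Added example (not from the original page). Assumes the RSAT ActiveDirectory module and
# a read-only audit account; $PrivilegedGroups, $CriticalServers and the 90-day threshold
# are assumptions to be replaced with the client's own values.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Account Operators', 'Server Operators', 'Backup Operators', 'Administrators')
$CriticalServers  = @('FS01', 'APP01')            # assumed names; member servers, not DCs
$StaleAfter       = (Get-Date).AddDays(-90)
$UserProps        = @('LastLogonDate', 'PasswordNeverExpires', 'ServicePrincipalName',
                      'Description', 'adminCount', 'whenCreated')

function Get-PrivilegedUserReport {
    param([string[]]$Groups = $PrivilegedGroups)
    foreach ($GroupName in $Groups) {
        $Group = Get-ADGroup -Identity $GroupName -ErrorAction SilentlyContinue
        if (-not $Group) { continue }   # Enterprise/Schema Admins exist only in the forest root domain

        # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership on the DC, so a user who is an
        # admin only through a group inside a group is still returned. It also sidesteps the
        # Get-ADGroupMember -Recursive failure on unresolvable members from trusted domains.
        $Filter = "(memberOf:1.2.840.113556.1.4.1941:=$($Group.DistinguishedName))"
        foreach ($User in (Get-ADUser -LDAPFilter $Filter -Properties $UserProps)) {
            # Heuristic classification; the business owner confirms it during the review.
            if ($User.ServicePrincipalName.Count -gt 0 -or $User.SamAccountName -like 'svc*') { $Class = 'service' }
            elseif ($User.Description -match 'break.?glass|emergency') { $Class = 'break-glass' }
            else { $Class = 'human' }

            [pscustomobject]@{
                Group                = $GroupName
                SamAccountName       = $User.SamAccountName
                Enabled              = $User.Enabled
                Classification       = $Class
                # LastLogonDate is derived from lastLogonTimestamp, which replicates only when it
                # is more than 9-14 days old; read it as "at least this recent", never as exact.
                LastLogonDate        = $User.LastLogonDate
                NoLogon90d           = ($null -eq $User.LastLogonDate) -or ($User.LastLogonDate -lt $StaleAfter)
                PasswordNeverExpires = $User.PasswordNeverExpires
                AdminCount           = $User.adminCount
                Created              = $User.whenCreated
                Owner                = ''   # filled in by hand from the business owner
                Evidence             = "Get-ADUser -LDAPFilter `"$Filter`""
            }
        }
    }
}

function Get-OrphanedAdminCountUser {
    # SDProp sets adminCount=1 on members of protected groups and never clears it, so an
    # adminCount=1 user outside every privileged group is usually a former admin whose object
    # still carries the locked-down AdminSDHolder ACL. Worth a line in the report.
    $Current = @(Get-PrivilegedUserReport | Select-Object -ExpandProperty SamAccountName -Unique)
    Get-ADUser -LDAPFilter '(adminCount=1)' |
        Where-Object { $_.SamAccountName -notin $Current -and $_.SamAccountName -ne 'krbtgt' }
}

function Get-LocalAdminEvidence {
    # Local Administrators on member servers; needs WinRM. Not for DCs, which have no local SAM.
    param([string[]]$ComputerName = $CriticalServers)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, Name, ObjectClass, PrincipalSource
    }
}

# Usage: evidence for the privileged-access section of the report.
Get-PrivilegedUserReport   | Format-Table -AutoSize
Get-OrphanedAdminCountUser | Select-Object SamAccountName, Enabled, DistinguishedName
Get-LocalAdminEvidence     | Format-Table -AutoSize
```

The Evidence column records the exact query that produced each row, which is what lets a second engineer reproduce the finding instead of trusting the spreadsheet.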
Stale Accounts And Computers
Stale objects create unnecessary attack surface and operational confusion. An enabled account nobody has used for a year, often with a password that never expires, is a credential that nobody is watching and nobody will miss when it is abused.
Review:
- users with no recent logon
- disabled users that still exist without a cleanup reason
- computers that have not authenticated recently
- accounts with passwords that never expire
- accounts with unclear ownership
- old admin accounts left from previous engineers or vendors
The output should not be a blind delete list. It should be a controlled review list with owner, evidence, and recommended action.
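The review list described above, built with PowerShell as an added example (not code from the original page or from any product it mentions). It assumes the RSAT ActiveDirectory module; the 90-day and 180-day thresholds, the output folder and the convention that a cleanup reason lives in the Description field are assumptions for the engagement.

```powershell
# Added example (not from the original page). Assumes the RSAT ActiveDirectory module;
# the 90/180-day thresholds, $OutDir and the "reason in Description" convention are assumptions.
Import-Module ActiveDirectory

$UserInactiveDays     = 90
$ComputerInactiveDays = 180
$OutDir               = 'C:\AD-Audit\evidence'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function New-ReviewRow {
    # One row per object: evidence and a proposed action, never a bare name to delete.
    param($Category, $Object, $Evidence, $Action)
    [pscustomobject]@{
        Category          = $Category
        Name              = $Object.SamAccountName
        Enabled           = $Object.Enabled
        LastLogonDate     = $Object.LastLogonDate     # from lastLogonTimestamp: 9-14 day replication lag
        PasswordLastSet   = $Object.PasswordLastSet
        Created           = $Object.whenCreated
        Description       = $Object.Description
        Owner             = ''                        # hand-filled; nothing is removed without one
        Evidence          = $Evidence
        RecommendedAction = $Action
    }
}

function Get-StaleObjectReview {
    $Props = 'LastLogonDate', 'PasswordLastSet', 'PasswordNeverExpires', 'Description', 'whenCreated'

    # Users with no logon inside the threshold. Search-ADAccount also reads lastLogonTimestamp,
    # so "inactive for 90 days" really means "no logon for at least 76-81 days".
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $UserInactiveDays) -UsersOnly |
        Get-ADUser -Properties $Props |
        ForEach-Object { New-ReviewRow 'stale-user' $_ "Search-ADAccount -AccountInactive -TimeSpan ${UserInactiveDays}d" 'confirm with owner, then disable' }

    # Disabled users with no recorded cleanup reason (assumed convention: reason in Description).
    Search-ADAccount -AccountDisabled -UsersOnly |
        Get-ADUser -Properties $Props |
        Where-Object { -not $_.Description } |
        ForEach-Object { New-ReviewRow 'disabled-no-reason' $_ 'Search-ADAccount -AccountDisabled' 'record reason or schedule deletion' }

    # Computers: the machine account password rotates every 30 days by default, so a
    # PasswordLastSet older than the threshold corroborates the logon evidence.
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $ComputerInactiveDays) -ComputersOnly |
        Get-ADComputer -Properties LastLogonDate, PasswordLastSet, OperatingSystem, Description, whenCreated |
        ForEach-Object { New-ReviewRow 'stale-computer' $_ "Search-ADAccount -AccountInactive -TimeSpan ${ComputerInactiveDays}d; PasswordLastSet=$($_.PasswordLastSet)" 'confirm decommissioned, then disable' }

    # Enabled accounts whose password never expires: forgotten admins and service accounts live here.
    Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } -Properties $Props |
        ForEach-Object { New-ReviewRow 'password-never-expires' $_ 'Get-ADUser -Filter PasswordNeverExpires -eq $true' 'identify owner; rotate or move to a managed service account' }
}

function Get-PasswordPolicyEvidence {
    # The default domain policy plus any fine-grained policies that override it for specific groups.
    Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, ComplexityEnabled, LockoutThreshold, LockoutDuration, LockoutObservationWindow
    Get-ADFineGrainedPasswordPolicy -Filter * | Select-Object Name, Precedence, AppliesTo, MinPasswordLength, MaxPasswordAge, LockoutThreshold
}

# Usage: export the review list as evidence and summarize it for the report.
$Review = Get-StaleObjectReview
$Review | Export-Csv -Path (Join-Path $OutDir 'stale-objects.csv') -NoTypeInformation -Encoding UTF8
$Review | Group-Object Category | Select-Object Name, Count
Get-PasswordPolicyEvidence
```

Disable first, delete later: a disabled account keeps its SID and group memberships, so a mistaken cleanup can be reversed in seconds, whereas a deleted one needs the Recycle Bin or a restore.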
GPO And DNS Checks
GPO and DNS issues create hidden risk that is as much security as operations: whoever can edit a GPO can run code on every computer it is linked to, and DNS that does not resolve domain controllers correctly breaks Kerberos, Group Policy processing, and replication.
For GPOs, capture:
- linked and unlinked policies
- disabled policies
- policies with unclear names
- security filtering
- WMI filters
- password, lockout, audit, firewall, and script settings
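A GPO inventory that captures those items, as an added example that is not code from the original page or from any product it mentions. It assumes the RSAT GroupPolicy module and a read-only account; the output folder, the "unclear name" pattern, and the keyword checks used to flag which settings a GPO contains are assumptions.

```powershell
# Added example (not from the original page). Assumes the RSAT GroupPolicy module and a
# read-only account; $OutDir, $UnclearNamePattern and the keyword checks are assumptions.
Import-Module GroupPolicy

$OutDir             = 'C:\AD-Audit\evidence\gpo'
$UnclearNamePattern = '^(New Group Policy Object|test|temp|copy of|old)'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-GpoInventory {
    foreach ($Gpo in Get-GPO -All) {
        # The XML report is the evidence: links plus every configured setting (password,
        # lockout, audit, firewall, scripts) in one file per GPO, kept in the evidence folder.
        $XmlPath = Join-Path $OutDir ('{0}.xml' -f $Gpo.Id)
        Get-GPOReport -Guid $Gpo.Id -ReportType Xml -Path $XmlPath
        [xml]$Report = Get-Content -Path $XmlPath -Raw
        $Links = @($Report.GPO.LinksTo)

        # Security filtering (who the GPO applies to) and, the security-relevant part, who can
        # edit it: a GPO linked to servers that a broad group can edit is a privilege escalation path.
        $Perms   = Get-GPPermission -Guid $Gpo.Id -All
        $Applies = ($Perms | Where-Object { $_.Permission -eq 'GpoApply' }).Trustee.Name -join ';'
        $Editors = ($Perms | Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' }).Trustee.Name -join ';'

        # Keyword heuristics over the report text, only to point the reviewer at the right files;
        # the saved XML, not these flags, is the evidence for what a GPO sets.
        $Text = $Report.OuterXml
        [pscustomobject]@{
            Name                 = $Gpo.DisplayName
            Id                   = $Gpo.Id
            Status               = $Gpo.GpoStatus      # AllSettingsEnabled, UserSettingsDisabled, ...
            Linked               = ($Links.Count -gt 0)
            LinkTargets          = ($Links | ForEach-Object { "$($_.SOMPath) (enabled=$($_.Enabled))" }) -join ';'
            WmiFilter            = $Gpo.WmiFilter.Name
            AppliesTo            = $Applies
            EditableBy           = $Editors
            UnclearName          = ($Gpo.DisplayName -match $UnclearNamePattern)
            HasPasswordOrLockout = ($Text -match 'MinimumPasswordLength|LockoutBadCount')
            HasAuditSettings     = ($Text -match 'Audit')
            HasFirewallSettings  = ($Text -match 'DomainProfile|PrivateProfile|PublicProfile')
            HasScripts           = ($Text -match '<Script>')
            Modified             = $Gpo.ModificationTime
            Evidence             = $XmlPath
        }
    }
}

# Usage: the full inventory as evidence, plus the rows a reviewer reads first.
$Inventory = Get-GpoInventory
$Inventory | Export-Csv -Path (Join-Path $OutDir 'gpo-inventory.csv') -NoTypeInformation -Encoding UTF8
$Inventory | Where-Object { -not $_.Linked -or $_.Status -ne 'AllSettingsEnabled' -or $_.UnclearName } |
    Select-Object Name, Linked, Status, UnclearName, EditableBy | Format-Table -AutoSize
```

Read the EditableBy column against the LinkTargets column: a GPO that only Domain Admins can edit is not interesting, while one linked to an OU full of servers that "Authenticated Users" or a large delegated group can edit should go to the top of the remediation list.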
For DNS, capture:
- domain controller DNS configuration
- stale zones or records
- forwarders
- replication-related symptoms (records that differ between domain controllers, lingering objects, replication errors in the Directory Service event log)
- name resolution issues reported by users or apps
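The DNS, replication and role checks above, collected as objects rather than screenshots, as an added example that is not code from the original page or from any product it mentions. It assumes the RSAT ActiveDirectory and DnsServer modules, that every domain controller also runs DNS, and a read-only account; the 30-day stale-record cutoff is an assumption.

```powershell
# Added example (not from the original page). Assumes the RSAT ActiveDirectory and DnsServer
# modules, that every DC runs DNS, and a read-only account; the 30-day cutoff is an assumption.
Import-Module ActiveDirectory, DnsServer

$Dcs = (Get-ADDomainController -Filter *).HostName

function Get-DcDnsEvidence {
    param([string[]]$DomainController = $Dcs)
    foreach ($Dc in $DomainController) {
        $Fwd   = Get-DnsServerForwarder -ComputerName $Dc
        $Zones = Get-DnsServerZone -ComputerName $Dc | Where-Object { -not $_.IsAutoCreated }
        # The resolvers the DC itself uses: itself and another DC, never only an ISP resolver.
        $Client = Get-DnsClientServerAddress -CimSession $Dc -AddressFamily IPv4 |
                      Where-Object { $_.ServerAddresses } | Select-Object -ExpandProperty ServerAddresses
        $Primary = $Zones | Where-Object { $_.ZoneType -eq 'Primary' }
        [pscustomobject]@{
            DC                 = $Dc
            Forwarders         = ($Fwd.IPAddress | ForEach-Object { $_.IPAddressToString }) -join ';'
            UseRootHint        = $Fwd.UseRootHint
            ClientDnsServers   = ($Client | Select-Object -Unique) -join ';'
            Zones              = $Zones.ZoneName -join ';'
            NonADIntegrated    = ($Primary | Where-Object { -not $_.IsDsIntegrated }).ZoneName -join ';'
            # Aging off on a primary forward zone means dynamic records are never scavenged.
            AgingDisabledZones = ($Primary | Where-Object { -not $_.IsReverseLookupZone } |
                                     ForEach-Object { Get-DnsServerZoneAging -Name $_.ZoneName -ComputerName $Dc -ErrorAction SilentlyContinue } |
                                     Where-Object { -not $_.AgingEnabled }).ZoneName -join ';'
        }
    }
}

function Get-StaleDnsRecord {
    param([string]$ZoneName = (Get-ADDomain).DNSRoot, [string]$DC = $Dcs[0], [int]$OlderThanDays = 30)
    $Cutoff = (Get-Date).AddDays(-$OlderThanDays)
    # Static records have no Timestamp; dynamic records that stopped refreshing are the stale
    # candidates, and they usually belong to the stale computers found earlier in the audit.
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -ComputerName $DC |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $Cutoff } |
        Select-Object HostName, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address.IPAddressToString } }, Timestamp
}

function Get-ReplicationEvidence {
    param([string[]]$DomainController = $Dcs)
    # The same data repadmin /showrepl prints, as objects. A non-zero LastReplicationResult or a
    # LastReplicationSuccess older than a day is a finding; the DNS symptoms above often follow from it.
    Get-ADReplicationPartnerMetadata -Target $DomainController -Scope Server |
        Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
}

function Get-FsmoRoleEvidence {
    $Domain = Get-ADDomain
    $Forest = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $Domain.PDCEmulator
        RIDMaster            = $Domain.RIDMaster
        InfrastructureMaster = $Domain.InfrastructureMaster
        SchemaMaster         = $Forest.SchemaMaster
        DomainNamingMaster   = $Forest.DomainNamingMaster
        GlobalCatalogs       = $Forest.GlobalCatalogs -join ';'
    }
}

# Usage: one object per DC, then the records and partners worth a second look.
Get-DcDnsEvidence        | Format-List
Get-StaleDnsRecord       | Sort-Object Timestamp | Format-Table -AutoSize
Get-ReplicationEvidence  | Where-Object { $_.LastReplicationResult -ne 0 -or $_.ConsecutiveReplicationFailures -gt 0 }
Get-FsmoRoleEvidence
```

Keep the Get-ReplicationEvidence output in the package even when it is clean: "replication healthy on the collection date" is itself evidence, and it rules replication out as the cause of any DNS inconsistency you report.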
Evidence Package
Every AD audit should produce an evidence package that includes:
- export files
- screenshots where useful
- command output
- risk notes
- remediation priority
- owner or responsible team
- date of collection
This is what turns a technical check into a client-ready deliverable.
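A manifest for the evidence folder, added here as an example that is not code from the original page or from any product it mentions. It records the collection date, who collected from where, and a SHA-256 hash per export, so the report can cite files that demonstrably have not changed since collection. The folder path and the placeholder fields for risk, priority and owner are assumptions.

```powershell
# Added example (not from the original page). $EvidenceRoot and the placeholder fields are
# assumptions; the hashes let anyone verify later that the exports were not edited.
$EvidenceRoot = 'C:\AD-Audit\evidence'

function New-EvidenceManifest {
    param([string]$Root = $EvidenceRoot)
    $Files = Get-ChildItem -Path $Root -Recurse -File | Where-Object { $_.Name -ne 'manifest.json' }
    $Manifest = [ordered]@{
        CollectedAt   = (Get-Date).ToString('o')       # ISO 8601 with UTC offset: unambiguous across client time zones
        CollectedBy   = "$env:USERDOMAIN\$env:USERNAME"
        CollectedFrom = $env:COMPUTERNAME
        Domain        = $env:USERDNSDOMAIN
        Files         = @(foreach ($F in $Files) {
            [ordered]@{
                Path     = $F.FullName.Substring($Root.Length).TrimStart('\')
                Bytes    = $F.Length
                Sha256   = (Get-FileHash -Path $F.FullName -Algorithm SHA256).Hash
                # Filled in by the reviewer: what the file shows and how it should be handled.
                Finding  = ''
                Risk     = ''
                Priority = ''
                Owner    = ''
            }
        })
    }
    $Manifest | ConvertTo-Json -Depth 4 | Set-Content -Path (Join-Path $Root 'manifest.json') -Encoding UTF8
    $Manifest
}

function Test-EvidenceManifest {
    # Re-hash before the client meeting or a later dispute to show the exports are unchanged.
    param([string]$Root = $EvidenceRoot)
    $Manifest = Get-Content -Path (Join-Path $Root 'manifest.json') -Raw | ConvertFrom-Json
    foreach ($Entry in $Manifest.Files) {
        $Path = Join-Path $Root $Entry.Path
        $Now  = if (Test-Path $Path) { (Get-FileHash -Path $Path -Algorithm SHA256).Hash } else { 'MISSING' }
        [pscustomobject]@{ Path = $Entry.Path; Intact = ($Now -eq $Entry.Sha256) }
    }
}

# Usage: build the manifest once collection is finished, then verify it whenever the package is reopened.
New-EvidenceManifest | Out-Null
Test-EvidenceManifest | Where-Object { -not $_.Intact }
```

Fill in the Finding, Risk, Priority and Owner fields in the manifest rather than in a separate document, so each remediation item stays tied to the file that proves it.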
Product Fit
If you want a ready-to-use checklist, evidence structure, and client-facing workflow, use the Active Directory Audit Toolkit:
https://store.cloudpeakify.com/products/active-directory-audit-toolkit
For identity governance beyond on-prem AD, pair it with the Entra ID Governance Review Kit:
https://store.cloudpeakify.com/products/entra-id-governance-review-kit
Final Checklist
Before closing the audit, confirm:
- privileged groups are reviewed
- stale users and computers are documented
- service accounts have owners
- GPOs are inventoried
- DNS and replication checks are included
- findings are separated from assumptions
- every recommendation has evidence
- the client can understand the risk without reading raw command output