Sep 17 2025

Active Directory Security Tip #5: The Default Domain Administrator Account

In every Active Directory domain, there’s the default domain Administrator account.
Here are some key items to check:

  • Do you know when the last time the Administrator account was used (logged into)?
  • The last time its password was changed? Is it current?
  • How the password is managed and stored?
  • Does it have an associated Kerberos Service Principal Name (SPN)? (it shouldn’t)
  • Is it enabled? (it’s probably fine if it is)


PowerShell for current domain using the AD PowerShell cmdlets: 

$Domain = $env:userdnsdomain
$DomainDC = (Get-ADDomainController -Discover -DomainName $Domain).Name
Get-ADUser "$((Get-ADDomain).DomainSID)-500" -Properties Name,Enabled,Created,PasswordLastSet,LastLogonDate,ServicePrincipalName,SID -Server $DomainDC


(Visited 425 times, 1 visits today)

Sean Metcalf

I improve security for enterprises around the world working for TrustedSec & I am @PyroTek3 on Twitter.
Read the About page (top left) for information about me. :)
https://adsecurity.org/?page_id=8