Professor
Active Directory Intermediate

Active Directory ACL Abuse: From WriteOwner to Domain Admin

How misconfigured Access Control Lists on AD objects turn into full domain escalation paths, and how BloodHound maps the graph.

Published July 14, 2026 4 min read

Every object in Active Directory — users, groups, computers, GPOs — carries a security descriptor with a discretionary access control list (DACL). Each entry (ACE) grants a trustee some right over that object. Most of the time these rights are boring: a helpdesk group gets Reset Password on a user OU, a service account gets Write on one attribute. Abuse happens when those small, individually reasonable grants chain together into a path to Domain Admin.

Why this matters more than CVEs

There’s no patch for a misconfigured ACL. It’s a design decision made by whoever delegated rights, often years ago, often forgotten. That’s exactly why ACL abuse is one of the most consistent findings across real AD environments — it doesn’t rely on missing patches, only on accumulated delegation.

Note

BloodHound represents these relationships as directed edges in a graph. An edge like GenericAll or WriteOwner from principal A to object B means “A can eventually control B,” even if that control isn’t immediate.

The core primitives

ACE rightWhat it lets you do
GenericAllFull control — reset password, add to group, modify anything
GenericWriteWrite most attributes, including scriptPath or group membership
WriteOwnerTake ownership of the object, then grant yourself further rights
WriteDACLAdd a new ACE to the object’s DACL directly
AllExtendedRightsIncludes rights like User-Force-Change-Password
ForceChangePasswordReset a user’s password without knowing the old one

Each of these is a stepping stone. WriteOwner doesn’t give you control immediately — it lets you become the owner, which then lets you grant yourself WriteDACL, which then lets you grant yourself GenericAll. Three hops, same outcome.

Mapping the graph

A typical BloodHound collection with SharpHound produces edges you can query directly in the graph UI, or via raw Cypher against the underlying Neo4j database:

MATCH p = (u:User)-[:MemberOf|GenericAll|GenericWrite|WriteOwner|WriteDacl|ForceChangePassword*1..]->(d:Domain)
WHERE u.name CONTAINS "SVC-"
RETURN p
LIMIT 25

This looks for any path from service accounts (often over-privileged and rarely rotated) to the domain object itself. In most mid-sized environments, at least one such path exists.

Tip

Don’t only look for paths to Domain Admins group membership. Paths to GPO objects linked to the Domain Controllers OU, or to a DC’s computer object, are just as valuable and often less monitored.

A representative chain

  1. EnumerateSharpHound -c All collects sessions, ACLs, group memberships, and trust data.
  2. Find the edge — BloodHound surfaces that SVC-Backup has GenericAll on the Domain Admins group.
  3. Abuse it — add a controlled principal to the group using standard LDAP writes, or reset a member’s password if the edge is ForceChangePassword instead.
  4. Validate — confirm group membership took effect (subject to Kerberos ticket refresh / logoff-logon for the new membership to appear in a token).
# Example: adding a principal to a group over LDAP, assuming GenericAll on the group object
Add-DomainGroupMember -Identity "Domain Admins" -Members "svc-backup" -Credential $cred
Warning

Group membership changes are logged (Event ID 4728/4732) and are a common, high-fidelity detection point. In an authorized engagement, always confirm the client’s monitoring expectations before making writes — some engagements score detection, not just successful compromise.

Detection and mitigation

  • Audit DACLs regularly. Tools like BloodHound aren’t just for attackers — running the same collection defensively surfaces the identical paths before someone else finds them.
  • Alert on sensitive group changes. Event IDs 4728, 4732, and 4756 cover additions to security-enabled groups; route these to your SIEM with tighter thresholds for privileged groups.
  • Remove stale delegations. Rights granted for a project years ago rarely get revoked. A periodic ACL review against a known-good baseline catches drift.
  • Tier your admin model. If Tier 0 assets (DCs, domain admins, ADCS) never accept credentials from lower tiers, most ACL abuse chains stop before reaching anything that matters.

The underlying lesson: ACL abuse isn’t a single vulnerability to patch, it’s a property of how delegation accumulates over time. Treating it as an ongoing hygiene problem, not a one-time fix, is what actually closes the paths.

IP resolving…