Active Directory (AD) provides directory-based, identity-related services to the enterprise. This includes handling user accounts and passwords, along with assignment and enforcement of security and group policies.
Active Directory allows for delegations, assigning certain administrative rights -- such as the right to reset user passwords or to create or modify groups -- to regular users. Delegations can be hard to report or remove, so it's easy to forget or to overlook delegated authority once it's given. Delegations assigned to malicious users can expose the business to serious risks. Review them often.
Perform a careful assessment of all delegations on each domain and organizational unit (OU) to secure Active Directory. Identify each delegation, consider its implications and remove it if it is questionable, unnecessary or inappropriate. This need not block day-to-day operations; for example, let a user reset a password, then simply remove their AD delegation after the reset.
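The review described above is easiest to do with a script rather than by clicking through the Delegation of Control wizard. The following PowerShell is an added example, not code from the original article: it walks the domain root and every OU, keeps only explicit (non-inherited) Allow entries that are not held by the built-in administrative principals, and flags the two delegations the article names (password reset and group-membership changes) plus full control. The schema GUIDs for the "Reset Password" extended right and the group "member" attribute are the well-known constants; the list of expected principals and the helper `Remove-FlaggedDelegation` are assumptions you would adapt to your own environment.

```powershell
# Added example (not from the original article): enumerate and, on request,
# remove explicit AD delegations on the domain root and every OU.
Import-Module ActiveDirectory

# Well-known schema GUIDs (constant across forests)
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$MemberAttribute    = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # "member" attribute of group

# Principals whose entries are expected on every container (assumed list; adjust for your domain)
$ExpectedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                        'Domain Admins', 'Enterprise Admins', 'Account Operators')

function Get-OuDelegation {
    $domain = Get-ADDomain
    $containers = @($domain.DistinguishedName) +
        (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $containers) {
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            # Inherited entries come from a parent; review them where they are defined
            if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if ($ExpectedPrincipals | Where-Object { $id -like "*$_" }) { continue }

            $rights = $ace.ActiveDirectoryRights
            $what = $null
            if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
                $what = 'Full control'
            } elseif ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                      ($ace.ObjectType -eq $ResetPasswordRight -or $ace.ObjectType -eq [guid]::Empty)) {
                # Empty ObjectType means "all extended rights", which includes password reset
                $what = 'Reset password'
            } elseif ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
                      ($ace.ObjectType -eq $MemberAttribute -or $ace.ObjectType -eq [guid]::Empty)) {
                # Empty ObjectType means "all properties", which includes group membership
                $what = 'Modify group membership'
            }

            if ($what) {
                [pscustomobject]@{
                    Container  = $dn
                    Principal  = $id
                    Delegation = $what
                    Rights     = $rights
                    AppliesTo  = $ace.InheritanceType
                    Ace        = $ace   # kept so the entry can be removed precisely
                }
            }
        }
    }
}

# Removes one flagged entry, e.g. after a one-off password reset is done.
# Hypothetical helper; run only after the delegation has been judged unnecessary.
function Remove-FlaggedDelegation {
    param([Parameter(Mandatory)] $Finding)
    $acl = Get-Acl -Path "AD:\$($Finding.Container)"
    if ($acl.RemoveAccessRule($Finding.Ace)) {
        Set-Acl -Path "AD:\$($Finding.Container)" -AclObject $acl
        Write-Host "Removed '$($Finding.Delegation)' for $($Finding.Principal) on $($Finding.Container)"
    } else {
        Write-Warning "No matching ACE found on $($Finding.Container)"
    }
}

# Report: one row per delegated right, per principal, per container
$findings = Get-OuDelegation
$findings | Sort-Object Container, Principal |
    Format-Table Container, Principal, Delegation, AppliesTo -AutoSize

# Example of the remove step from the article (after the reset is done):
# $findings | Where-Object { $_.Principal -like '*\helpdesk-temp' -and $_.Delegation -eq 'Reset password' } |
#     ForEach-Object { Remove-FlaggedDelegation -Finding $_ }
```

Run it as a domain user with read access to the directory; only the removal helper needs write permission on the container. Schedule the report and diff successive runs, since a delegation that appears between two runs is exactly the kind that is otherwise forgotten.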
The release of Windows Server 2016 includes several updates for securing Active Directory. Privileged access management (PAM) adds security provisions so organizations can limit privileged access within the AD environment. PAM adds a bastion AD forest for privileged isolation, new workflows to request and approve privileges, privilege expirations and new monitoring features.