
If you run a Windows-based business in Orange County, there is one piece of technology that knows the username and password of every employee, controls access to every server, governs which printers each department can use, holds the encryption keys to your email, and ultimately decides who can touch what. Most CEOs have never thought about it directly. Most IT directors think about it constantly. And ransomware operators target it on Day 1 of nearly every attack.

That system is Active Directory. And in 2026, Microsoft Security’s threat intelligence team confirmed what most defenders already knew: in more than 78% of human-operated cyberattacks, threat actors successfully breach a domain controller. In more than 35% of cases, the domain controller itself becomes the primary device used to deploy ransomware across the network. The single most powerful management tool in a Windows environment is also the single most catastrophic point of failure when it isn’t properly secured.

This article does two things. First, it explains what Active Directory actually is and why it remains foundational to nearly every Windows-based business in Orange County. Second — and more importantly — it explains why most Active Directory environments are quietly more vulnerable than their owners realize, what attackers do once they’re in, and what real AD security looks like in 2026. Both halves matter. You can’t defend a system you don’t understand.

78% of human-operated cyberattacks successfully breach a domain controller (Microsoft)
35% of ransomware attacks use the domain controller itself as the primary spreader
62% of non-error breaches involve stolen credentials, brute force, or phishing (Varonis)
4 days median dwell time from initial compromise to ransomware encryption (Halcyon)

What Active Directory actually does

Active Directory Domain Services (AD DS) is Microsoft’s directory service — the system that stores information about every user, computer, group, printer, file share, and resource on your network, and that controls who can access what. When an employee in your Irvine office types their password into a Windows laptop in the morning, Active Directory is what verifies that password, checks which groups they belong to, and decides which network drives, applications, and printers they’re allowed to touch.

It does this through a hierarchical structure built from four building blocks. Domains are groups of objects (users, computers, devices) that share one AD database. Organizational units (OUs) sit inside domains and organize objects into logical containers — usually by department, location, or function. AD trees are multiple domains joined together in a logical hierarchy with shared trust relationships. AD forests are multiple trees grouped together, sharing schemas and configuration. Most small and mid-sized OC businesses operate with a single-domain forest. Larger organizations and ones built through acquisition often run multi-domain or multi-forest structures.
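Every object in that hierarchy is addressed by an LDAP distinguished name (DN), which encodes exactly the domain and OU nesting described above. The following parser is an added example, not code from the article or from Microsoft's tooling: it splits a DN into the object's own name, its OU path from the domain root downward, and the domain's DNS name, honouring the backslash escapes that names containing commas require. The sample names and the domain corp.example.com are constructed.

```python
# Added example (not from the article): map an LDAP distinguished name (DN) onto
# the Active Directory hierarchy described above. A DN lists the most specific
# component first (the object), then its OUs inside-out, then the DC= parts that
# spell the domain's DNS name. Sample names below are constructed.
from dataclasses import dataclass, field

@dataclass
class AdLocation:
    name: str                                      # the object's own relative name (CN)
    ou_path: list = field(default_factory=list)    # OUs from the domain root downward
    domain: str = ""                               # DNS name built from the DC= components

def split_rdns(dn: str) -> list:
    """Split a DN on commas, honouring RFC 4514 backslash escapes such as "\\,"."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())
    return parts

def parse_dn(dn: str) -> AdLocation:
    """Return the object name, its OU path (root first) and its domain."""
    name, ous, dcs = None, [], []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        attr = attr.strip().upper()
        if attr == "DC":
            dcs.append(value)
        elif attr == "OU":
            ous.append(value)
        elif name is None:                 # the first RDN names the object itself
            name = value
    # OUs appear innermost-first in the DN; reverse so the path reads root-down,
    # the order in which Group Policy links and delegated permissions are inherited.
    return AdLocation(name=name, ou_path=list(reversed(ous)), domain=".".join(dcs))

def in_ou_subtree(location: AdLocation, subtree: list) -> bool:
    """True if the object sits at or below the given OU path (root first)."""
    return location.ou_path[:len(subtree)] == subtree

if __name__ == "__main__":
    # Constructed example: a user whose CN contains an escaped comma.
    loc = parse_dn(r"CN=Doe\, Jane,OU=Finance,OU=Irvine,DC=corp,DC=example,DC=com")
    print(loc)                                # domain corp.example.com, OUs Irvine/Finance
    print(in_ou_subtree(loc, ["Irvine"]))     # True
```

The `in_ou_subtree` check is the building block for any policy stated in OU terms, such as "accounts under this OU receive this Group Policy" or "only objects under the admin OU may hold this delegation".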

The reason AD became — and remains — the backbone of Windows business environments is that it solves a fundamentally hard problem cleanly: how do you give thousands of users access to the right resources, enforce consistent security policies, and manage all of it from one place? The five operational benefits, briefly:

  • Centralized identity and access management. Every account, every group, every permission lives in one place. Add a new hire once, remove them once, and the change propagates everywhere.
  • Single sign-on (SSO). Users authenticate once in the morning and access every resource they’re authorized for without re-entering credentials. The productivity gain is enormous; the security implications, as we’ll see, are double-edged.
  • Group Policy management. Administrators push security settings, software configurations, user environment preferences, and compliance controls across thousands of machines from a central console. Group Policy is what makes consistent security at scale even possible.
  • Scalability and redundancy. AD supports environments from 25 users to 250,000. Multiple domain controllers automatically replicate, so the failure of one doesn’t bring down authentication.
  • Integration with the Microsoft ecosystem. Exchange, SharePoint, Teams, Azure, third-party apps that support SAML or LDAP — all of them lean on AD as the authentication source of truth.

None of this is controversial. It’s why AD has been the dominant enterprise directory service for over two decades. The problem isn’t the technology. The problem is what happens when the technology becomes the attacker’s target.

Why Active Directory is the #1 target attackers go after

Think about it from the attacker’s perspective. Ransomware operators are running a business. They optimize for the action that produces the most damage per hour of effort. And in a Windows environment, the answer to “what produces the most damage per hour” is consistently the same: compromise the domain controller.

Once an attacker controls a domain controller, the entire environment becomes theirs. They can dump the NTDS.dit file and extract password hashes for every user — including domain admins. They can create new privileged accounts that look legitimate. They can elevate the permissions of existing compromised accounts. They can authenticate as anyone, including the CEO, the CFO, and the IT director. They can push ransomware to every workstation in the company using the same management infrastructure your IT team uses for legitimate software deployment. They can disable the security tools designed to stop them.

This is why the Microsoft data is so striking. In 78% of human-operated attacks — meaning ransomware operators actively running the attack rather than fire-and-forget malware — the domain controller falls. In 35% of cases, the domain controller becomes the literal device that distributes the ransomware. And the median time from initial compromise to encryption is now down to four days, per Halcyon’s 2025 data. That’s how fast it moves once attackers are inside.

The dirty secret of the industry: most AD environments have been quietly accumulating misconfigurations, stale privileged accounts, weak service account passwords, excessive group memberships, and unmonitored privilege escalations for years. The IT team that set it up in 2014 is gone. The MSP that took over in 2019 made some changes. The new IT director hasn’t done a privilege audit. The result is an AD environment with a hundred small problems, any one of which can be the foothold an attacker leverages.

Red flag: If your IT team can’t tell you — today, in writing — how many users have domain admin rights, when each of those memberships was last reviewed, and whether service accounts are using rotated, complex passwords, your AD environment is more vulnerable than you think. The default state of an AD environment that “just runs” without active security review is, increasingly, the attacker’s ideal target.

The benefits you think you have vs. the reality in most environments

| The benefit AD is supposed to deliver | What most environments actually have | What “secured AD” looks like |
|---|---|---|
| Centralized identity | Hundreds of stale accounts, ex-employees still active, service accounts with admin rights | Quarterly access reviews, automated deprovisioning, least privilege as the default |
| Single sign-on | One credential compromise = access to everything | MFA enforced on every account, conditional access on every login |
| Group Policy | GPOs written in 2017, never audited, with security gaps in default templates | Hardened baselines, regular GPO audits, documented change management |
| Privileged access | 20+ accounts with domain admin rights, several inactive but still enabled | 2–3 dedicated admin accounts, separate from daily-use accounts, MFA + PAM |
| Monitoring | Event logs generated but nobody reviews them; alerts silent | 24/7 SOC monitoring of AD-specific signals (NTDS dumps, golden tickets, etc.) |
| Backups | DC backups on the same network as production DCs | Immutable, offline backups; restoration of AD from scratch documented and tested |
| Hybrid integration | On-prem AD synced to Entra ID/Microsoft 365 with default settings | Hardened hybrid identity, Entra ID Connect properly isolated, conditional access |
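The "centralized identity" and "privileged access" rows above, and the red-flag questions before them, reduce to a short list of checks that can be run over an export of user objects. The script below is an added example written for this article, not the firm's own tooling or anything from Microsoft: it takes records in the shape a `Get-ADUser` or LDAP export produces and flags standing admin accounts, admin accounts nobody has used, service accounts (accounts with an SPN) that hold admin rights or have stale passwords, and enabled ordinary accounts that look abandoned. The field names, the sample accounts, the domain corp.example.com and the day thresholds are all assumptions made for the example.

```python
# Added example (not from the article): a privileged-account audit over a
# constructed export of user objects, the shape a Get-ADUser or LDAP export
# produces. Field names, sample accounts and thresholds are assumptions made
# for this example; the thresholds are illustrative policy values.
from datetime import date

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
TODAY = date(2026, 3, 1)          # fixed "today" so the example is deterministic
STALE_PRIV_DAYS = 90              # privileged account unused this long -> finding
STALE_USER_DAYS = 180             # ordinary account unused this long -> finding
SVC_PWD_MAX_DAYS = 365            # service-account password older than this -> finding
MAX_PRIVILEGED = 3                # the "2-3 dedicated admin accounts" target

def group_cn(dn: str) -> str:
    """CN of a group DN (first RDN value); enough for group names without commas."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def days_since(d):
    return None if d is None else (TODAY - d).days

def audit(users):
    """Classify enabled accounts the way a quarterly access review would."""
    f = {"privileged": [], "stale_privileged": [], "privileged_with_spn": [],
         "service_pwd_old": [], "stale_enabled": []}
    for u in users:
        if not u["enabled"]:
            continue                                   # disabled accounts cannot log on
        # Direct memberships only. A real review must also resolve nested groups
        # (e.g. Get-ADGroupMember -Recursive); admin rights hide in groups of groups.
        groups = {group_cn(g) for g in u["memberOf"]}
        privileged = bool(groups & PRIVILEGED_GROUPS)
        idle, pwd_age = days_since(u["lastLogonDate"]), days_since(u["pwdLastSet"])
        if privileged:
            f["privileged"].append(u["sam"])
            if idle is None or idle > STALE_PRIV_DAYS:
                f["stale_privileged"].append(u["sam"])
            if u["servicePrincipalName"]:              # admin rights on a service account
                f["privileged_with_spn"].append(u["sam"])
        elif idle is None or idle > STALE_USER_DAYS:   # likely an ex-employee still enabled
            f["stale_enabled"].append(u["sam"])
        if u["servicePrincipalName"] and (pwd_age is None or pwd_age > SVC_PWD_MAX_DAYS):
            f["service_pwd_old"].append(u["sam"])
    return f

def too_many_admins(findings) -> bool:
    """True when standing privileged accounts exceed the agreed maximum."""
    return len(findings["privileged"]) > MAX_PRIVILEGED

DOMAIN = "DC=corp,DC=example,DC=com"                    # constructed domain
def user(sam, enabled, groups, last_logon, pwd_set, spns=()):
    return {"sam": sam, "enabled": enabled, "lastLogonDate": last_logon, "pwdLastSet": pwd_set,
            "memberOf": [f"CN={g},CN=Users,{DOMAIN}" for g in groups],
            "servicePrincipalName": list(spns)}

SAMPLE_USERS = [   # constructed records, not real accounts
    user("jdoe",           True,  ["Domain Users"],  date(2026, 2, 27), date(2025, 12, 1)),
    user("adm-kwong",      True,  ["Domain Admins"], date(2026, 2, 28), date(2026, 1, 15)),
    user("it-admin-old",   True,  ["Domain Admins"], date(2024, 6, 10), date(2023, 9, 2)),
    user("svc_sql",        True,  ["Domain Admins"], date(2026, 2, 28), date(2019, 3, 4),
         spns=["MSSQLSvc/sql01.corp.example.com:1433"]),
    user("mjones",         True,  ["Domain Users"],  date(2025, 5, 2),  date(2025, 4, 30)),
    user("old-contractor", False, ["Domain Users"],  None,              date(2022, 1, 10)),
]

if __name__ == "__main__":
    result = audit(SAMPLE_USERS)
    for kind, names in result.items():
        print(f"{kind:22s} {names}")
    print("too many standing admins:", too_many_admins(result))
```

Run against the constructed data it reports one unused domain admin, one service account that is both a domain admin and has a seven-year-old password, and one enabled account nobody has used in months; those are the three lines a CEO should be able to get from the IT team in writing. The direct-membership shortcut is the one place the example is weaker than a real review: nested groups and the primary group must be resolved too.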

The Azure AD / Entra ID question (it doesn’t replace on-prem AD)

One of the most common misconceptions in OC IT conversations: “We use Microsoft 365, so we’re on Entra ID now — we don’t need on-prem Active Directory anymore.” This is usually wrong, and the confusion is dangerous because it causes leaders to under-invest in on-prem AD security on the assumption that Microsoft 365 has somehow absorbed it.

Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based identity service that handles authentication for Microsoft 365, Azure resources, and third-party SaaS applications that support modern authentication protocols. It is genuinely useful — and for some smaller, fully cloud-native businesses, it’s all they need. But for the vast majority of OC businesses with any on-premises infrastructure — file servers, line-of-business applications, domain-joined workstations, on-prem printers, ERP systems, manufacturing OT, healthcare practice management software — the on-prem Active Directory is still doing the load-bearing work. Entra ID extends AD into the cloud. It does not replace it.

The hybrid configuration most OC businesses run — on-prem AD plus Entra ID synchronized through Microsoft Entra Connect — actually expands the attack surface rather than shrinking it. Now an attacker who compromises on-prem AD can potentially pivot into the cloud tenant, and vice versa. Securing one without securing the other is not security. It’s the illusion of it.

What real Active Directory security looks like in 2026

The attacker techniques are well-documented and largely automated. Kerberoasting, pass-the-hash, golden ticket attacks, DCSync, BloodHound mapping, NTDS extraction — these aren’t exotic. They’re standard plays in the attacker handbook, and the defenses against them are equally well-understood. A serious AD security program in 2026 includes, at minimum:

  • Tier 0 / Tier 1 / Tier 2 admin separation. Domain admins should never use their privileged accounts for email, browsing, or daily work. Separate accounts for separate purposes, with separate workstations where possible.
  • MFA enforced on every account, including service accounts where supported. The 62% of breaches that involve stolen credentials become dramatically harder when stolen credentials alone don’t grant access.
  • Privileged Access Management (PAM). Just-in-time elevation for admin tasks. No standing domain admin rights. Approval workflows for sensitive operations.
  • 24/7 monitoring of AD-specific signals. NTDS.dit access events, suspicious authentication patterns, group membership changes, Kerberos anomalies. These are the indicators of an attack in progress, and they need a human reviewing them in real time.
  • Hardened Group Policy baselines. CIS benchmarks, Microsoft security baselines, regular audits to detect drift from approved configurations.
  • Immutable, offline AD backups. Documented restoration procedures tested at least quarterly. If your DC backups are on the same network as your DCs, they will be encrypted with everything else.
  • Quarterly access reviews. Who has domain admin rights, who has access to sensitive OUs, which service accounts have excessive permissions. The list should shrink, not grow.
  • Integration with EDR and a real SOC. AD signals correlated with endpoint behavior. Microsoft Defender for Identity is one option among several — what matters is that something is watching, and that something is a person, not just a dashboard.
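The monitoring bullet above names the signals; the block below shows what a first-pass detection of them looks like in code. It is an added example for this article, not a product rule set or anything from Microsoft Defender for Identity: it runs over constructed Windows Security events (field names follow the Security log: EventID, SubjectUserName, Properties, TargetUserName, ServiceName, TicketEncryptionType, ObjectName, ProcessName) and raises an alert for directory-replication rights exercised by a non-domain-controller account, a member added to a privileged group, NTDS.dit read by anything other than lsass, and a burst of RC4 service-ticket requests from one account. The domain-controller names, accounts, services and timestamps are invented; the NTDS.dit check assumes an audit SACL is set on the NTDS folder so 4663 events are produced at all.

```python
# Added example (not from the article): detection logic for the AD-specific
# signals listed above, run over constructed Windows Security events. Field
# names follow the Security log; account, host and service names are invented.
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access rights that allow pulling password data through directory
# replication. A 4662 carrying either of them from a non-DC account is a
# replication request no ordinary user or admin workstation should ever make.
REPLICATION_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
                     "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}   # DS-Replication-Get-Changes-All
DC_ACCOUNTS = {"DC01$", "DC02$"}          # assumed names of the domain controllers
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
RC4_ETYPE = "0x17"                        # RC4-HMAC service tickets (4769 TicketEncryptionType)
BURST_SERVICES, BURST_WINDOW = 5, timedelta(minutes=10)

def detect(events):
    """Return (signal, detail) alerts. Replication, group-change and file-read
    checks are per event; the RC4 ticket burst needs the whole window."""
    alerts, rc4_requests = [], defaultdict(list)
    for e in events:
        eid = e["EventID"]
        if eid == 4662 and e["SubjectUserName"] not in DC_ACCOUNTS \
                and any(g in e["Properties"].lower() for g in REPLICATION_GUIDS):
            alerts.append(("directory_replication_by_non_dc", e["SubjectUserName"]))
        elif eid in (4728, 4732, 4756) and e["TargetUserName"] in PRIVILEGED_GROUPS:
            # 4728/4732/4756: member added to a global/local/universal security group
            alerts.append(("privileged_group_member_added",
                           f'{e["MemberName"]} -> {e["TargetUserName"]} by {e["SubjectUserName"]}'))
        elif eid == 4663 and e["ObjectName"].lower().endswith("\\ntds.dit") \
                and not e["ProcessName"].lower().endswith("\\lsass.exe"):
            # requires a SACL on the NTDS folder; lsass is the only legitimate reader
            alerts.append(("ntds_dit_read_by_unexpected_process", e["ProcessName"]))
        elif eid == 4769 and e["TicketEncryptionType"] == RC4_ETYPE:
            rc4_requests[e["TargetUserName"]].append((e["Time"], e["ServiceName"]))
    # One account requesting RC4 tickets for many distinct services in a short
    # window is the footprint of Kerberoasting; moving service accounts to
    # AES-only removes the RC4 signal (and the weak tickets) entirely.
    for account, reqs in rc4_requests.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - start <= BURST_WINDOW}
            if len(services) >= BURST_SERVICES:
                alerts.append(("rc4_service_ticket_burst", f"{account}: {len(services)} services"))
                break
    return alerts

def T(hhmmss):                            # constructed timestamps, all on one day
    return datetime(2026, 3, 1, *map(int, hhmmss.split(":")))

def tgs(time, account, service, etype=RC4_ETYPE):
    return {"EventID": 4769, "Time": T(time), "TargetUserName": account,
            "ServiceName": service, "TicketEncryptionType": etype}

SAMPLE_EVENTS = [   # constructed, not captured from a real domain
    *[tgs(f"09:00:{s:02d}", "jdoe@CORP.EXAMPLE.COM", svc) for s, svc in
      enumerate(["svc_sql", "svc_web", "svc_backup", "svc_print", "svc_erp", "svc_sp"])],
    tgs("09:05:00", "mjones@CORP.EXAMPLE.COM", "svc_sql", etype="0x12"),   # AES, ignored
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},              # normal DC-to-DC
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},              # alert
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc_backup,OU=Service,DC=corp,DC=example,DC=com"},  # alert
    {"EventID": 4663, "ObjectName": r"C:\Windows\NTDS\ntds.dit",
     "ProcessName": r"C:\Windows\System32\lsass.exe"},                     # normal
    {"EventID": 4663, "ObjectName": r"C:\Windows\NTDS\ntds.dit",
     "ProcessName": r"C:\Users\jdoe\copy.exe"},                             # alert
]

if __name__ == "__main__":
    for signal, detail in detect(SAMPLE_EVENTS):
        print(f"ALERT {signal}: {detail}")
```

Each of these four rules is cheap to run and produces almost no noise in a healthy domain, which is exactly why the bullet insists on a person reviewing them: an alert here is not a statistic to trend, it is a page-out.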

None of this is exotic. It is, however, almost never the work that a stretched internal IT team or a generalist MSP gets around to doing alongside the help desk tickets. Real cybersecurity for Orange County businesses requires a partner whose AD security work is a documented practice — not an upsell when something goes wrong.

Key takeaway: Active Directory’s strengths — centralization, scalability, single sign-on, deep integration — are also exactly what makes it the most valuable target in your environment. The benefits are real and necessary. The security work to make those benefits durable is the part most OC businesses have skipped. Doing AD without doing AD security is the equivalent of installing every smart lock in your house, then leaving the master key under the doormat.

The honest version

Active Directory is genuinely one of the great enterprise software achievements of the last 25 years. It’s why thousands of Orange County businesses can run efficiently with a single IT team managing hundreds of users across multiple sites. The benefits — centralized identity, SSO, group policy, scalable management, ecosystem integration — are not marketing fluff. They are the actual reason businesses run on Windows.

But the same properties that make AD powerful make it catastrophic when compromised. The Microsoft data is unambiguous: in nearly four out of five human-operated cyberattacks, the domain controller falls. In one out of three, it becomes the literal weapon. And the median time from initial foothold to ransomware encryption is now four days. The traditional model of “we set up AD and it just runs” doesn’t survive the 2026 threat environment.

The fix isn’t to abandon AD. It’s to actually secure it — with privileged access controls, monitoring, hardened policies, tested backups, and a real managed IT and security partner who treats Active Directory as the crown jewel it actually is. Anything less is hoping the attackers don’t notice. They have.

Is Your Active Directory Actually Secure?

Most AD environments have misconfigurations that go undetected for months — and attackers know exactly where to look. Intelecis has been hardening Active Directory environments for Orange County businesses since 2010. NSA-Accredited, with documented experience across healthcare, defense, legal, accounting, and manufacturing environments. Book a free IT security assessment and we’ll show you, in writing, exactly where your AD stands.
