Reference: Remediation resources
Before making any changes to Active Directory, be sure that you understand the potential repercussions.
As a best practice, changes to Active Directory should be tested in a lab or staging environment before you make the change in a production environment.
Failure to adequately test changes before implementing them in production can cause loss of control of, or access to, business critical assets.
Use the data that you gather from Impact to identify the users, groups, and endpoints with the highest potential impact in your organization, considering the following guidelines:
- Analyze both inbound and outbound potential lateral movement:
  - An asset with a high potential inbound impact might be easily compromised because of the variety of paths that can be used to reach it. Examine any business critical assets with a high inbound impact to determine where access can be reduced.
  - An asset with a high potential outbound impact can be used to compromise other assets in your environment. Examine any assets with a high outbound impact and minimize their access to other assets where possible.
- A complex Shortest Path to a business critical asset does not mean that the asset is safe from attack. Attackers routinely automate path traversal, so a long or complex path is traversed as quickly as a short one once the first hop is compromised.
- Users with a high potential outbound impact are one successful phishing attack away from giving an attacker a route to every asset over which they have administrative control. Limit users to the administrative access that they need to perform their work.
Where possible, reduce privileges to implement a least-privilege model for your Active Directory environment. For more information, see Microsoft: Implementing Least-Privilege Administrative Models.
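The following Python script is an added example and is not part of this page or of the product's Impact feature. It performs the analysis that the guidelines above describe on a small constructed graph of hypothetical Active Directory control relationships (group membership, local admin rights, cached sessions): it computes inbound and outbound impact as reachability counts, ranks the principals, finds the shortest path to a business critical asset, and re-runs the calculation with one relationship removed to show how much a single remediation shrinks the exposure. All node names and edges are invented.

```python
"""Added example: inbound/outbound impact analysis over a constructed AD control graph."""
from collections import defaultdict, deque

# Constructed sample (hypothetical names). Each edge (src, dst) means
# "src can take control of dst": group membership, local admin rights, or a
# session whose credentials can be harvested from the host.
SAMPLE_EDGES = [
    ("alice", "HelpDesk"),           # alice is a member of HelpDesk
    ("bob", "HelpDesk"),
    ("HelpDesk", "WS01"),            # HelpDesk has local admin on WS01, WS02
    ("HelpDesk", "WS02"),
    ("WS01", "svc_backup"),          # svc_backup has a session on WS01
    ("svc_backup", "SRV-FILE01"),    # svc_backup is local admin on SRV-FILE01
    ("SRV-FILE01", "it_admin"),      # it_admin has a session on SRV-FILE01
    ("it_admin", "Domain Admins"),   # it_admin is a Domain Admin
    ("Domain Admins", "DC01"),
    ("carol", "DC01"),               # carol has direct admin rights on DC01
]


def build_graph(edges):
    """Return (forward, reverse) adjacency maps; every endpoint becomes a node."""
    forward, reverse = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        forward[src].add(dst)
        reverse[dst].add(src)
        forward.setdefault(dst, set())
        reverse.setdefault(src, set())
    return forward, reverse


def reachable(adj, start):
    """Breadth-first set of nodes reachable from start (start itself excluded)."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def outbound_impact(edges):
    """Number of assets each principal can eventually control (outbound impact)."""
    forward, _ = build_graph(edges)
    return {node: len(reachable(forward, node)) for node in list(forward)}


def inbound_impact(edges):
    """Number of principals that can eventually control each asset (inbound impact)."""
    _, reverse = build_graph(edges)
    return {node: len(reachable(reverse, node)) for node in list(reverse)}


def top_n(impact, n=3):
    """Highest-impact nodes first; ties broken by name for stable output."""
    return sorted(impact.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def shortest_path(edges, src, dst):
    """BFS shortest control path from src to dst as a node list, or None."""
    forward, _ = build_graph(edges)
    parent, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in forward[node]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    print("Top outbound:", top_n(outbound_impact(SAMPLE_EDGES)))
    print("Top inbound :", top_n(inbound_impact(SAMPLE_EDGES)))
    # A seven-hop path is still a path: BFS finds it instantly.
    print("alice -> DC01:", " -> ".join(shortest_path(SAMPLE_EDGES, "alice", "DC01")))
    # What-if remediation: stop svc_backup from leaving a session on WS01.
    trimmed = [e for e in SAMPLE_EDGES if e != ("WS01", "svc_backup")]
    print("DC01 inbound before/after:",
          inbound_impact(SAMPLE_EDGES)["DC01"], inbound_impact(trimmed)["DC01"])
```

The what-if step at the end is the part to keep running as you remediate: removing one cached session cuts the number of principals that can reach the domain controller from nine to five and drops the help-desk users' outbound impact from eight assets to three, which is the kind of evidence worth collecting before a change goes to staging.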
Last updated: 9/16/2020 2:33 PM