
Active Directory (2026): What It Is, What’s New, and the Must-Know Updates to Keep Your Business Safe

Shireen Stephenson | Published August 22, 2024 | Updated February 11, 2026
Key takeaways: 2026 Active Directory (AD) guide
  • Active Directory powers 90% of enterprise networks but is a prime target for nation-state ransomware gangs. 
  • What’s new for AD: RC4 deprecation + AES SHA-1 default, Entra Connect upgrade, MIM sunset (2029), SyncJacking block 
  • While Entra Connect remains a staple for hybrid setups, the word on the street is Microsoft is leaning hard into Entra Cloud Sync. 
  • Kerberos is the heart of AD authentication, but it’s a magnet for attacks like kerberoasting, Golden Tickets, and DCSync. 
  • The complete security stack for Active Directory security is the Enterprise Access Model + PIM/PAM for just-in-time (JIT) privileged access + LastPass to block credential-based attacks
  • Have a hybrid environment? The traditional advice is to layer Entra PIM atop MIM PAM but as MIM end-of-support looms (2029), Entra Cloud Sync is emerging as the natural successor. 

Did you know? Active Directory powers SSO and access control for apps, users, and devices in over 90% of Fortune 1000 companies. 

And if you’re reading this, there’s a strong chance it’s the backbone of your small business too.  

Here's what most of your peers don’t realize: The same tech managing employee logins, file permissions, and app access is also the #1 target of nation state actors. 

And in 2024, we saw exactly why. 

Why is Active Directory such a popular target for attackers? 

The answer is simple: weak AD password security enables privileged access to all resources within a business ecosystem. 

Which makes it the perfect target for ransomware

In 2024, the Change Healthcare attack became the most expensive in U.S. history, with the total cyberattack impact between $2.3 billion and $2.45 billion.  

This included $22 million Change reportedly paid the Russian ransomware group ALPHV BlackCat – in exchange for a promise to destroy the stolen healthcare data.  

All to no avail: BlackCat absconded with all the money instead of paying their affiliates, and the stolen patient data was offered for sale by a competing ransomware affiliate group called RansomHub. 

The attack’s entry point? A Citrix remote access server without multi-factor authentication.

Once inside, the attackers pivoted to Active Directory, escalated privileges, and unleashed ransomware that crippled healthcare operations nationwide for months. 

According to the American Hospital Association, many hospitals were forced to take out private loans for care team salaries, medication, supplies, and critical physical security, dietary, and environmental services. 

If you’re running a small business, you may be thinking, “We’re not Change Healthcare. We don’t process billions of transactions. Why would attackers target us?” 

That’s exactly what attackers hope you think.  

And the data bears this out:  

If you use Active Directory, this is your roadmap to understanding how combining the Microsoft Enterprise Access Model with PIM (privileged identity management), PAM (privileged access management), and MFA plays a critical role in protecting your business.

What is Active Directory (AD)? 

Definition and purpose of Active Directory 

Active Directory (AD) is Microsoft’s directory service for domain networks.  

Basically, it’s a central platform for authenticating users and authorizing their access to network resources such as user accounts, devices, applications, and services.

Microsoft premiered AD in 1999 with its Windows 2000 Server edition as an on-prem identity and access management service for businesses.    

Originally, AD was based on the rather complex, resource-intensive X.500 standard.  

In 1993, however, the International Telecommunication Union (ITU) created a “lightweight” version of X.500 called LDAP (Lightweight Directory Access Protocol). 

Unlike X.500, LDAP is based on the TCP/IP protocol. This means LDAP uses the TCP transport protocol to provide directory services over IP networks. 

For example, you can make LDAP queries in AD to find the location of a server or the email address of a department manager.   

LDAP is just one way to connect to Active Directory.  

Other protocols you can use include Kerberos and encrypted LDAP (LDAPS). Some legacy networks may still use NTLM, although this isn’t recommended. 

In 2026, Microsoft is recommending a structured, phased approach to disabling NTLM authentication altogether. 

Here's why: Not only does NTLM not support MFA, it’s also susceptible to pass-the-hash attacks, which exploit a weakness in NTLM versions 1 and 2. 

In Active Directory networks that use NTLM, passwords are stored as NTLM hashes and accepted as valid authentication tokens.  

If an attacker manages to steal those password hashes, they can authenticate without cracking those hashes (uncovering their clear text versions). 

To secure Active Directory properly, it’s important to understand its architecture. 

What are the key components of Active Directory? 

The key components of Active Directory include domains, organizational units (OU), objects, domain controllers, group policy objects (GPO), and the forest (top-level container).  

For newbies: If you’re setting up Active Directory for the first time: 

For a hybrid setup

  • You’ll need Windows Server to run your on-prem AD DS (Active Directory Domain Services).  
  • Head to the Windows Server Evaluation Center to test before you purchase. 
  • If your business ecosystem includes SaaS apps, Microsoft 365 provides access to Entra ID (formerly Azure AD) for cloud identity management. 
  • To sync both your on-prem AD DS and cloud Entra ID, you’ll need Microsoft Entra Connect (formerly Azure AD Connect).  
  • New for 2026 and beyond: While Entra Connect is still required for many hybrid setups, Microsoft’s own documentation explicitly states that Entra Cloud Sync will be the future for hybrid identity sync. 

For cloud setup

  • If you’re an online-only business, you only need Entra ID. 

Active Directory uses a hierarchical structure to organize information. Its key components include: 

  • Active Directory Domain Services (AD DS): This is the main component in AD that organizes network elements into a hierarchical structure. AD DS manages communications between users and domains, including logins and directory searches. 
  • Objects: These are basic units in AD, such as users, devices, and applications. Access control lists (ACL) are stored with objects, allowing you to manage permissions efficiently. Group policy objects (GPO) are specific types of objects that contain configuration settings. 
  • Containers: These are objects that can hold other objects like domains and Organizational Units (OU). 
  • Domain: Many people are curious about the link between a domain and Active Directory, prompting them to ask, “What is Active Directory versus a domain?” In AD, a domain is a collection of objects that share the same AD database. Domains are connected by “trusts.” 

A parent domain can have one or more child domains. Child domains inherit the namespace of the parent domain.

For example, a parent domain like “google.com” can have child domains like “sales.google.com” and “hr.google.com.”

 

Meanwhile, an AD domain controller processes authentication requests and controls access to AD resources. Domain controllers are Tier 0 assets, the most highly privileged assets in AD, and a key target of attackers. 

  • Trees: Multiple domains form a tree, and multiple trees form a forest. 
  • Forest: An AD Forest consists of multiple trees that share a common schema, root (configuration), and global catalog. Forests are the top-level containers in AD, providing a security framework for multiple trees across geographical boundaries.  

For example, a multinational soda beverage corporation sets up a forest with trees in North America, Europe, Asia, and Africa.  

 

Trust relationships are established between trees so that users in Africa can access resources in Asia, North America, and Europe. The hierarchy would look like this: 

Forest root domain: global.sodacorp.com

Tree #1: North America
  Parent domain: na.sodacorp.com
  Child domains: us.na.sodacorp.com, ca.na.sodacorp.com, mx.na.sodacorp.com

Tree #2: Europe
  Parent domain: eu.sodacorp.com
  Child domains: uk.eu.sodacorp.com, fr.eu.sodacorp.com, swe.eu.sodacorp.com

Tree #3: Asia
  Parent domain: as.sodacorp.com
  Child domains: jp.as.sodacorp.com, in.as.sodacorp.com, cn.as.sodacorp.com

Tree #4: Africa
  Parent domain: af.sodacorp.com
  Child domains: gh.af.sodacorp.com, eg.af.sodacorp.com, sa.af.sodacorp.com

  • Organizational Units (OU): These are containers within a domain that hold users, devices, and groups. An OU exists within a single domain, unlike a forest, which can contain multiple domains.

OUs are the smallest containers in AD. They make it easier to manage objects and apply group policies within one domain.  

 

For example, the above soda corporation might create OUs for the HR, sales, marketing, and IT departments in countries like Canada, France, Japan, or South Africa, each having their own policies for managing users and resources.  

  • Schema: This is the blueprint for data storage. Schema defines every object and attribute that can be stored in AD. 
  • Global Catalog (GC): This is a catalog of all objects in a forest. You can perform forest-wide searches using the Global Catalog.

What are the benefits of using Active Directory (AD)? 

AD centralizes user access controls across your Windows network and offers seven (7) key benefits: 

  1. Enhanced security and access control: AD enables role-based access control (RBAC) according to least privilege principles. Meanwhile, new security enhancements to the authentication protocols Kerberos and LDAP provide strong data confidentiality.
  2. High availability and redundancy: AD’s backup and recovery features protect against data loss, ensuring business continuity in the event of a breach.
  3. Scalability: AD’s forest, domain, and organizational unit structure supports the addition of more users as your organization grows.
  4. Group policy management: AD administrators can use Group Policy Objects (GPO) to securely manage security and policy settings for all users in AD.
  5. Centralized management: AD provides a single interface for managing users, devices, and resources. This greatly reduces administrative burdens.
  6. Hybrid identity management and federated SSO: Microsoft Entra Connect integrates on-premises AD with cloud-based Entra ID to enable hybrid identity management and federated SSO.
  7. Integration with other popular Microsoft services: AD integrates with other products in the Microsoft ecosystem, such as Microsoft 365, SharePoint, and Exchange.  

However, and this is critical, these benefits become liabilities without the proper security architecture.

In other words, centralized authentication = centralized vulnerability. 

This is exactly why Microsoft developed the Enterprise Access Model as a tiered model for securing privileged access in AD. 

How Active Directory (AD) works 

How does the Kerberos authentication and authorization process work in Active Directory? 

AD uses the Kerberos protocol to authenticate users. Kerberos is a ticket-based authentication system that verifies user identities without transmitting passwords across the network. 

The protocol, named after Cerberus, the three-headed canine who guarded the gates of Hades, consists of three (3) elements: 

  • The client (the principal or identity you use to log on to Kerberos) 
  • The resource (the asset or service the client wants to reach) 
  • The Key Distribution Center (KDC) 

And the KDC is made up of three (3) elements (notice the pattern of “3’s”?): 

  • Kerberos database. Here, you’ll find information about users and the systems and services they can authenticate to. 
  • Kerberos Authentication Server (AS). Principals use this Kerberos service to get a ticket-granting ticket (TGT) for authentication, also known as an authentication ticket. 
  • Kerberos Ticket Granting Server (TGS). This Kerberos service accepts the TGT so that clients can access their resources. 

Here's how the Kerberos authentication and authorization process works

  • When a user (let’s call him Odysseus to keep the Greek mythology theme) joins the network, his system sends an authentication request to the KDC (Kerberos Authentication Server).
  • Upon verification of his credentials, the KDC Authentication Server issues a Ticket Granting Ticket (TGT) to Odysseus’ machine.  
  • This encrypted TGT proves Odysseus has authenticated successfully. He can now use this TGT to request access to the desired network resource. 
  • So, his workstation sends the TGT to the domain controller’s Ticket Granting Server (TGS). This is Odysseus’ Ticket Granting Server Request. 
  • If everything checks out, the TGS validates the TGT and issues a Service Ticket (yes, another ticket), a session key, and the name of the service to which access has been granted. 
  • Now, Odysseus can send an Application Server Request to the application server he’s trying to reach. 
  • In response, he gets an Application Server Reply granting access to the requested resource (finally). 

This terribly complicated process is apparently the most secure way to ensure only legitimate users can access resources. 

But as secure as Kerberos is, decades of probing have birthed ever more creative attacks, as you’ll see below. 

What are the top Active Directory attack techniques in 2026? 

The top Active Directory attack techniques in 2026 are kerberoasting, AS-REP roasting, Golden Tickets, SyncJacking, DCSync attacks, Silver Tickets, and GPO attacks. 

  • Kerberoasting. This is where attackers steal password hashes and then crack them to gain elevated privileges. 
  • AS-REP Roasting. Here, attackers target service accounts that don’t require Kerberos pre-authentication. First, they send a request to the Authentication Server and wait for the Authentication Server Reply ticket, which contains the password hash. Then, they use password cracking tools to uncover the cleartext password.  
  • Golden Tickets. In this attack, threat actors forge unlimited-access Kerberos tickets to escalate privileges and make lateral movements. A successful Golden Ticket signifies the complete compromise of an AD domain. 
  • SyncJacking. This is a privilege escalation vulnerability that could allow attackers to exploit “hard matching” and take over any synchronized Entra ID account, including Global Admin accounts. 

Microsoft has already announced platform-level security hardening in Entra Connect. So, you’ll want to upgrade to Entra Connect version 2.5.79.0 by September 30, 2026, to avoid synchronization failures. 

  • DCSync attacks. This lets attackers impersonate a domain controller and retrieve all password hashes and objects such as the KRBTGT (Kerberos Ticket-Granting-Ticket) account. With the KRBTGT, they can do almost anything, including forging their own TGTs. Once they can DCSync, they can almost always create Golden Tickets at will to get unlimited, long-term access. 
  • Silver Tickets. This is another forged authentication ticket attack, which provides more limited access than Golden Tickets. 
  • GPO (Group Policy Objects) attacks. Groups like LockBit and BlackCat abuse GPO access to deploy ransomware, disable security software, and create backdoors. And as Microsoft ends support for Advanced Group Policy Management (AGPM) in April 2026, businesses will become more vulnerable to GPO-based attacks.

This is why Microsoft’s tiered Enterprise Access Model is critical: It ensures admin credentials from higher tiers (Tier 0) are never exposed to lower-tier systems where they can be stolen. 

According to Microsoft, 98% of customers hit by cyberattacks had “no privilege isolation in Active Directory via a tiered model.” 

Essentially, the tiered model is what makes the security measures we discuss below, like PIM, PAM, and MFA effective. 

What are the best practices for Active Directory security? 

The best practices for Active Directory security are strong password policies, RBAC, PAM, PIM, and continuous monitoring. 

Strong password policies 

A strong password policy can stop credential stealing and brute-force attacks in their tracks. To that end, you’ll want to:

  • Follow NIST recommendations in SP 800-63B to implement a strong password policy in AD. Prioritize length: passwords should be at least 15 characters.
  • Configure a fine-grained password policy in AD with this step-by-step Microsoft guide.
  • Configure an account lock-out policy after several failed login attempts. 
  • Use Group Managed Service Accounts (gMSA) that automatically rotate passwords to 120-character random values. 
  • To prevent Golden Ticket attacks, change the KRBTGT password every 12 months, or when the domain has been compromised or suspected to have been compromised. 

Role-based access control (RBAC) 

Role-based access control (RBAC) assigns permissions based on a hierarchical role structure, minimizing the risk of unauthorized access to privileged accounts. 

You can use either Active Directory Users and Computers (ADUC) or Active Directory Administrative Center (ADAC) to set up role-based access control (RBAC) in AD. 

Here are the key steps for implementing RBAC in AD

  • Determine the roles for your business and define the permissions you’ll allow for each role. 
  • Go to the Start menu, type in Active Directory Users and Computers, and click to select. 
  • Open Active Directory Users and Computers (ADUC) and create security groups for each role. 
  • Next, assign users to the security groups corresponding to their roles. 
  • Finally, configure access control policies using Active Directory Security Editor (ADSE) or the Delegation of Control Wizard. Both ADSE and the Delegation of Control Wizard are integrated into ADUC.
  • ADSE uses security identifiers (SID) to manage granular permissions and access control, while the Delegation of Control Wizard focuses on task-based permissions, like giving your IT staff the power to delete accounts.

Next, we’ll discuss privileged access management and its critical role in securing Active Directory.  

Privileged Access Management (PAM) 

At its heart, PAM enforces five (5) key functions in AD: 

  • The principle of least privilege, where users are given the minimum level of access necessary to complete tasks 
  • Role-based access control (RBAC), where users are authorized to use only those resources associated with their roles 
  • Just-in-time access, where users are granted a set period to complete tasks with elevated permissions 
  • Threat detection and response, where privileged access is revoked, accounts are isolated, and mitigation efforts are triggered during an attack 
  • Auditing and compliance, where all privileged actions are logged and audited to ensure compliance with security standards 

To implement privileged account management (PAM), you’ll want to: 

  • Identify which accounts are privileged or have elevated permissions 
  • Require administrators to use specially configured privileged access workstations (PAW) for administrative tasks. PAWs are the cornerstone of Tier 0 security because they provide a dedicated, trusted platform for privileged operations. 
  • Implement MFA to activate privileged roles. 
  • Implement time-bound access with start and end dates for temporary elevated permissions. 

With AD, there are several ways you can set up PAM: 

Privileged Identity Management (PIM) 

Microsoft Entra Privileged Identity Management (PIM) lets you limit standing admin access to privileged roles, identify who has access, and review privileged access. Key PIM capabilities include: 

  • Just-in-time (JIT) access. If a user is eligible for a role, they’ll only activate the role to perform privileged tasks. JIT access includes the ability to set start and end times for each type of assignment.  
  • Strict approval workflows. When roles near their expiration, PIM can extend or renew the roles only with approval from a Global Administrator or Privileged Role Administrator. 
  • Zero permanently active assignments. Microsoft recommends keeping zero permanently active assignments for roles other than your emergency access accounts.
  • Limited emergency access. Microsoft recommends two cloud-only emergency access accounts permanently assigned to the Global Administrator role. These accounts are limited to "break glass" scenarios ONLY, where normal accounts can't be used, or all other administrators are somehow locked out. 

Continuous monitoring 

Event log monitoring and alerting is critical to a secure Active Directory platform. 

While 66% of businesses have sufficient evidence in their logs to alert them of a breach, few are privy to them because of a lack of active monitoring. 

In general, you’ll want to monitor and audit the following activities within AD: 

  1. logon/logoff events 
  2. policy changes 
  3. directory service changes 
  4. account management 
  5. Group Policy Object changes 
  6. Kerberos service ticket operations 
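The Kerberos service ticket operations above (and the RC4 inventory the audit phase later in this post asks for) are where Kerberoasting shows up in the logs. The following is an added example, not code from the original post: it runs two checks over constructed stand-ins for Security event 4769 records (field names mirror that event's XML data; all account names, times and IPs are made up): which accounts still receive RC4 (encryption type 0x17) tickets, and which principal pulls RC4 tickets for many distinct service accounts in a short window.

```python
"""Flag weak (RC4) Kerberos service-ticket requests and Kerberoasting-style bursts.

Added example, not code from the original post. Events are constructed stand-ins
for Windows Security log event 4769 ("A Kerberos service ticket was requested");
the field names mirror that event's XML data, the values are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC, the cipher being deprecated

# Constructed sample events: one user pulls RC4 tickets for several service
# accounts within seconds (roasting pattern); the rest is ordinary traffic.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TimeCreated": "2026-02-11T09:00:01", "TargetUserName": "odysseus@SODACORP.COM",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.3"},
    {"EventID": 4769, "TimeCreated": "2026-02-11T09:00:02", "TargetUserName": "odysseus@SODACORP.COM",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.3"},
    {"EventID": 4769, "TimeCreated": "2026-02-11T09:00:03", "TargetUserName": "odysseus@SODACORP.COM",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.3"},
    {"EventID": 4769, "TimeCreated": "2026-02-11T09:00:04", "TargetUserName": "odysseus@SODACORP.COM",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.3"},
    {"EventID": 4769, "TimeCreated": "2026-02-11T09:10:00", "TargetUserName": "penelope@SODACORP.COM",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "10.1.2.9"},
    {"EventID": 4769, "TimeCreated": "2026-02-11T09:12:00", "TargetUserName": "penelope@SODACORP.COM",
     "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.9"},
    {"EventID": 4769, "TimeCreated": "2026-02-11T09:15:00", "TargetUserName": "telemachus@SODACORP.COM",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.12"},
    {"EventID": 4624, "TimeCreated": "2026-02-11T09:16:00", "TargetUserName": "telemachus@SODACORP.COM"},
]


def rc4_ticket_events(events):
    """All 4769 events whose ticket was issued with RC4-HMAC (encryption type 0x17)."""
    return [e for e in events
            if e.get("EventID") == 4769
            and int(e.get("TicketEncryptionType", "0x0"), 16) == RC4_HMAC]


def rc4_requesters(events):
    """Inventory of accounts still receiving RC4 tickets: the list to fix before
    Enforcement Mode, when RC4 stops being a fallback."""
    return sorted({e["TargetUserName"] for e in rc4_ticket_events(events)})


def _roastable_service(name):
    # krbtgt tickets are TGT-related and computer accounts ($) have long random
    # passwords; neither is a realistic offline-cracking target, so skip them.
    return name.lower() != "krbtgt" and not name.endswith("$")


def kerberoast_candidates(events, window=timedelta(minutes=5), min_services=3):
    """Map requester -> sorted service accounts when one principal obtains RC4
    tickets for at least `min_services` distinct service accounts within `window`."""
    by_user = defaultdict(list)
    for e in rc4_ticket_events(events):
        if _roastable_service(e["ServiceName"]):
            by_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"]))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):  # slide a window starting at each request
            names = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(names) >= min_services:
                flagged[user] = sorted(names)
                break
    return flagged


if __name__ == "__main__":
    print("RC4 ticket recipients:", rc4_requesters(SAMPLE_EVENTS))
    for user, services in kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"ALERT possible Kerberoasting by {user}: {services}")
```

Thresholds (window, min_services) are assumptions to tune against your own baseline; a single RC4 ticket is an inventory item for the RC4 migration, not an alert.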

You can leverage two key technologies to monitor and audit AD for a robust, comprehensive security posture: 

Securing Active Directory with LastPass 

Implementing multi-factor authentication (MFA) 

As credential theft underpins many cyberattacks against SMBs, securing your systems is more important than ever. 

If your business uses Active Directory, you can integrate Active Directory Federation Services or Entra ID with a password manager like LastPass to enable MFA and federated SSO (Single Sign-On).  

In doing so, your employees use just ONE set of credentials to access resources across multiple platforms, promoting seamless collaboration between all stakeholders in your supply chain.  

Here's how it works: 

  1. Active Directory serves as the central Identity Provider (IdP). 
  2. Active Directory Federation Services (AD FS) extends the AD infrastructure to enable federated IAM and PAM.  
  3. LastPass integrates with ADFS to provide secure credential storage and user access management. 
  4. When a user attempts to access a federated resource through LastPass: 
  • LastPass redirects the user to AD FS for authentication.  
  • AD FS performs primary authentication against Active Directory. 
  • If the credentials are valid, AD FS can prompt for MFA if the policy requires it. 
  • If MFA is successful, AD FS issues a security token to LastPass, and the user is granted entry.  

AD FS makes sense if: 

  • You have regulatory requirements preventing cloud authentication 
  • You’re a large enterprise with a dedicated security team 

For smaller teams, it’s simpler, more cost-effective, and more secure to: 

This allows your employees to authenticate to Entra ID and access LastPass with their AD credentials. 

With LastPass, you get: 

  • Uniquely generated passwords so password reuse doesn’t compromise your Tier 0 assets 
  • Seamless provisioning and deprovisioning - disabling AD access also removes LastPass access 
  • Phishing resistant FIDO2 MFA to complement the tiered protections in the Microsoft Enterprise Access Model  

So, the complete security stack to protect your Active Directory is: 

  • Enterprise Access Model to secure your AD infrastructure through tier isolation 
  • PIM/PAM to get just-in-time (JIT) privileged access 
  • LastPass to block credential-based attacks 

Together, they create the defense-in-depth security you need to protect your business in 2026 and beyond. 

If you’re ready to experience what effortless security looks like, see how Forsters LLP, a leading London law firm with over 500 employees and a growing hybrid workforce, is securing legal operations with LastPass.

Then, try LastPass for yourself with a free Business Max trial (no credit card required). 

What’s new with RC4 in Active Directory: Critical 2026 updates 

It’s no secret that Active Directory is a favorite target of threat actors.  

As mentioned, this is because Active Directory controls access to virtually all network resources. Essentially, hackers target AD because it “holds the keys to the kingdom.” 

Kerberoasting, especially, continues to occur with frightening regularity.  

IBM’s 2024 X-Force Threat Intelligence Index reports that kerberoasting has increased by 100%. 

Here’s why:  

  • Businesses continue to use plaintext passwords in their enterprise environments.  
  • More than 95% don’t implement their own password security policies, especially for automated service accounts. 
  • Up to 85% of privileged permissions aren’t revoked after maintenance tasks are completed.  
  • Manually configured service accounts often have the “password never expires” flag enabled. These passwords follow old security practices and are much easier to crack. 

In Windows Server 2025, Microsoft includes new security enhancements to address attacks like kerberoasting, AS-REP roasting, Golden Tickets, and DCSync on AD service accounts:  

  • LDAP encryption by default and LDAP support for TLS 1.3 
  • PKINIT (Public Key Cryptography for Initial Authentication in Kerberos) support for cryptographic agility
  • SHA-256 certificate retrieval to secure initial authentication and raise the bar for forged tickets 

But the most significant change is Microsoft’s deprecation of RC4 encryption for Kerberos authentication. Here’s the timeline: 

January 2026: Audit Mode

Windows updates released on and after January 13, 2026, contain protections for a vulnerability that allows attackers to obtain service tickets with weak encryption such as RC4. 

To protect your AD environment and prevent outages, Microsoft recommends:

  • Updating all AD domain controllers. Windows updates released January 13, 2026, and later introduce the first phase of protections to address a Kerberos information disclosure vulnerability (CVE‑2026‑20833).
  • Monitoring the System event log for any of the 9 Audit Events logged on Windows Server 2012 and newer domain controllers.
  • Mitigating the KDCSVC events logged in the System event log that prevent manual or programmatic enablement of RC4.
  • Enabling Enforcement Mode to address the vulnerabilities in CVE-2026-20833.

April 2026: Enforcement Mode

Domain controllers will default to AES-SHA1 for Kerberos encryption, i.e., domain controllers will issue AES SHA-1 tickets by default. RC4 will no longer be a fallback.

RC4-dependent configurations that haven’t been addressed will begin failing authentication in this phase.

July 2026 (Full RC4 disablement)

Audit Mode will be removed completely. Enforcement Mode will be the only option, which means all systems must be RC4-compliant, or authentication will fail. 

For more on the RC4 deprecation process, refer to this Microsoft Directory Service Team FAQ.

Sources 

Australian Signals Directorate: Detecting and mitigating Active Directory compromises

The Hacker News: Active Directory under siege: Why critical infrastructure needs stronger security

Semperis: Hospital cyberattacks highlight importance of Active Directory security

American Hospital Association: Change Healthcare cyberattack underscores urgent need to strengthen cyber preparedness for individual health care organizations and as a field

Microsoft: Overview of Active Directory Domain Services

Strata.io: Active Directory

The Hacker News: Securing Tier 0. A history of escalating protection

Microsoft: Protecting Tier 0 the modern way

Microsoft: How to manage Kerberos KDC usage of RC4 for service account ticket issuance changes related to CVE-2026-20833

Microsoft: What is going on with RC4 in Kerberos?

Microsoft: Windows message center

Finding passwords in SYSVOL & exploiting Group Policy Preferences

 

FAQs: Understanding Active Directory

To mitigate a Microsoft Entra Connect compromise, you must protect your Entra Connect servers, and here’s how: 

  • Disable hard match takeover. If this setting is enabled, along with Password Hash Synchronization (PHS), attackers can take control of your cloud resources. 
  • Never synchronize privileged accounts between on-prem AD and cloud Entra ID. If your on-prem global admin syncs to the cloud, a compromise on-prem instantly becomes a cloud compromise. 
  • Limit access to Entra Connect servers to only privileged users. These servers are Tier 0 assets. Treat them accordingly. 
  • Enable phishing resistant FIDO2 MFA for all privileged users. Even if attackers steal credentials, that second factor is another barrier they must overcome. 
  • Use LAPS (Local Administrator Password Solution) for local admin passwords. Ensure passwords are long (30-character minimum), unique, unpredictable, and managed. Use the LastPass password generator for this. 
  • Only use Microsoft Entra Connect servers for Entra Connect. Every additional service is an attack surface. 
  • Restrict privileged access pathways to Microsoft Entra Connect servers to jump servers and secure admin workstations. Use only the ports and services required for administration, nothing else. 
  • Encrypt and isolate backups. Backups of Entra Connect servers need the same security as the servers themselves. Limit access to backup admins only. 
  • Centrally log and analyze the Entra Connect server log. If someone gains privileged access, you need to know immediately to limit the impact.

The best way to stop a Golden Ticket attack is to prevent the KRBTGT password hash from being compromised.  

The two most common ways attackers obtain the password hash are through DCSync and dumping ntds.dit.

  • The easiest way to mitigate DCSync is to minimize the number of users with DCSync permissions and disable NTLMv1. 
  • To stop ntds.dit attacks, you’ll want to limit access to domain controllers to only privileged users and disable SMBv1 on domain controllers. 

If the KRBTGT password is compromised, be sure to reset it twice. Microsoft explains why and provides steps to reset it.  

Alternatively, if you have a larger AD environment, try the Microsoft PowerShell script by Jorge de Almeida Pinto.

The best way to stop a Password in Group Policy Preference compromise is to remove all GPP passwords from SYSVOL. 

Every authenticated domain user has read access to SYSVOL (the domain-wide share in AD) by default. 

Group Policy Preferences stores credentials in XML files in SYSVOL. The password field is called “cpassword,” and it’s AES-256 encrypted.  

However, Microsoft published the AES key on MSDN, which can be used to decrypt the passwords. So, all attackers have to do is run a command to search all XML files in SYSVOL for the string “cpassword.”

While Microsoft did release a patch (KB 2962486) to stop new passwords from being created, it doesn’t remove old ones. You’ll have to manually remove them.  

Your action plan: Search SYSVOL and remove all GPP passwords immediately. Use Microsoft LAPS instead, which gives you secure, managed, and rotated passwords. 
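To make that action plan concrete, here is an added example (not code from the original post) that locates leftover cpassword attributes so they can be removed; it only reports where they are and never decrypts anything. The XML snippets are constructed stand-ins for the preference files GPP writes under SYSVOL, and the GUID folder names, account names and cpassword value are made up.

```python
"""Find Group Policy Preference items that still carry a cpassword value.

Added example, not from the original post. The XML below is a constructed
stand-in for the preference files GPP writes under SYSVOL (Groups.xml,
ScheduledTasks.xml, ...); account names and the cpassword value are made up.
The scanner only locates the attribute; it never decrypts it.
"""
import os
import xml.etree.ElementTree as ET

# Preference file names known to carry embedded credentials.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed samples keyed by the relative path they would have under SYSVOL.
SAMPLE_SYSVOL = {
    r"sodacorp.com\Policies\{GUID-A}\Machine\Preferences\Groups\Groups.xml": (
        '<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">'
        '<User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalBackup">'
        '<Properties action="U" userName="LocalBackup" cpassword="CONSTRUCTED-BASE64=="/>'
        '</User></Groups>'),
    r"sodacorp.com\Policies\{GUID-B}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml": (
        '<ScheduledTasks><Task name="Cleanup">'
        '<Properties runAs="SODACORP\\svc_cleanup" cpassword=""/>'   # empty: nothing stored
        '</Task></ScheduledTasks>'),
    r"sodacorp.com\Policies\{GUID-C}\Machine\Preferences\Registry\Registry.xml": (
        '<RegistrySettings><Registry name="NoAutoRun">'
        '<Properties action="U" key="Software\\Policies\\Test"/>'
        '</Registry></RegistrySettings>'),
}


def cpassword_findings(path, xml_text):
    """Return one (path, element tag, account) tuple per element with a non-empty cpassword."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # a malformed preference file still deserves a look
        return [(path, "PARSE-ERROR", str(exc))]
    findings = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if attr.lower() == "cpassword" and value:
                account = elem.attrib.get("userName") or elem.attrib.get("runAs") or "?"
                findings.append((path, elem.tag, account))
    return findings


def scan_files(files):
    """Scan a {path: xml_text} mapping, looking only at the GPP file names above."""
    results = []
    for path, text in files.items():
        if os.path.basename(path.replace("\\", "/")) in GPP_FILES:
            results.extend(cpassword_findings(path, text))
    return results


def scan_sysvol(root_dir):
    """Walk a real SYSVOL share (or an offline copy) and scan every GPP preference file."""
    files = {}
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            if name in GPP_FILES:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8-sig") as fh:
                    files[full] = fh.read()
    return scan_files(files)


if __name__ == "__main__":
    for path, tag, account in scan_files(SAMPLE_SYSVOL):
        print(f"REMOVE: {path} -> <{tag}> for account {account}")
```

Run scan_sysvol() against the share path of your domain's SYSVOL (or a copy) to get the same report for real files; every hit is a preference item to delete and a password to rotate.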

According to the CISA/ASD international advisory on mitigating AD compromises, commercial and open-source tools that provide visibility into your Active Directory environment include: 

The Microsoft Enterprise Access Model has five (5) core principles and they are: 

  • Tier 0 credentials are never exposed to lower-tier systems. This includes user objects like domain admins, enterprise admins, KRBTGT accounts, AD FS service accounts, backup admins, and Entra Connect user accounts. 
  • Only Tier 0 users can manage Tier 0 computer objects. This includes domain controllers, AD FS servers, AD CS root cert authorities, backup servers, and Entra Connect servers. 
  • Lower tiers can use higher tier services, but the reverse is forbidden. 
  • Hierarchy is enforced to prevent control of higher tiers from lower tiers.
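The first principle above, that Tier 0 credentials never touch lower-tier systems, can be checked against logon telemetry. This is an added example, not code from the original post: the account and host tier maps and the event 4624 records are constructed, and the logon-type numbers follow the Windows Security log. Network logons (type 3) are deliberately not flagged, since they do not leave the account's secret on the destination, which is how a lower tier may use a higher-tier service while the reverse stays forbidden.

```python
"""Detect privileged credentials exposed on lower-tier hosts from 4624 logon events.

Added example, not from the original post. Tier maps and events are constructed;
logon types follow Windows Security event 4624 ("An account was successfully
logged on"), and "Computer" is the host that logged the event.
"""
# Logon types that leave reusable credential material on the host that logs them.
# Network (3) and NewCredentials (9) are excluded: they do not cache the account's
# secret on the destination, so lower-tier users reaching higher-tier services is fine.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 4, 5, 7, 10, 11}  # interactive, batch, service, unlock, RDP, cached

# Constructed tiering inventory: 0 = identity control plane, 1 = servers, 2 = workstations.
ACCOUNT_TIER = {"da-odysseus": 0, "srvadmin-penelope": 1, "wsadmin-telemachus": 2}
HOST_TIER = {"DC01": 0, "ENTRACONNECT01": 0, "FILESRV01": 1, "WS-HR-017": 2}

SAMPLE_LOGONS = [
    {"EventID": 4624, "TargetUserName": "da-odysseus", "Computer": "DC01", "LogonType": 2},          # Tier 0 on Tier 0: ok
    {"EventID": 4624, "TargetUserName": "da-odysseus", "Computer": "FILESRV01", "LogonType": 3},     # network logon: ok
    {"EventID": 4624, "TargetUserName": "da-odysseus", "Computer": "FILESRV01", "LogonType": 10},    # RDP to Tier 1: exposed
    {"EventID": 4624, "TargetUserName": "da-odysseus", "Computer": "WS-HR-017", "LogonType": 10},    # RDP to Tier 2: exposed
    {"EventID": 4624, "TargetUserName": "srvadmin-penelope", "Computer": "WS-HR-017", "LogonType": 2},  # Tier 1 on Tier 2: exposed
    {"EventID": 4624, "TargetUserName": "wsadmin-telemachus", "Computer": "WS-HR-017", "LogonType": 10},  # same tier: ok
    {"EventID": 4624, "TargetUserName": "eurycleia", "Computer": "FILESRV01", "LogonType": 3},        # unknown user, network: ok
    {"EventID": 4634, "TargetUserName": "da-odysseus", "Computer": "WS-HR-017", "LogonType": 10},    # logoff event: ignored
]


def tier_of(name, table, default=2):
    """Anything not in the inventory is treated as least-trusted Tier 2."""
    return table.get(name, default)


def tier_violations(events, account_tier=ACCOUNT_TIER, host_tier=HOST_TIER):
    """Return (account, host, logon_type) for each credential-exposing logon where the
    account's tier is more privileged (lower number) than the host it logged on to."""
    hits = []
    for e in events:
        if e.get("EventID") != 4624 or e.get("LogonType") not in CREDENTIAL_EXPOSING_LOGON_TYPES:
            continue
        acct, host = e["TargetUserName"], e["Computer"]
        if tier_of(acct, account_tier) < tier_of(host, host_tier):
            hits.append((acct, host, e["LogonType"]))
    return hits


def exposed_tier0_accounts(events, account_tier=ACCOUNT_TIER, host_tier=HOST_TIER):
    """Tier 0 accounts whose secrets now sit on a lower-tier host: reset these first."""
    return sorted({acct for acct, _, _ in tier_violations(events, account_tier, host_tier)
                   if tier_of(acct, account_tier) == 0})


if __name__ == "__main__":
    for acct, host, ltype in tier_violations(SAMPLE_LOGONS):
        print(f"TIER VIOLATION: {acct} logon type {ltype} on {host}")
    print("Tier 0 accounts to reset:", exposed_tier0_accounts(SAMPLE_LOGONS))
```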

LastPass offers seamless integration with Active Directory (AD) to enhance security. Here are the key aspects of this integration: 

Native Integration: LastPass supports federated login, so users can access LastPass with their existing AD credentials.  

Automated Onboarding and Offboarding: When a user is added or removed from an AD group, their access to LastPass is automatically updated, ensuring that only authorized users get access to password stores.  

Policy Inheritance: LastPass supports policy inheritance from AD, so you can enforce access controls consistent with your existing IT infrastructure. This ensures LastPass aligns with your organization's security and compliance needs. 
