Hi! Basically, default settings of Domain Controllers are not hardened. Every DC has by default the “Default Domain Controllers Policy” in place, but this GPO creates different escalation paths to Domain Admin if you have any members in Backup Operators or Server Operators for example. They can become Domain Admin. Start with replacing the “Default …