I Need IT Support Now
Managed Service Provider - Cybersecurity
Shane

CinchOps Windows Server 2025 Security Advisory: BadSuccessor Threatens Active Directory Accounts

Critical Windows Server 2025 Flaw Enables Complete Active Directory Takeover

Active Directory Alert
BadSuccessor Lets a Low-Level Account Seize Domain Admin. Here Is How the Windows Server 2025 Attack Works and How to Stop It.

One overlooked permission in Active Directory is all an attacker needs. If your Houston business runs a Windows Server 2025 domain controller, the dMSA feature is already exposed by default.

TL;DR
BadSuccessor is a privilege-escalation technique in Windows Server 2025 that abuses the delegated Managed Service Account (dMSA) feature. Any user who can create objects in an organizational unit can crown a new account the "successor" to a Domain Admin and inherit its access - no group changes, no alarms. Akamai found 91% of tested domains had non-admin users able to do it. Microsoft rated it moderate and has not shipped a patch, so the fix is yours: lock down who can create dMSAs, strip unneeded CreateChild rights, and monitor for it.

BadSuccessor is dangerous precisely because it does not look like an attack - it looks like a routine account migration, and it is enabled by default.

Active Directory is the master key to most Houston small-business networks: it decides who logs in, who reaches which files, and who holds the keys to everything. BadSuccessor targets that master key. It is not a virus and not a stolen password. It is an attacker using a legitimate Windows Server 2025 feature exactly as built, to promote a throwaway account into a Domain Admin. Here is what the technique is, the four steps that make it work, whether you are exposed, and the specific settings that shut it down.

The uncomfortable part: you are exposed even if you have never created a single dMSA. Adding one Windows Server 2025 domain controller turns the feature on for the whole domain.

What Is the BadSuccessor Vulnerability?

A design flaw in how Windows Server 2025 hands off privileges between accounts.

BadSuccessor is a privilege-escalation flaw in the Windows Server 2025 delegated Managed Service Account (dMSA) feature that lets an attacker inherit any account's access, including a Domain Admin's.

Microsoft added delegated Managed Service Accounts in Windows Server 2025 to fix a real problem: they let organizations retire fragile legacy service accounts and replace them with machine accounts that carry managed, fully randomized keys, which shuts down Kerberoasting. The trouble is in the migration path. The system decides which old account a dMSA is "succeeding" by reading a single linked attribute, and it does not verify that the migration was ever authorized. Set the link, flip a status flag, and the Key Distribution Center hands the new account the old account's privileges - no questions asked.

The whole abuse hangs on two attributes: msDS-ManagedAccountPrecededByLink, which names the account being succeeded, and msDS-DelegatedMSAState, which says the migration is complete. Write both and the domain believes a legitimate handoff happened. That is the entire trick.

How Does a BadSuccessor Attack Work?

Four steps, minimal skill, and nothing that trips a traditional privilege-escalation alert.

An attacker creates a new dMSA, links it to a high-value target, marks the migration complete, then requests a Kerberos ticket that inherits the target's full access.

  • Create a dMSA in the wrong place. The attacker makes a new delegated Managed Service Account inside an organizational unit where they hold "Create all child objects" (CreateChild) permission. No admin rights required.
  • Name the victim. They set msDS-ManagedAccountPrecededByLink to point at a high-value account - up to and including a Domain Admin.
  • Fake the migration. They set msDS-DelegatedMSAState to 2, which tells the domain the migration finished successfully.
  • Cash in the ticket. Using a tool like Rubeus, they request authentication tickets for the dMSA. The Key Distribution Center issues tickets carrying every privilege of the linked target - and can even hand over the target's encryption keys, so the attacker can log in directly as that user.

What makes this so quiet is what it does not do. No group membership is changed, no existing account is elevated, and none of the classic "someone was just added to Domain Admins" alerts fire. Akamai's own summary puts it plainly: the KDC never questions the bloodline - if the link is there, the privileges are granted.

THE BADSUCCESSOR ATTACK CHAIN 1 · CREATE new dMSA in an OU the attacker can write to (CreateChild, no admin) 2 · LINK point PrecededByLink at a Domain Admin 3 · FAKE MIGRATION set DelegatedMSAState to 2 (migration done) 4 · INHERIT request a Kerberos ticket = Domain Admin access CinchOps · cinchops.com
The four-step BadSuccessor chain: two attribute writes turn a throwaway account into a Domain Admin.
Full BadSuccessor attack flow diagram showing dMSA creation, attribute manipulation, and ticket inheritance
Full attack flow, showing all steps needed to have a BadSuccessor. Source: Akamai.

Is Your Active Directory Exposed to BadSuccessor?

If you run any Windows Server 2025 domain controller, assume yes until you have checked.

Akamai found that in 91% of the environments it examined, users outside the Domain Admins group already held the permissions needed to run BadSuccessor.

The reason that number is so high is mundane: permissions accrete. In 35 years around Active Directory, the pattern we see over and over with Houston small businesses is a single domain that has quietly collected years of "just give them access to that OU" decisions through staff turnover, a departed IT vendor, and one-off projects nobody documented. That sprawl of CreateChild rights is exactly the foothold BadSuccessor needs. You are most likely exposed if any of these are true:

  • You added or upgraded to a Windows Server 2025 domain controller. The dMSA feature ships enabled, so the abuse path exists domain-wide even if you never touched dMSAs.
  • Regular users can create objects in an organizational unit. Delegated helpdesk rights, self-service OUs, and old delegation from a prior admin all count.
  • Legacy service accounts were never cleaned up. Old, over-permissioned accounts are prime targets to succeed.
  • Nobody is watching AD object creation. If dMSA creation and attribute changes are not logged, the attack leaves no trace you would notice.

How Do You Defend Against BadSuccessor?

There is no patch yet - Microsoft rated it moderate - so defense is configuration and monitoring you control.

Because no official fix exists, the practical defense is to control who can create dMSAs, remove permissions nobody needs, and watch for the specific events the attack generates.

  • Restrict who can create dMSAs. Limit the ability to create delegated Managed Service Accounts to a small set of trusted administrators, and confirm no one else in the domain holds it.
  • Find and strip stray CreateChild rights. Identify every principal that can create objects in an OU and remove "Create all child objects" from users who have no legitimate need. Akamai published a PowerShell script that maps exactly who can create dMSAs and which OUs are affected - run it.
  • Log dMSA creation and attribute writes. Configure SACLs to record creation of new msDS-DelegatedManagedServiceAccount objects, watch for Event ID 5137, and alert on any change to msDS-ManagedAccountPrecededByLink.
  • Watch the tickets. Track Ticket Granting Tickets issued for dMSAs that include the KERB-DMSA-KEY-PACKAGE structure, and flag unusual authentication tied to newly created dMSAs.

Not Sure Who Can Create a dMSA in Your Domain?

CinchOps audits your Active Directory for the exact CreateChild permissions BadSuccessor abuses, strips what nobody needs, and turns on the monitoring that catches it.

Talk to CinchOps
100% Free

Know Your Business Security Score

Get a FREE comprehensive security assessment for your Houston area business. Understand vulnerabilities across your network, applications, DNS, and more.

Get Your Free Assessment

BadSuccessor is scary because it is boring. There is no malware to catch and no password to steal - just an attacker filling in two fields the way the feature was designed to allow. If you are not watching who can create accounts in your OUs, you would never know it happened.
Shane Stevens, CEO, CinchOps - LinkedIn

Active Directory Hardening for Windows Server 2025

CinchOps audits and locks down the Active Directory permissions attacks like BadSuccessor depend on - CreateChild delegation, service-account hygiene, and dMSA controls - and adds the monitoring to catch abuse in real time. It is part of our cybersecurity and managed IT services.

Explore CinchOps cybersecurity →

How CinchOps Helps Secure Your Business

CinchOps is a managed IT services provider based in Katy, Texas, serving small and mid-sized businesses across the Houston metro area, with the Active Directory expertise to close design-level flaws like BadSuccessor.

CinchOps specializes in cybersecurity, network security, managed IT support, VoIP, and SD-WAN for businesses with 10-200 employees. For a threat that has no patch, the response is hands-on work in your domain, and it is exactly the kind of work we do:

  • Active Directory risk assessment. We map who can create objects and dMSAs across your domain and prioritize the permissions worth removing first.
  • Permission hardening. We strip unneeded CreateChild rights and tighten who can perform account migrations.
  • Detection and monitoring. We turn on SACL logging, Event ID 5137 alerts, and dMSA ticket monitoring so an attempt is caught, not discovered months later.
  • Service-account hygiene. We clean up legacy accounts and apply least-privilege and zero-trust principles across your environment.

You should not have to wait on a vendor's severity rating to protect your own domain. If your business runs Windows Server 2025 anywhere in Houston or Katy, get the CreateChild audit done now - talk to CinchOps and we will tell you today whether BadSuccessor is a live risk in your Active Directory.

Frequently Asked Questions

What is the BadSuccessor vulnerability?

BadSuccessor is a privilege-escalation technique in Windows Server 2025 that abuses the delegated Managed Service Account (dMSA) feature. A user who can create objects in an organizational unit can link a new dMSA to a Domain Admin and inherit that account's full access, without changing any group membership.

Is there a patch for BadSuccessor?

Not yet. Microsoft assessed BadSuccessor as moderate severity and said it does not currently meet the bar for immediate servicing, a call Akamai's researchers disagree with. Until a fix ships, defense means restricting who can create dMSAs, removing stray CreateChild permissions, and monitoring for the attack.

Am I affected if I never set up dMSAs?

Yes, likely. The dMSA feature is enabled by default on any domain that has at least one Windows Server 2025 domain controller. Adding a single 2025 DC exposes the whole domain, whether or not you have ever created a delegated Managed Service Account yourself.

How do I tell if my domain is exposed?

Check whether any Windows Server 2025 domain controller exists, then audit which non-admin users can create objects in your organizational units. Akamai released a PowerShell script that lists exactly which identities can create dMSAs and which OUs are affected - that inventory is the fastest way to know.

How was BadSuccessor discovered?

Akamai researcher Yuval Gordon found the flaw and reported it to Microsoft through MSRC on April 1, 2025. It is a design flaw in Microsoft's dMSA migration logic, not the work of an outside attacker, which is why it works with default settings.

Discover More

Sources

Take Your IT to the Next Level!

Book A Consultation for a Free Managed IT Quote

281-269-6506