BadSuccessor: how an OU write becomes Tier-0 in Server 2025
On a Server 2025 domain, create rights over one OU let an attacker make a dMSA the successor of a Tier-0 account and inherit its privileges. The fix is in the link, not a password.
Windows Server 2025 added delegated Managed Service Accounts so you can migrate a service account cleanly. The migration link tells Active Directory which account a dMSA succeeds, and AD honors it by handing over the predecessor’s privileges.
How the attack works
An attacker who holds only create and write permission over an organizational unit creates a delegated Managed Service Account in it. They then set its migration attributes: msDS-ManagedAccountPrecededByLink to point at a Tier-0 account, and the delegated state attribute to the migrated value. Active Directory now treats the dMSA as the rightful successor of the privileged account. When the dMSA authenticates, the KDC builds a ticket whose PAC inherits the target's group SIDs, and the dMSA gains use of the target's keys, so it can perform directory writes reserved for domain admins. No password reset or group edit is needed, so the activity looks like a benign account creation. In ATT&CK terms this is T1098, Account Manipulation, paired with T1134, Access Token Manipulation.
Why it works
This is an over-delegation problem. Anyone who can create a dMSA, or who holds create and write rights on the OU that contains it, can stage a successor link to a privileged account. The privilege lives in the migration link, not in any group membership you can simply remove.
How to fix it
The scenario teaches that a password reset on the Tier-0 account does nothing, because a completed migration relationship is independent of the source account's password. Clear msDS-ManagedAccountPrecededByLink and the migrated state on the dMSA to break the inheritance, disable the dMSA, and remove create and write rights on the OU so it cannot be staged again. For the durable fix, audit who can create or edit dMSA objects, treat dMSA-capable OUs as Tier-0 adjacent, and alert on any write to the msDS-ManagedAccountPrecededByLink attribute that targets a privileged account.
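The steps above can be scripted from a domain-joined admin workstation with the ActiveDirectory module. The following PowerShell is an added example written for this page, not code from the original post or from GraphLattice: it lists every dMSA whose migration link points at a privileged account, severs and disables one on request, reports OU ACEs that let non-admin principals create dMSA objects, and pulls recent 5136 events for the link attribute. The attribute name msDS-DelegatedMSAState and its "migration completed" value of 2 are taken from Microsoft's schema rather than from the post, and the event query assumes Directory Service Changes auditing with a SACL on the OU is already in place.

```powershell
# Added defender example (not from the original post). Requires RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# 1. Every dMSA that already carries a predecessor link, with the predecessor's adminCount.
#    adminCount=1 is stamped by SDProp on members of protected groups, so treat it as Tier-0.
function Get-SuspectDmsaLinks {
    $filter = '(&(objectClass=msDS-DelegatedManagedServiceAccount)(msDS-ManagedAccountPrecededByLink=*))'
    Get-ADObject -LDAPFilter $filter -Properties 'msDS-ManagedAccountPrecededByLink','msDS-DelegatedMSAState','whenCreated' |
        ForEach-Object {
            $predDN = $_.'msDS-ManagedAccountPrecededByLink'
            $pred   = Get-ADObject -Identity $predDN -Properties adminCount
            [pscustomobject]@{
                dMSA                  = $_.DistinguishedName
                Predecessor           = $predDN
                State                 = $_.'msDS-DelegatedMSAState'   # 2 = migration completed (schema value, assumed)
                PrivilegedPredecessor = ($pred.adminCount -eq 1)
                Created               = $_.whenCreated
            }
        }
}

# 2. Break the inheritance on one dMSA: clear the link and state, then set ACCOUNTDISABLE (0x2).
function Sever-DmsaMigrationLink {
    param([Parameter(Mandatory)][string]$DmsaDN)
    Set-ADObject -Identity $DmsaDN -Clear 'msDS-ManagedAccountPrecededByLink','msDS-DelegatedMSAState'
    $uac = (Get-ADObject -Identity $DmsaDN -Properties userAccountControl).userAccountControl
    Set-ADObject -Identity $DmsaDN -Replace @{ userAccountControl = ($uac -bor 0x2) }
}

# 3. OU ACEs granting CreateChild for the dMSA class (or for any class) to principals outside the admin set.
#    GenericAll includes the CreateChild bit, so HasFlag(CreateChild) catches both.
function Get-DmsaCreateRights {
    $schemaNC  = (Get-ADRootDSE).schemaNamingContext
    $dmsaClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
    $dmsaGuid  = [guid]$dmsaClass.schemaIDGUID
    $anyClass  = [guid]'00000000-0000-0000-0000-000000000000'
    $trusted   = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators|.*\\Domain Admins|.*\\Enterprise Admins)$'
    $create    = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        $ou  = $_.DistinguishedName
        $acl = Get-Acl -Path ("AD:\" + $ou)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not $ace.ActiveDirectoryRights.HasFlag($create)) { continue }
            if ($ace.ObjectType -ne $dmsaGuid -and $ace.ObjectType -ne $anyClass) { continue }
            if ($ace.IdentityReference.Value -match $trusted) { continue }
            [pscustomobject]@{ OU = $ou; Principal = $ace.IdentityReference.Value; Rights = $ace.ActiveDirectoryRights }
        }
    }
}

# 4. Writes to the link attribute recorded on this DC in the last N days (Event ID 5136,
#    "A directory service object was modified"; needs Directory Service Changes auditing + OU SACL).
function Get-PrecededByLinkWrites {
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $attr = ($data | Where-Object Name -eq 'AttributeLDAPDisplayName').'#text'
            if ($attr -eq 'msDS-ManagedAccountPrecededByLink') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Subject = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
                    Object  = ($data | Where-Object Name -eq 'ObjectDN').'#text'
                    Value   = ($data | Where-Object Name -eq 'AttributeValue').'#text'
                }
            }
        }
}

# Typical triage run:
Get-SuspectDmsaLinks | Where-Object PrivilegedPredecessor | Format-Table -AutoSize
Get-DmsaCreateRights  | Format-Table -AutoSize
Get-PrecededByLinkWrites -Days 7 | Format-Table -AutoSize
# Sever-DmsaMigrationLink -DmsaDN 'CN=<suspect dMSA>,OU=<ou>,DC=<domain>,DC=<tld>'   # placeholder DN
```

Run it on a domain controller or a host with the AD PowerShell drive available, since the ACL check reads through the AD: provider. The 5136 query only sees what the local DC logged, so for a fleet you would forward Security events to a collector and run the same attribute filter there; the detection to alert on is any write to msDS-ManagedAccountPrecededByLink whose value resolves to an object with adminCount=1.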
Practice it
We built this as a GraphLattice Range scenario so administrators can rehearse severing the migration link and tightening OU delegation before BadSuccessor is staged.