Built-In Policies Reference
IdentityCenter ships with a comprehensive set of built-in policies that detect common security, compliance, and governance issues in your Active Directory environment. This article is a complete reference for every built-in policy.
About Built-In Policies
Built-in policies are pre-configured and ready to use immediately after synchronization. They differ from custom policies in several ways:
| Characteristic | Built-In Policies | Custom Policies |
|---|---|---|
| Deletable | No (protected) | Yes |
| Customizable | Yes (thresholds, severity, actions) | Fully configurable |
| Disableable | Yes | Yes |
| Restorable | Reset to defaults at any time | No (recreate if deleted) |
You can customize any built-in policy's thresholds, severity, actions, and exceptions without losing the ability to reset it to its defaults later.
Security Policies
Security policies detect configurations and conditions that create security risk in your environment.
Stale User Accounts
| Property | Value |
|---|---|
| Description | Detects enabled user accounts that have not logged in within the configured threshold |
| Default Threshold | 90 days of inactivity |
| Default Severity | Medium |
| What It Detects | Enabled accounts where the more recent of lastLogonTimestamp and lastLogon is older than the threshold. lastLogonTimestamp is replicated but is only rewritten when the stored value is 9 to 14 days old (msDS-LogonTimeSyncInterval, default 14 days), so it can lag a real logon by up to two weeks; lastLogon is exact but is not replicated and must be read from every domain controller. |
| Excludes | Service accounts, gMSAs, MSAs (by default) |
| Recommended Remediation | Send an alert to the user's manager. If there is no response within 14 days, disable the account. |
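The stale-user check described above, reproduced with the ActiveDirectory PowerShell module as an added example (this is not IdentityCenter's code). It assumes the module is installed and the caller can read lastLogon from every domain controller; the 90-day threshold is the page's default, and the `^svc[-_]` naming pattern used to stand in for the service-account exclusion is an assumption for illustration.

```powershell
# Added example, not IdentityCenter code: reproduce the Stale User Accounts check.
# Assumes the ActiveDirectory module and read access to every domain controller.
Import-Module ActiveDirectory

function Get-StaleUserAccount {
    param(
        [int]$ThresholdDays = 90,                   # IdentityCenter default
        [string]$ServiceAccountPattern = '^svc[-_]' # assumed naming convention for service accounts
    )
    $now    = (Get-Date).ToUniversalTime()
    $cutoff = $now.AddDays(-$ThresholdDays)

    # Enabled users only (ACCOUNTDISABLE = 0x2). objectCategory=person leaves out
    # gMSAs and MSAs, which are computer-derived classes.
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

    # lastLogon is not replicated, so read it from every DC and keep the newest value.
    $lastLogonByDn = @{}
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        Get-ADUser -Server $dc.HostName -LDAPFilter $filter -Properties lastLogon |
            ForEach-Object {
                $seen = [int64]$lastLogonByDn[$_.DistinguishedName]   # $null casts to 0
                if ([int64]$_.lastLogon -gt $seen) {
                    $lastLogonByDn[$_.DistinguishedName] = [int64]$_.lastLogon
                }
            }
    }

    Get-ADUser -LDAPFilter $filter -Properties lastLogonTimestamp, whenCreated |
        Where-Object { $_.SamAccountName -notmatch $ServiceAccountPattern } |
        ForEach-Object {
            # Both attributes are FILETIME (100 ns ticks since 1601-01-01); take the more recent.
            $ticks = [Math]::Max([int64]$_.lastLogonTimestamp, [int64]$lastLogonByDn[$_.DistinguishedName])
            # 0 means the account has never logged on; age it from its creation date instead.
            $last  = if ($ticks -gt 0) { [DateTime]::FromFileTimeUtc($ticks) } else { $_.whenCreated.ToUniversalTime() }
            if ($last -lt $cutoff) {
                [pscustomobject]@{
                    SamAccountName = $_.SamAccountName
                    LastLogonUtc   = $last
                    DaysInactive   = [int]($now - $last).TotalDays
                    NeverLoggedOn  = ($ticks -eq 0)
                }
            }
        }
}

# Usage: list the longest-inactive accounts first
Get-StaleUserAccount -ThresholdDays 90 | Sort-Object DaysInactive -Descending | Format-Table -AutoSize
```

Accounts that have never logged on are aged from whenCreated so that a long-forgotten pre-provisioned account still surfaces; the NeverLoggedOn column lets you treat those separately from accounts that went quiet.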
Stale Computer Accounts
| Property | Value |
|---|---|
| Description | Detects enabled computer accounts that have not authenticated within the configured threshold |
| Default Threshold | 90 days of inactivity |
| Default Severity | Medium |
| What It Detects | Computer objects where lastLogonTimestamp is older than the threshold and the account is still enabled. pwdLastSet is a useful cross-check: a domain-joined machine rotates its account password every 30 days by default, so a computer whose password has not changed in 90 days has almost certainly been offline. |
| Excludes | None by default |
| Recommended Remediation | Disable the computer account after confirming it is not a rarely used server or DR system. Disable rather than delete at first, so the object and its SID survive if the machine does come back. |
Password Never Expires
| Property | Value |
|---|---|
| Description | Detects accounts with the DONT_EXPIRE_PASSWORD userAccountControl flag set |
| Default Severity | High |
| What It Detects | User accounts where the userAccountControl attribute includes the DONT_EXPIRE_PASSWORD flag (0x10000) |
| Excludes | gMSAs and MSAs (which manage their own passwords) |
| Recommended Remediation | Remove the flag and require regular password changes. For service accounts, migrate to gMSAs where possible. |
Unconstrained Delegation
| Property | Value |
|---|---|
| Description | Detects accounts trusted for Kerberos unconstrained delegation |
| Default Severity | Critical |
| What It Detects | Accounts (users or computers) where userAccountControl includes the TRUSTED_FOR_DELEGATION flag (0x80000) |
| Excludes | Domain Controllers (which are trusted for delegation by design) |
| Recommended Remediation | Migrate to constrained delegation or resource-based constrained delegation. Unconstrained delegation lets the account impersonate any user who authenticates to it, to any service in the domain. |

Security Note: Unconstrained delegation is one of the most dangerous AD misconfigurations. When a user authenticates to a service trusted for unconstrained delegation, a copy of that user's TGT is cached in memory on the host running the service. An attacker who compromises that host or account can extract those TGTs and impersonate their owners, including Domain Admins, to any service in the domain.
Reversible Encryption
| Property | Value |
|---|---|
| Description | Detects accounts storing passwords with reversible encryption |
| Default Severity | High |
| What It Detects | Accounts where userAccountControl includes the ENCRYPTED_TEXT_PWD_ALLOWED flag (0x0080) |
| Excludes | None |
| Recommended Remediation | Remove the flag and force the user to change their password. Clearing the flag alone is not enough: the current password stays stored in recoverable form until the next password change. Reversible encryption is equivalent to storing the password in plaintext for anyone who can read the directory database. |
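The three userAccountControl checks above (Password Never Expires, Unconstrained Delegation, Reversible Encryption) can all be expressed as LDAP bitwise-AND queries. The following is an added example using the ActiveDirectory module, not IdentityCenter's own detection code; it assumes read access to the domain, and the domain-controller exclusion is implemented by testing the SERVER_TRUST_ACCOUNT bit, which is an assumption about how the page's "Domain Controllers" exclusion is meant.

```powershell
# Added example, not IdentityCenter code: query the userAccountControl bits behind
# the Password Never Expires, Unconstrained Delegation and Reversible Encryption
# policies. Assumes the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-RiskyUacAccount {
    # LDAP_MATCHING_RULE_BIT_AND: (attr:OID:=mask) matches when (attr & mask) != 0
    $bitAnd = '1.2.840.113556.1.4.803'
    # Real user objects only; excludes computers and the computer-derived gMSA/MSA classes
    $person = '(objectCategory=person)(objectClass=user)'

    $checks = @(
        [pscustomobject]@{
            Policy = 'Password Never Expires'     # DONT_EXPIRE_PASSWORD = 0x10000
            Filter = "(&${person}(userAccountControl:${bitAnd}:=$(0x10000)))"
        }
        [pscustomobject]@{
            Policy = 'Unconstrained Delegation'   # TRUSTED_FOR_DELEGATION = 0x80000 on users or computers,
            # minus domain controllers, which carry SERVER_TRUST_ACCOUNT (0x2000) and are
            # trusted for delegation by design
            Filter = "(&(userAccountControl:${bitAnd}:=$(0x80000))(!(userAccountControl:${bitAnd}:=$(0x2000))))"
        }
        [pscustomobject]@{
            Policy = 'Reversible Encryption'      # ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
            Filter = "(&${person}(userAccountControl:${bitAnd}:=$(0x80)))"
        }
    )

    foreach ($c in $checks) {
        # Get-ADObject rather than Get-ADUser so computer accounts with delegation are included
        Get-ADObject -LDAPFilter $c.Filter -Properties sAMAccountName, userAccountControl |
            ForEach-Object {
                [pscustomobject]@{
                    Policy             = $c.Policy
                    SamAccountName     = $_.sAMAccountName
                    ObjectClass        = $_.ObjectClass
                    UserAccountControl = '0x{0:X}' -f [int]$_.userAccountControl
                }
            }
    }
}

# Usage
Get-RiskyUacAccount | Sort-Object Policy, SamAccountName | Format-Table -AutoSize
```

Letting the directory evaluate the bit test server-side keeps the result set small even in large domains; pulling every account and testing the flag client-side would return the whole directory for each check.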
Orphaned Admin Accounts
| Property | Value |
|---|---|
| Description | Detects privileged accounts that belong to users who have left the organization or have no valid manager |
| Default Severity | Critical |
| What It Detects | Accounts that are members of privileged groups (Domain Admins, Enterprise Admins, Schema Admins, Administrators) and have no manager assigned, or whose manager's account is disabled |
| Excludes | Built-in Administrator account |
| Recommended Remediation | Disable the orphaned admin account immediately, unless it is a documented break-glass account, and investigate whether it was used for unauthorized access. |
Excessive Group Membership
| Property | Value |
|---|---|
| Description | Detects users who belong to an unusually high number of groups |
| Default Threshold | More than 15 direct group memberships |
| Default Severity | Medium |
| What It Detects | User accounts with a direct group membership count exceeding the threshold |
| Excludes | Service accounts |
| Recommended Remediation | Review group memberships and remove unnecessary access. Flag the user for the next access review campaign. |
Tip: A high group count often indicates accumulated access from role changes over time. This is sometimes called "privilege creep" and is a common finding in access reviews.
Compliance Policies
Compliance policies target conditions that may violate regulatory requirements or organizational governance standards.
Separation of Duties
| Property | Value |
|---|---|
| Description | Detects users who hold conflicting privileged group memberships |
| Default Severity | High |
| What It Detects | Users who are members of groups that are configured as conflicting pairs (e.g., AP-Requesters and AP-Approvers, or Finance and IT Admin) |
| Excludes | None |
| Recommended Remediation | Remove the user from one of the conflicting groups. If both are required, document the exception with a justification and time-bound approval. |
Privileged Group Size
| Property | Value |
|---|---|
| Description | Detects privileged groups with too many members |
| Default Threshold | More than 5 members in highly privileged groups |
| Default Severity | High |
| What It Detects | Groups designated as privileged (Domain Admins, Enterprise Admins, Schema Admins) with a direct member count exceeding the threshold. The count is of direct members only, so a nested group counts as one member; check effective membership as well when reviewing a violation. |
| Excludes | None |
| Recommended Remediation | Reduce group membership to the minimum required. Use just-in-time (JIT) access where possible rather than permanent privileged group membership. |
Unresolved Managers
| Property | Value |
|---|---|
| Description | Detects active accounts that have no valid manager assigned |
| Default Severity | Medium |
| What It Detects | Accounts where the manager attribute is null, empty, or points to a disabled or deleted account |
| Excludes | Service accounts, gMSAs |
| Recommended Remediation | Assign a valid manager. Accounts without managers cannot be included in manager-based access reviews. |
Stale Group Membership
| Property | Value |
|---|---|
| Description | Detects groups where a significant portion of members are inactive |
| Default Threshold | More than 50% of members have not logged in within 90 days |
| Default Severity | Medium |
| What It Detects | Groups where the inactive member percentage (computed by GroupInsightData) exceeds the threshold |
| Excludes | Distribution lists (which do not require logon activity) |
| Recommended Remediation | Review group membership and remove inactive members. Consider whether the group itself is still needed. |
Governance Policies
Governance policies enforce organizational standards and directory hygiene.
Empty Groups
| Property | Value |
|---|---|
| Description | Detects groups with zero members |
| Default Severity | Low |
| What It Detects | Groups where the member attribute is empty (no direct members). Membership held through a user's primaryGroupID is not recorded in member, so a group that is used as a primary group (Domain Users, for example) looks empty by this test. |
| Excludes | Built-in system groups |
| Recommended Remediation | Delete the empty group if it is no longer needed, or populate it if it was recently created for a planned use. |
Nested Group Depth
| Property | Value |
|---|---|
| Description | Detects groups that are nested more than the recommended depth |
| Default Threshold | More than 3 levels of nesting |
| Default Severity | Low |
| What It Detects | Groups where the nesting depth (computed by GroupInsightData) exceeds the threshold |
| Excludes | None |
| Recommended Remediation | Flatten the group structure. Deep nesting makes access difficult to audit and can cause unexpected permission inheritance. |
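The Privileged Group Size check counts direct members and the Nested Group Depth check walks the nesting tree. The following added example (not IdentityCenter code, and not GroupInsightData's algorithm) reproduces both with the ActiveDirectory module and also shows why the direct count alone undercounts: it reports effective membership through nesting and through primaryGroupID. It assumes the module is available and is run in the forest root domain, where Enterprise Admins and Schema Admins exist; the thresholds are the page's defaults.

```powershell
# Added example, not IdentityCenter code: reproduce the Privileged Group Size and
# Nested Group Depth checks and show how the direct member count undercounts.
# Assumes the ActiveDirectory module; Enterprise Admins and Schema Admins exist
# only in the forest root domain, so run it there or pass -Server to the cmdlets.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a DN containing \ * ( ) cannot break or alter the filter
    param([string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Get-GroupNestingDepth {
    # Depth = number of group levels below $GroupDn (0 when it contains no groups).
    # $Path holds the groups on the current descent, so circular nesting, which AD
    # permits, terminates instead of recursing forever.
    param([string]$GroupDn, [hashtable]$Path = @{})
    if ($Path.ContainsKey($GroupDn)) { return 0 }
    $next = $Path.Clone(); $next[$GroupDn] = $true
    $filter  = "(&(objectClass=group)(memberOf=$(ConvertTo-LdapFilterValue $GroupDn)))"
    $deepest = -1
    foreach ($child in @(Get-ADGroup -LDAPFilter $filter)) {
        $d = Get-GroupNestingDepth -GroupDn $child.DistinguishedName -Path $next
        if ($d -gt $deepest) { $deepest = $d }
    }
    return 1 + $deepest     # a leaf group yields 1 + (-1) = 0
}

function Get-PrivilegedGroupReport {
    param(
        [string[]]$GroupNames = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'),
        [int]$SizeThreshold   = 5,   # IdentityCenter defaults
        [int]$DepthThreshold  = 3
    )
    foreach ($name in $GroupNames) {
        $g  = Get-ADGroup -Identity $name -Properties member
        $dn = ConvertTo-LdapFilterValue $g.DistinguishedName

        # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) follows memberOf
        # transitively, so this counts members reached through any nesting depth.
        $effective = @(Get-ADObject -LDAPFilter "(&(memberOf:1.2.840.113556.1.4.1941:=$dn)(!(objectClass=group)))")

        # Membership through primaryGroupID lives on the user, not in member/memberOf,
        # and is a well-known way to hold privilege without appearing in the group.
        $rid        = $g.SID.Value.Split('-')[-1]
        $viaPrimary = @(Get-ADObject -LDAPFilter "(primaryGroupID=$rid)")

        $depth = Get-GroupNestingDepth -GroupDn $g.DistinguishedName
        [pscustomobject]@{
            Group             = $name
            DirectMembers     = @($g.member).Count
            EffectiveMembers  = $effective.Count + $viaPrimary.Count
            ViaPrimaryGroupId = $viaPrimary.Count
            NestingDepth      = $depth
            SizeViolation     = @($g.member).Count -gt $SizeThreshold
            DepthViolation    = $depth -gt $DepthThreshold
        }
    }
}

# Usage
Get-PrivilegedGroupReport | Format-Table -AutoSize
```

A group whose DirectMembers is within the threshold but whose EffectiveMembers is not is exactly the case the Nested Group Depth policy warns about: the access is real but invisible to anyone reading the group's member list.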
Missing Required Attributes
| Property | Value |
|---|---|
| Description | Detects accounts that are missing attributes considered required by organizational policy |
| Default Required Attributes | mail (email), department, manager |
| Default Severity | Low |
| What It Detects | Active user accounts where one or more of the configured required attributes are null or empty |
| Excludes | Service accounts, gMSAs, contacts |
| Recommended Remediation | Update the account with the missing information. Missing email addresses prevent notification delivery. Missing departments prevent proper organizational reporting. |
Customizing Built-In Policies
Changing Thresholds
For any threshold-based policy:
- Navigate to Governance > Policies
- Click the policy name
- Click Edit
- Adjust the threshold value
- Save
For example, you can change the stale account threshold from 90 days to 60 days for a stricter policy. Thresholds much below 14 days are not meaningful for the stale-account policies, because lastLogonTimestamp can lag a real logon by up to that long.
Changing Severity
If a built-in policy's default severity does not match your organization's risk tolerance:
- Edit the policy
- Change the severity level (Critical, High, Medium, Low, Info)
- Save
Changing Actions
Each built-in policy can be configured with different remediation actions:
| Action | Description |
|---|---|
| Log Only | Record the violation without notification |
| Send Alert | Email notification to designated recipients |
| Create Ticket | Open a ServiceNow or Jira ticket |
| Disable Account | Disable the account via AD write-back |
| Flag for Review | Add to the next access review campaign |
| Remove from Group | Remove the group membership via AD write-back |
| Force Password Reset | Require the user to change their password at next logon |
Adding Exceptions
To exclude specific accounts or groups from a built-in policy:
- Edit the policy
- Navigate to the Exceptions section
- Add users, groups, or attribute-based rules
- Provide a justification
- Save
Disabling a Built-In Policy
If a policy is not relevant to your environment:
- Edit the policy
- Toggle Enabled to Off
- Save
Disabled policies do not evaluate or generate violations, but they remain in the list and can be re-enabled at any time.
Next Steps