Securing Active Directory against exploitation by bad actors trying to leverage its privileges is a complex endeavor, made more difficult by the need to balance competing goals between endpoint administration and IT security teams. The complexity and depth of the directory system itself make it hard to find and fix the exposures and vulnerabilities that attackers seek to exploit. Clever attackers familiar with the directory system’s details can take any of the unique vulnerabilities or exposures and uncover an exponentially larger number of attack paths they can follow to get to their ultimate goal.