Understanding & Mitigating BadSuccessor
ID: b165c88e-c713-5f12-a156-90c0cf4ab17e
STIX ID: report--b165c88e-c713-5f12-a156-90c0cf4ab17e
Feed Name: SpecterOps Blog
BadSuccessor is a new Active Directory attack primitive that abuses delegated Managed Service Accounts (dMSAs). Its only prerequisites are a Windows Server 2025 domain controller in the domain and a generated KDS root key; the domain does not need to use dMSAs itself. An attacker who can create or modify a dMSA sets msDS-ManagedAccountPrecededByLink (together with the related migration-state attribute) to point at a target account; the KDC then treats the dMSA as that account's successor and issues a Kerberos TGT carrying the target's identity and privileges, up to Domain Admin, so full forest compromise follows. The report walks through the attack steps, identifies the root causes (the KDC's blind trust in the link attribute, and AD DACL and object-ownership behaviours that let low-privileged principals create or take over dMSA objects), proposes layered mitigations (deny ACEs in OU DACLs, blocking implicit owner rights via dSHeuristics, restricting LDAP Add of dMSA objects, and audit/detection guidance), and supplies PowerShell tooling and guidance for defenders.
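The two DACL-side mitigations the summary lists, auditing who can introduce a dMSA and then denying that right, can be illustrated with the following PowerShell. This is an added example written for this page, not the SpecterOps tooling the report ships. It assumes the RSAT ActiveDirectory module (and its AD: PSDrive), rights to read and modify OU DACLs, and a forest whose schema already contains the msDS-DelegatedManagedServiceAccount class; the function names, the trusted-SID list and the default principal passed to the deny function are this example's own choices.

```powershell
# Added example, not the report's tooling. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of the dMSA object class from the schema instead of
# hard-coding it. If the class is absent the forest has no Server 2025 schema and
# BadSuccessor does not apply.
function Get-DmsaClassGuid {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
    if (-not $cls) { throw 'msDS-DelegatedManagedServiceAccount is not in the schema; BadSuccessor is not applicable here.' }
    return [guid]$cls.schemaIDGUID
}

# Audit: report every OU/container where a principal outside a small trusted set holds
# an Allow ACE that lets it introduce a dMSA. CreateChild is reported when it is either
# unscoped (ObjectType empty; GenericAll includes this bit) or scoped to the dMSA class;
# WriteDacl and WriteOwner are reported because they let the holder grant itself CreateChild.
function Find-DmsaCreateRights {
    $dmsaGuid  = Get-DmsaClassGuid
    $domainSid = (Get-ADDomain).DomainSID.Value
    # Trusted set (assumption for this example): SYSTEM, BUILTIN\Administrators,
    # Domain Admins (RID 512) and Enterprise Admins (RID 519).
    $trusted = @('S-1-5-18', 'S-1-5-32-544', "$domainSid-512", "$domainSid-519")

    $containers = Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container)(objectClass=domainDNS))' -SearchScope Subtree
    foreach ($c in $containers) {
        $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            $rights = $ace.ActiveDirectoryRights
            $canCreate = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -and
                         ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $dmsaGuid)
            $canGrant  = $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl) -or
                         $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteOwner)
            if (-not ($canCreate -or $canGrant)) { continue }

            # Compare by SID so renamed or well-known groups are matched reliably;
            # unresolvable (orphaned) SIDs are reported as-is rather than skipped.
            try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $ace.IdentityReference.Value }
            if ($trusted -contains $sid) { continue }

            [pscustomobject]@{
                Container  = $c.DistinguishedName
                Principal  = $ace.IdentityReference.Value
                Rights     = $rights
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# Mitigation: add an inheritable Deny ACE for CreateChild scoped to the dMSA class only,
# so other child-object creation in the OU is unaffected.
function Add-DmsaCreateDenyAce {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        # Default chosen for this example; pass the over-privileged principal the audit found.
        [string]$Principal = 'NT AUTHORITY\Authenticated Users'
    )
    $dmsaGuid = Get-DmsaClassGuid
    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path
    $identity = New-Object System.Security.Principal.NTAccount($Principal)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $dmsaGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Usage: audit first, then deny on each container the audit flags.
# Find-DmsaCreateRights | Format-Table -AutoSize
# Add-DmsaCreateDenyAce -OuDistinguishedName 'OU=Workstations,DC=corp,DC=example' -Principal 'CORP\Helpdesk'
```

Two caveats when applying the deny. A Deny ACE on a broad group such as Authenticated Users also blocks Domain Admins from creating dMSAs in that subtree, because AD evaluates explicit Deny before explicit Allow and inherited Deny before inherited Allow; if administrators must still create dMSAs, place the deny high in the tree and grant an explicit Allow on a dedicated OU, since an explicit ACE on a child overrides an inherited one. And a deny on CreateChild does nothing about principals who already hold WriteDacl, WriteOwner or ownership of the container, which is why the audit above reports those rights as well and why the report pairs the DACL change with the dSHeuristics implicit-owner-rights hardening.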
