
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 367

Finding all administrators in a domain/ OU

I have a requirement to find and justify all domain administrators / users with domain administrative permissions in my three domains to SOX auditors.  I must be able to prove that there are no other administrative privileged accounts that have access to my financial data other than the ones that I document.  Is there an easy way to accomplish this?

Using Windows 2003 Server
3 Solutions
You have to start with the folders where the data is stored.  You can look at the NTFS security on the folder then look at the group membership for the groups that have Read/Write or Admin privileges.

There are Resource Kit tools to dump the ACLs on the folder and one to show membership of groups you find.

rosenblumm (Author) commented:
Perhaps you're not understanding the question.  Folder permissions will only show users who have permissions to a folder.  I need to have users who are domain admins.  Domain admins by default will have "Full Control" in NTFS unless they are specifically removed.  However, that doesn't find all administrators, just domain admins.  

Many service accounts and other specific accounts must have administrative rights to all domain computers to function correctly (SMS, ePO, backup software, etc).  I need to be able to show the auditors an AD-generated list.  I could make a list myself (I do know all of my admin accounts), but that would defeat the purpose of the audit, as I could easily modify any data I wanted to.

If you know of a resource kit tool that will accomplish this, please let me know.

Thank you,
That's correct - but Domain Admins will show up in the ACLs on that specific folder as being inherited.  You can specifically add Deny to Read rights to prevent them from accessing the folder.

Every ACL on the folder will reflect what groups have access - you cannot hide that fact - they will be present on the Security tab of the folder.

Showacls.exe will show all permissions on whatever you specify.
There was a Group tool, but I can't seem to find it.  DSQUERY will work.


Hi Michael

So do you just want to do a dump of all accounts in the domain that are a member of the Domain Admins group?  It's easily achievable via scripting, but will this fit the requirements of the audit?  If so, let me know, and I'll write it up for you.  Something along the lines of recursively going through your AD structure, and listing all user accounts that are members of the administrator groups, such as schema admins, enterprise admins, and so on.

Have a look at this document for common SIDs you may want to query on:  http://support.microsoft.com/kb/243330

rosenblumm (Author) commented:
How about an LDAP query looking for SIDs with all admins in it.  I'm horrible at scripting, but I'll see if I can get that to work.  
Simplest way would be a dsquery dsget...

make a batch file with the following:

rem Enterprise Admins exists only in the forest root domain, so that line returns nothing in a child domain.
rem ">>" appends, so delete any old copy of the output file before running this again.
dsquery group -name "domain admins" | dsget group -members -expand >> c:\AdminsOnDomainA.txt
dsquery group -name "administrators" | dsget group -members -expand >> c:\AdminsOnDomainA.txt
dsquery group -name "Enterprise Admins" | dsget group -members -expand >> c:\AdminsOnDomainA.txt

That would basically give you all the real admin accounts on the domainA and throw them into the text file.
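The recursive approach suggested earlier in the thread, written out as an added example (not code posted by anyone in this thread): it uses plain ADSI, which is present on Windows 2003 without extra tools, locates the privileged groups by their well-known SIDs from KB 243330 instead of by name (so a renamed group is still caught), expands nested groups with cycle protection, and also picks up accounts whose primary group is Domain Admins, which do not appear in the group's member attribute. The output path and the domain it binds to are assumptions.

```powershell
# Bind to the current domain and derive its SID for the RID-based group SIDs.
$domain = [ADSI]"LDAP://$([string]([ADSI]'LDAP://RootDSE').defaultNamingContext)"
$domSid = New-Object Security.Principal.SecurityIdentifier `
            -ArgumentList $domain.Properties['objectSid'].Value, 0
# Enterprise/Schema Admins exist only in the forest root domain; elsewhere the
# lookup returns nothing and a warning is printed instead.
$targets = @{
    'Administrators'    = 'S-1-5-32-544'
    'Domain Admins'     = "$($domSid.Value)-512"
    'Schema Admins'     = "$($domSid.Value)-518"
    'Enterprise Admins' = "$($domSid.Value)-519"
}

function Find-BySid([string]$sid) {
    $s = New-Object DirectoryServices.DirectorySearcher -ArgumentList $domain, "(objectSid=$sid)"
    $r = $s.FindOne()
    if ($r) { $r.GetDirectoryEntry() }
}

# Recursive expansion; the visited set stops nested and circular groups looping.
function Expand-Group($group, $seen, $out) {
    if (-not $seen.Add([string]$group.distinguishedName)) { return }
    foreach ($dn in $group.Properties['member']) {
        $m = [ADSI]"LDAP://$dn"
        if (@($m.Properties['objectClass']) -contains 'group') { Expand-Group $m $seen $out }
        else { $out[[string]$m.distinguishedName] = [string]$m.sAMAccountName }
    }
}

$seen  = New-Object 'System.Collections.Generic.HashSet[string]'
$users = @{}
foreach ($name in $targets.Keys) {
    $g = Find-BySid $targets[$name]
    if (-not $g) { Write-Warning "$name ($($targets[$name])) not found in this domain"; continue }
    Expand-Group $g $seen $users
}

# Accounts whose primary group is Domain Admins (RID 512) are not listed in its
# 'member' attribute, so query primaryGroupID separately.
$s = New-Object DirectoryServices.DirectorySearcher `
        -ArgumentList $domain, '(&(objectCategory=person)(primaryGroupID=512))'
foreach ($r in $s.FindAll()) {
    $users[[string]$r.Properties['distinguishedname'][0]] = [string]$r.Properties['samaccountname'][0]
}

# One line per account: sAMAccountName, tab, distinguishedName (assumed output path).
$users.GetEnumerator() | Sort-Object Name |
    ForEach-Object { "$($_.Value)`t$($_.Name)" } |
    Out-File -FilePath 'C:\AdminsOnDomainA.txt' -Encoding ASCII
```

Run it once per domain (it binds to the domain of the machine it runs on); members from trusted domains appear as foreign security principal DNs with no account name.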
