Pau Lo
asked on
high risk AD groups.
Is there a hierarchy of perhaps the top 5 most powerful default groups in Active Directory? I see Domain Admins mentioned quite a lot, but I wondered if there were others to be concerned about, as we need to review memberships for the high-privilege groups across the domain.
I would add Account Operators to the list.
I would add your own custom groups. For example, I create a Workstation Admins group for IT support.
ASKER
thank you, re:
1) Accounts that have been delegated rights to the root and one level down. Many times administrators wrongly assign permissions, which will come back as a risk.
2) Re-validating delegated access. Ideally, access should be segregated using security groups, and each role should have a security group with delegated rights to perform the minimal set of activities we want to delegate. E.g. helpdesk team members need access only to reset passwords and unlock user accounts. They shouldn't have any other rights.
How would you identify/validate such situations as the above. Are there any commands in powershell that could identify if that's been setup (rightly or wrongly).
Hello,
You need to rely on ACL scripts.
Here is one which you can give a try.
https://securityonline.info/ad-acl-scanner/
Cheers !
Shaba
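The two checks the asker describes (membership of the built-in high-privilege groups, and non-default rights delegated on the domain root and its first-level OUs), as an added PowerShell example that is not from this thread or the linked scanner. It assumes the RSAT ActiveDirectory module and read access to the domain; the list of principals to ignore is an assumption to tune per domain.

```powershell
# Added example: audit privileged group membership and delegated ACEs.
# Assumes RSAT ActiveDirectory module (provides the AD: drive) and domain read access.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# Built-in groups that grant, or can be escalated to, full domain control.
$privilegedGroups = @(
    'Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators',
    'Print Operators', 'DnsAdmins', 'Group Policy Creator Owners'
)

# Recursive membership, so accounts hidden behind nested groups are not missed.
foreach ($g in $privilegedGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    [pscustomobject]@{ Group = $g; Members = ($members.SamAccountName -join ', ') }
}

# Principals whose ACEs on the root are expected (assumption: adjust for your domain).
$ignore = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Pre-Windows 2000 Compatible Access',
    "$($domain.NetBIOSName)\Domain Admins", "$($domain.NetBIOSName)\Enterprise Admins"
)

# Domain root plus its first-level OUs: where wrongly delegated rights usually appear.
$containers = @($domain.DistinguishedName) +
    (Get-ADOrganizationalUnit -Filter * -SearchBase $domain.DistinguishedName -SearchScope OneLevel).DistinguishedName

# Rights that let a principal take over objects or the container itself.
$dangerous = 'GenericAll|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|CreateChild|DeleteChild'

foreach ($dn in $containers) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        # Only explicit Allow entries set on this container, not ones inherited from above.
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
        if ($ignore -contains $ace.IdentityReference.Value) { continue }
        if ($ace.ActiveDirectoryRights.ToString() -notmatch $dangerous) { continue }
        [pscustomobject]@{
            Container           = $dn
            Identity            = $ace.IdentityReference.Value
            Rights              = $ace.ActiveDirectoryRights
            ObjectType          = $ace.ObjectType          # attribute/right GUID; all-zero GUID = everything
            InheritedObjectType = $ace.InheritedObjectType # object class the ACE applies to
        }
    }
}
```

Each reported identity should map to a documented role group with a known minimal set of rights (e.g. helpdesk: reset password and unlock only); anything else, or any individual user account in the output, is what to review.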