asked on
high risk AD groups.
Is there a hierarchy of perhaps the top 5 most powerful default groups in Active Directory. I see domain admins mentioned quite a lot but I wondered if there were others to concern about as we need to review memberships for the high privilege groups across the domain.
SecurityWindows OSActive DirectoryWindows 10Azure
Last Comment
Shabarinath TR
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
I would add Account Operators to the list.
I would add your own custom groups. For example, I create a Workstation Admins group for IT support.
ASKER
thank you, re:
How would you identify/validate such situations as the above. Are there any commands in powershell that could identify if that's been setup (rightly or wrongly).
1) Accounts who got delegated rights to the root and one level down - Many times - administrators wrongly assign permissions which will come back as a risk
2) Re validating delegated access - Ideally, Access should be segregated using security groups. And each role should have a security group which has delegated rights to perform the minimal set of activities we want to delegate. Eg - Helpdesk team members needs access only to reset the password and unlock a user account. The shouldnt have any other rights.
How would you identify/validate such situations as the above. Are there any commands in powershell that could identify if that's been setup (rightly or wrongly).
Hello,
You need to relay on ACL scripts.
Here is one which you can give a try.
https://securityonline.info/ad-acl-scanner/
Cheers !
Shaba
You need to relay on ACL scripts.
Here is one which you can give a try.
https://securityonline.info/ad-acl-scanner/
Cheers !
Shaba