- Printers and Scanners
- Windows Server 2012
- Active Directory
high risk AD groups.
Is there a hierarchy of perhaps the top 5 most powerful default groups in Active Directory. I see domain admins mentioned quite a lot but I wondered if there were others to concern about as we need to review memberships for the high privilege groups across the domain.
Enterprise Admins
Schema Admins
Administrators
Backup Operators
Server Operators
Local Administrator Groups on computers
Schema Admins
Administrators
Backup Operators
Server Operators
Local Administrator Groups on computers
Hello,
These are the builtin groups which should be the starting point.
1) Domain Admins
2) Enterprise Admins
3) Schema Admins
4) Administrators
5) Backup Administrators
6) Server Administrators
These are the key groups which I will look first. Review the group membership and ensure that minimal users exists.
However, that doesn't mean that we are all good.
Still need to continue looking at other areas.
1) Accounts who got delegated rights to the root and one level down - Many times - administrators wrongly assign permissions which will come back as a risk
2) Re validating delegated access - Ideally, Access should be segregated using security groups. And each role should have a security group which has delegated rights to perform the minimal set of activities we want to delegate. Eg - Helpdesk team members needs access only to reset the password and unlock a user account. The shouldnt have any other rights.
3) Stale account - Always look for stale accounts. Look for attributes like last logon timestamp, lasts password reset, password expired etc and keep the accounts disabled if found inactive for more than certain period.
There are many more like this !
Cheers.
These are the builtin groups which should be the starting point.
1) Domain Admins
2) Enterprise Admins
3) Schema Admins
4) Administrators
5) Backup Administrators
6) Server Administrators
These are the key groups which I will look first. Review the group membership and ensure that minimal users exists.
However, that doesn't mean that we are all good.
Still need to continue looking at other areas.
1) Accounts who got delegated rights to the root and one level down - Many times - administrators wrongly assign permissions which will come back as a risk
2) Re validating delegated access - Ideally, Access should be segregated using security groups. And each role should have a security group which has delegated rights to perform the minimal set of activities we want to delegate. Eg - Helpdesk team members needs access only to reset the password and unlock a user account. The shouldnt have any other rights.
3) Stale account - Always look for stale accounts. Look for attributes like last logon timestamp, lasts password reset, password expired etc and keep the accounts disabled if found inactive for more than certain period.
There are many more like this !
Cheers.
I would add your own custom groups. For example, I create a Workstation Admins group for IT support.
thank you, re:
How would you identify/validate such situations as the above. Are there any commands in powershell that could identify if that's been setup (rightly or wrongly).
1) Accounts who got delegated rights to the root and one level down - Many times - administrators wrongly assign permissions which will come back as a risk
2) Re validating delegated access - Ideally, Access should be segregated using security groups. And each role should have a security group which has delegated rights to perform the minimal set of activities we want to delegate. Eg - Helpdesk team members needs access only to reset the password and unlock a user account. The shouldnt have any other rights.
How would you identify/validate such situations as the above. Are there any commands in powershell that could identify if that's been setup (rightly or wrongly).
Hello,
You need to relay on ACL scripts.
Here is one which you can give a try.
https://securityonline.info/ad-acl-scanner/
Cheers !
Shaba
You need to relay on ACL scripts.
Here is one which you can give a try.
https://securityonline.info/ad-acl-scanner/
Cheers !
Shaba
Explore More ContentExplore courses, solutions, and other research materials related to this topic.
-
![]()
received a Solution
Built in AD groups and user unable to manage printers server 2012 when assigning permissions. -
![]()
wrote an Article
![]()
Website Risk Assessment - Where Do You Start?
-
![]()
created a Video
![]()
[Webinar] Are Unknown Privileged Accounts Putting You At Risk?
-
Explore Cloud Class® ![]()
Monitoring and Operating a Private Cloud with System Center 2012 R2
Premium Content
You need an Expert Office subscription to comment.Start Free Trial