Pau Lo

asked on

high risk AD groups.

Is there a hierarchy of perhaps the top 5 most powerful default groups in Active Directory? I see Domain Admins mentioned quite a lot, but I wondered if there were others to be concerned about, as we need to review memberships for the high-privilege groups across the domain.
ASKER CERTIFIED SOLUTION
Adam Leinss
I would add Account Operators to the list.
I would add your own custom groups. For example, I create a Workstation Admins group for IT support.
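The thread lists groups to review but not how to pull their membership. The script below is an added example, not code from the thread or from Experts Exchange: it resolves the default privileged groups by well-known SID/RID (so renamed or localized groups are still found), expands nested membership, and then cross-checks against accounts still carrying adminCount=1, which AdminSDHolder sets on members of protected groups and never clears. It assumes the ActiveDirectory RSAT module; Account Operators and the other operator groups are included because they can modify or reach accounts and servers without being Domain Admins.

```powershell
# Added example (not from the thread): review membership of the high-privilege default AD groups.
# Assumes the ActiveDirectory RSAT module; any authenticated domain user can read group membership by default.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value

# Well-known SIDs/RIDs. Enterprise Admins (519) and Schema Admins (518) exist only in the forest root domain,
# so they are skipped quietly when this runs in a child domain.
$privileged = [ordered]@{
    'Enterprise Admins' = "$domainSid-519"
    'Domain Admins'     = "$domainSid-512"
    'Schema Admins'     = "$domainSid-518"
    'Administrators'    = 'S-1-5-32-544'
    'Account Operators' = 'S-1-5-32-548'
    'Server Operators'  = 'S-1-5-32-549'
    'Backup Operators'  = 'S-1-5-32-551'
    'Print Operators'   = 'S-1-5-32-550'
}

$groupDns = @()
$report = foreach ($name in $privileged.Keys) {
    $group = Get-ADGroup -Identity $privileged[$name] -ErrorAction SilentlyContinue
    if (-not $group) { continue }
    $groupDns += $group.DistinguishedName
    # -Recursive expands nested groups, so a user who is only a member through nesting is still listed.
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Group       = $name
            Member      = $_.SamAccountName
            ObjectClass = $_.objectClass
            DN          = $_.DistinguishedName
        }
    }
}
$report | Sort-Object Group, Member | Format-Table -AutoSize

# Cross-check: objects with adminCount=1 that are not effective members of any of the groups above were
# privileged at some point and still carry the AdminSDHolder ACL. The groups themselves and krbtgt are expected;
# anything else is worth a look.
$current = @($report | Select-Object -ExpandProperty DN -Unique) + $groupDns
Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' -Properties adminCount |
    Where-Object { $current -notcontains $_.DistinguishedName -and $_.Name -ne 'krbtgt' } |
    Select-Object Name, ObjectClass, DistinguishedName
```

Get-ADGroupMember can fail on foreign security principals from trusted domains and on very large groups (the ADWS default limit is 5000 members); if a group returns nothing where you expect members, read its member attribute with Get-ADGroup -Properties member and resolve the entries yourself.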
Pau Lo

ASKER

Thank you. Re:
1) Accounts that got delegated rights to the root and one level down - many times administrators wrongly assign permissions, which will come back as a risk.
2) Re validating delegated access - ideally, access should be segregated using security groups, and each role should have a security group which has delegated rights to perform the minimal set of activities we want to delegate. E.g. helpdesk team members need access only to reset the password and unlock a user account. They shouldn't have any other rights.

How would you identify/validate such situations as the above? Are there any commands in PowerShell that could identify if that's been set up (rightly or wrongly)?
Hello,

You need to rely on ACL scripts.
Here is one which you can give a try.

https://securityonline.info/ad-acl-scanner/ 

Cheers !
Shaba
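The linked ACL scanner is one option; the script below is an added example, not code from the thread or from that tool, showing the same check with the built-in cmdlets for the two points the asker raised: explicit Allow ACEs on the domain head and every object one level below it that grant write-class or extended rights to anyone outside the default privileged principals, and a validation that a delegated helpdesk group holds nothing beyond password reset and unlock. It assumes the ActiveDirectory RSAT module (for the AD: drive); the list of expected trustees and the group name Helpdesk are assumptions to adapt to your own forest.

```powershell
# Added example (not from the thread): find non-default write/extended rights on the domain head and one level
# down, and validate a delegated helpdesk role. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName
$rootDse = Get-ADRootDSE

# Resolve ACE ObjectType GUIDs to attribute and extended-right names from the schema and the Extended-Rights
# container, so "WriteProperty on lockoutTime" reads as Lockout-Time instead of a bare GUID.
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).Guid] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).Guid] = $_.name }

# Rights that let a trustee change objects, their ACLs, or run extended operations (password reset, replication).
$dangerous = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty',
             'ExtendedRight', 'Self', 'CreateChild', 'DeleteChild'

# Trustees that hold such rights on the domain head by default. Assumption: extend this for your forest
# (Exchange groups, AAD Connect accounts, ...) once you have confirmed they are legitimate.
$expected = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators', "$netbios\Domain Admins", "$netbios\Enterprise Admins",
    "$netbios\Domain Controllers", "$netbios\Key Admins", "$netbios\Enterprise Key Admins"
)

# Domain head plus its direct children (top-level OUs and containers such as Users, Computers, System).
$targets = @(Get-ADObject -Identity $domain.DistinguishedName) +
           @(Get-ADObject -SearchBase $domain.DistinguishedName -SearchScope OneLevel -Filter *)

$findings = foreach ($obj in $targets) {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        # Explicit Allow ACEs only: inherited ones on the children were already seen on the domain head.
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IsInherited) { continue }
        $rights = ($ace.ActiveDirectoryRights.ToString() -split ',\s*') | Where-Object { $dangerous -contains $_ }
        if (-not $rights) { continue }
        if ($expected -contains $ace.IdentityReference.Value) { continue }
        # An all-zero ObjectType means the right applies to every attribute / extended right.
        $ot = $ace.ObjectType.Guid
        $appliesTo = if ($ot -eq '00000000-0000-0000-0000-000000000000') { '(all)' }
                     elseif ($guidMap.ContainsKey($ot)) { $guidMap[$ot] } else { $ot }
        [pscustomobject]@{
            Object    = $obj.DistinguishedName
            Trustee   = $ace.IdentityReference.Value
            Rights    = ($rights -join ',')
            AppliesTo = $appliesTo
            Inherit   = $ace.InheritanceType
        }
    }
}
$findings | Sort-Object Object, Trustee | Format-Table -AutoSize

# Validate a delegated role (assumed group name "Helpdesk"): reset password and unlock account means the
# User-Force-Change-Password extended right and WriteProperty on Lockout-Time, nothing else.
$allowedForHelpdesk = 'User-Force-Change-Password', 'Lockout-Time'
$findings | Where-Object { $_.Trustee -eq "$netbios\Helpdesk" -and $allowedForHelpdesk -notcontains $_.AppliesTo } |
    Format-Table Object, Rights, AppliesTo -AutoSize
```

Anything the last filter prints is a right the helpdesk group was given beyond its stated role (GenericAll on an OU, WriteDacl, a reset right scoped to "(all)" rather than the user class, and so on). Delegations are usually placed deeper than one level, so rerun with -SearchScope Subtree once the top of the tree is clean, and keep the output as a baseline so the next review only has to explain the differences.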