Pau Lo asked:

high risk AD groups.

Is there a hierarchy of perhaps the top 5 most powerful default groups in Active Directory? I see Domain Admins mentioned quite a lot, but I wondered if there were others to be concerned about, as we need to review memberships for the high-privilege groups across the domain.

Tags: Security, Windows OS, Active Directory, Windows 10, Azure
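As an added example (not code from the thread or from any of the posters), the PowerShell below enumerates the recursive membership of the privileged default groups discussed here (Domain Admins, Enterprise Admins, Schema Admins, Group Policy Creator Owners, Administrators and the Account/Server/Print/Backup Operators groups), looking each up by well-known SID rather than by name, and then lists accounts that still carry adminCount=1 without being in any of them. It assumes the RSAT ActiveDirectory module and an account with read access to the domain.

```powershell
# Added example, not code from the thread. Enumerates the recursive membership
# of the privileged default groups and flags stale AdminSDHolder-protected
# accounts. Requires the RSAT ActiveDirectory module; run as a domain user with
# read access. Group lookup is by well-known SID so it is language-independent.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value

# Domain groups are <DomainSID>-<RID>; BUILTIN groups have fixed SIDs.
# Enterprise Admins and Schema Admins exist only in the forest root domain.
$privilegedSids = [ordered]@{
    'Domain Admins'               = "$domainSid-512"
    'Enterprise Admins'           = "$domainSid-519"
    'Schema Admins'               = "$domainSid-518"
    'Group Policy Creator Owners' = "$domainSid-520"
    'Administrators'              = 'S-1-5-32-544'
    'Account Operators'           = 'S-1-5-32-548'
    'Server Operators'            = 'S-1-5-32-549'
    'Print Operators'             = 'S-1-5-32-550'
    'Backup Operators'            = 'S-1-5-32-551'
}

$membership = foreach ($entry in $privilegedSids.GetEnumerator()) {
    try {
        $group = Get-ADGroup -Identity $entry.Value
    } catch {
        continue   # e.g. Enterprise Admins when querying a child domain
    }
    # -Recursive flattens nesting, so a user hidden three groups deep still shows up
    foreach ($m in Get-ADGroupMember -Identity $group -Recursive) {
        $enabled = $null
        if ($m.objectClass -eq 'user') {
            $enabled = (Get-ADUser -Identity $m.DistinguishedName -Properties Enabled).Enabled
        }
        [pscustomobject]@{
            Group       = $entry.Key          # canonical name; $group.Name may be localized
            Member      = $m.SamAccountName
            ObjectClass = $m.objectClass
            Enabled     = $enabled
            DN          = $m.DistinguishedName
        }
    }
}

'== Recursive membership of privileged groups =='
$membership | Sort-Object Group, Member | Format-Table Group, Member, ObjectClass, Enabled -AutoSize

# Accounts with adminCount=1 are (or once were) protected by AdminSDHolder.
# Any that no longer appear in a privileged group are leftovers: they keep a
# non-inheriting ACL and are easy to miss in a group-by-group review.
$currentlyPrivileged = $membership | Where-Object ObjectClass -eq 'user' |
    Select-Object -ExpandProperty DN -Unique
$stale = Get-ADUser -LDAPFilter '(adminCount=1)' |
    Where-Object { $currentlyPrivileged -notcontains $_.DistinguishedName }

'== adminCount=1 accounts not in any listed privileged group =='
$stale | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
```

Two practical caveats: Get-ADGroupMember -Recursive fails on members that are foreign security principals from a trusted domain (and the AD web service caps results at 5000 members by default), so large or cross-forest groups may need Get-ADGroup -Properties member with manual recursion; and DnsAdmins is not in the list because it has no fixed RID, so add it by name if DNS runs on your domain controllers.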

Last comment: Shabarinath TR, 8/22/2022 (Mon)
ASKER CERTIFIED SOLUTION
Adam Leinss
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
SOLUTION
Shabarinath TR
kevinhsieh

I would add Account Operators to the list.
Lee W, MVP

I would add your own custom groups. For example, I create a Workstation Admins group for IT support.
Pau Lo

ASKER
Thank you. Re:
1) Accounts who got delegated rights to the root and one level down - many times, administrators wrongly assign permissions, which will come back as a risk
2) Re-validating delegated access - ideally, access should be segregated using security groups, and each role should have a security group which has delegated rights to perform the minimal set of activities we want to delegate. E.g. helpdesk team members need access only to reset the password and unlock a user account. They shouldn't have any other rights.

How would you identify/validate such situations as the above? Are there any commands in PowerShell that could identify if that's been set up (rightly or wrongly)?
Shabarinath TR

Hello,

You need to rely on ACL scripts.
Here is one which you can give a try.

https://securityonline.info/ad-acl-scanner/ 

Cheers !
Shaba
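As an added example of the ACL-script approach Shaba points to (this is not the linked scanner and not code from the thread), the PowerShell below answers the asker's two follow-up points: it scans the domain head and every first-level OU/container for explicit Allow ACEs held by trustees other than the expected defaults, and then checks that a delegation group holds only the reset-password and unlock rights on its target OU. The group name "Helpdesk" and the target "OU=Users,<domain>" are assumptions for the example; the control GUIDs are resolved from the schema and Extended-Rights containers rather than hardcoded. It assumes the RSAT ActiveDirectory module, whose AD: drive is what Get-Acl reads from.

```powershell
# Added example, not code from the thread. Scans the domain head and its
# first-level OUs/containers for explicit ACEs held by trustees other than
# the expected defaults, then checks that a delegation group (here the
# assumed name "Helpdesk") holds only reset-password and unlock rights.
# Requires the RSAT ActiveDirectory module (its AD: drive is what Get-Acl uses).
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$rootDn  = $domain.DistinguishedName
$nb      = $domain.NetBIOSName
$rootDse = Get-ADRootDSE

# Resolve control GUIDs from the directory instead of hardcoding them.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $er = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$er.rightsGuid
}
function Get-AttributeGuid([string]$LdapDisplayName) {
    $attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$attr.schemaIDGUID     # stored as a byte array
}
$resetPasswordGuid = Get-ExtendedRightGuid 'Reset Password'   # User-Force-Change-Password
$lockoutTimeGuid   = Get-AttributeGuid   'lockoutTime'        # writable => can unlock

# Trustees that legitimately hold broad rights at the domain head by default.
$expectedTrustees = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'BUILTIN\Administrators', "$nb\Domain Admins", "$nb\Enterprise Admins",
    "$nb\Domain Controllers", "$nb\Read-only Domain Controllers",
    "$nb\Enterprise Read-only Domain Controllers", "$nb\Key Admins", "$nb\Enterprise Key Admins"
)
# Rights that let the holder take over an object, its ACL, or its children.
$riskyRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|CreateChild|DeleteChild|Self'

# The domain head plus one level down, as the thread describes.
$targets = @($rootDn) + (Get-ADObject -SearchBase $rootDn -SearchScope OneLevel `
    -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))').DistinguishedName

$findings = foreach ($dn in $targets) {
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        # Explicit Allow ACEs only: inherited ones were granted higher up and are reported there.
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IsInherited) { continue }
        if ($expectedTrustees -contains $ace.IdentityReference.Value) { continue }
        if ($ace.ActiveDirectoryRights -match $riskyRights) {
            [pscustomobject]@{
                Object  = $dn
                Trustee = $ace.IdentityReference.Value
                Rights  = $ace.ActiveDirectoryRights
                # Empty GUID = all properties / all extended rights, far broader than a
                # single-attribute delegation; treat it as near-full control.
                ObjectType          = $ace.ObjectType
                InheritedObjectType = $ace.InheritedObjectType
            }
        }
    }
}
'== Explicit risky ACEs on the domain head and first-level containers =='
$findings | Format-Table -AutoSize

# Validate a delegated role: everything the Helpdesk group holds on its target OU
# must be one of the two allowed ACEs; anything else is over-delegation.
$helpdeskGroup = "$nb\Helpdesk"                      # assumed group name
$helpdeskOu    = "OU=Users,$rootDn"                  # assumed delegation target
$allowed = @(
    @{ Rights = 'ExtendedRight'; Type = $resetPasswordGuid }
    @{ Rights = 'WriteProperty'; Type = $lockoutTimeGuid }
)
foreach ($ace in (Get-Acl -Path "AD:\$helpdeskOu").Access |
         Where-Object { $_.IdentityReference.Value -eq $helpdeskGroup }) {
    $match = $allowed | Where-Object {
        $ace.ActiveDirectoryRights -eq $_.Rights -and $ace.ObjectType -eq $_.Type
    }
    if ($match) { "OK        : $($ace.ActiveDirectoryRights) on $($ace.ObjectType)" }
    else        { "UNEXPECTED: $($ace.ActiveDirectoryRights) on $($ace.ObjectType) (InheritedObjectType $($ace.InheritedObjectType))" }
}
```

The first report will include WriteProperty ACEs scoped to a single attribute, which are often legitimate delegations; the point of listing them is that each one should be traceable to a documented role, and any with an empty ObjectType (all properties, or all extended rights, which covers the replication rights used for DCSync) deserve immediate attention. If the helpdesk role also includes "user must change password at next logon", the Delegation of Control wizard grants write on pwdLastSet as well, so add that attribute to the allowlist with Get-AttributeGuid rather than accepting it as an unexpected ACE.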