
High risk AD groups

Is there a hierarchy of perhaps the top 5 most powerful default groups in Active Directory? I see Domain Admins mentioned quite a lot, but I wondered if there were others to be concerned about, as we need to review memberships for the high-privilege groups across the domain.

Systems Administrator
Commented:
Enterprise Admins
Schema Admins
Administrators
Backup Operators
Server Operators

Local Administrator Groups on computers
Shabarinath Ramadasan, Infrastructure Architect
Commented:
Hello,
These are the built-in groups, which should be the starting point.
1) Domain Admins
2) Enterprise Admins
3) Schema Admins
4) Administrators
5) Backup Administrators
6) Server Administrators

These are the key groups which I will look at first. Review the group membership and ensure that only a minimal set of users exists.
However, that doesn't mean that we are all good.

Still need to continue looking at other areas.

1) Accounts that have been delegated rights at the domain root and one level down - many times administrators wrongly assign permissions, which will come back as a risk.
2) Re-validating delegated access - ideally, access should be segregated using security groups, and each role should have a security group that has delegated rights to perform only the minimal set of activities we want to delegate. E.g. helpdesk team members need access only to reset passwords and unlock user accounts. They shouldn't have any other rights.
3) Stale accounts - always look for stale accounts. Look at attributes like last logon timestamp, last password reset, password expired, etc., and keep accounts disabled if they are found inactive for more than a certain period.

There are many more like this !

Cheers.
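The stale-account check from point 3 of the answer above, as an added example (not code from the original thread). It assumes the ActiveDirectory module (RSAT) is available, uses a 90-day cutoff as an assumed threshold, and evaluates the attributes named above: last logon timestamp, last password set, and the password-expiry flags.

```powershell
# Added example, not from the original thread: find stale, still-enabled user accounts
# from the attributes listed in the answer. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$InactiveDays = 90                           # assumed threshold; adjust to your policy
$Cutoff = (Get-Date).AddDays(-$InactiveDays)

# lastLogonTimestamp is replicated between DCs but is only refreshed when the stored
# value is older than roughly 9-14 days, so treat it as approximate. lastLogon (no
# "Timestamp") is exact but not replicated, so you would have to query every DC for it.
$Users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties lastLogonTimestamp, pwdLastSet, PasswordNeverExpires, PasswordExpired, whenCreated

$Stale = foreach ($u in $Users) {
    # Both attributes are stored as Windows FILETIME integers; 0 / missing means "never".
    $lastLogon = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
    $pwdSet    = if ($u.pwdLastSet)         { [DateTime]::FromFileTime($u.pwdLastSet) }         else { $null }

    # An account that has never logged on only counts as stale once it is older than the
    # cutoff; otherwise it may simply be a freshly created account awaiting its owner.
    $neverLoggedOn = (-not $lastLogon) -and ($u.whenCreated -lt $Cutoff)
    $inactive      = $lastLogon -and ($lastLogon -lt $Cutoff)

    if ($inactive -or $neverLoggedOn) {
        [PSCustomObject]@{
            SamAccountName       = $u.SamAccountName
            LastLogon            = $lastLogon
            PasswordLastSet      = $pwdSet
            PasswordNeverExpires = $u.PasswordNeverExpires
            PasswordExpired      = $u.PasswordExpired
            Reason               = if ($inactive) { "No logon for $InactiveDays+ days" } else { 'Never logged on' }
        }
    }
}

$Stale | Sort-Object LastLogon | Format-Table -AutoSize

# Disable rather than delete, and only after the list has been reviewed. -WhatIf shows
# what would change without changing it; remove it to apply.
$Stale | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Accounts with PasswordNeverExpires set and an old PasswordLastSet deserve a second look even when they have logged on recently; service accounts tend to collect there.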

kevinhsieh, Network Engineer

Commented:
I would add Account Operators to the list.
Lee W, MVP, Technology and Business Process Advisor

Commented:
I would add your own custom groups.  For example, I create a Workstation Admins group for IT support.
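The membership review suggested in the answers above, as an added example that is not code from the original thread. It takes the built-in groups listed by the first two answers, Account Operators as added by kevinhsieh, and a custom group in the spirit of Lee W's comment, and walks nested membership so that a user who reaches a privileged group through another group is reported with that path. The group name 'Workstation Admins' and the $Approved list are assumptions to replace with your own; the script assumes the ActiveDirectory module (RSAT) and read access to the domain.

```powershell
# Added example, not from the original thread. Enumerates direct and nested members of
# the high-privilege groups named in the answers and flags any principal not on an
# approved list. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Built-in groups from the answers plus one custom IT-support group.
# 'Workstation Admins' is an assumed name; replace it with your own custom groups.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators',
    'Workstation Admins'
)

# Principals expected to hold these rights (assumed list; fill in your approved admin accounts).
$Approved = @('Administrator')

function Get-NestedMembers {
    param(
        [string]$GroupDn,
        [string]$Path,
        [System.Collections.Generic.HashSet[string]]$Seen
    )
    # The 'member' attribute holds only direct members; we recurse into member groups ourselves
    # so the nesting path is preserved (Get-ADGroupMember -Recursive would flatten it).
    $group = Get-ADGroup -Identity $GroupDn -Properties member
    foreach ($dn in $group.member) {
        # Guard against cyclic nesting (A contains B, B contains A).
        if (-not $Seen.Add("$GroupDn|$dn")) { continue }
        $obj = Get-ADObject -Identity $dn -Properties objectClass, sAMAccountName, userAccountControl
        if ($obj.objectClass -eq 'group') {
            Get-NestedMembers -GroupDn $dn -Path "$Path > $($obj.Name)" -Seen $Seen
        } else {
            # Foreign security principals (trusted-domain accounts) have no sAMAccountName here.
            $sam = if ($obj.sAMAccountName) { $obj.sAMAccountName } else { $obj.Name }
            [PSCustomObject]@{
                Principal  = $sam
                Class      = $obj.objectClass
                Disabled   = [bool]($obj.userAccountControl -band 2)   # ACCOUNTDISABLE flag
                Direct     = ($Path -notmatch '>')
                Unexpected = ($Approved -notcontains $sam)
                Via        = $Path
            }
        }
    }
}

$Report = foreach ($groupName in $PrivilegedGroups) {
    # Enterprise Admins and Schema Admins exist only in the forest root domain, so a child
    # domain will legitimately report them as missing.
    $g = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $g) { Write-Warning "Group '$groupName' not found in this domain"; continue }
    # Fresh visited-set per top-level group so that a group nested inside another one
    # (for example Domain Admins inside Administrators) is still expanded on its own.
    $seen = [System.Collections.Generic.HashSet[string]]::new()
    Get-NestedMembers -GroupDn $g.DistinguishedName -Path $g.Name -Seen $seen
}

$Report | Sort-Object Via, Principal |
    Format-Table Principal, Class, Disabled, Direct, Unexpected, Via -AutoSize
```

One caveat the 'member' attribute does not cover: an account whose primaryGroupID points at one of these groups is a member without appearing in 'member'. That is rare for these groups but worth a separate query (`Get-ADUser -Filter 'primaryGroupID -eq 512'` for Domain Admins, whose RID is 512).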

Author

Commented:
thank you, re:
1) Accounts that have been delegated rights at the domain root and one level down - many times administrators wrongly assign permissions, which will come back as a risk.
2) Re-validating delegated access - ideally, access should be segregated using security groups, and each role should have a security group that has delegated rights to perform only the minimal set of activities we want to delegate. E.g. helpdesk team members need access only to reset passwords and unlock user accounts. They shouldn't have any other rights.

How would you identify/validate situations such as the above? Are there any commands in PowerShell that could identify whether that has been set up (rightly or wrongly)?
Shabarinath Ramadasan, Infrastructure Architect

Commented:
Hello,

You need to rely on ACL scripts.
Here is one which you can give a try.

https://securityonline.info/ad-acl-scanner/ 

Cheers !
Shaba
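A minimal ACL scan along the lines the answer above points to, as an added example (not the linked scanner and not code from the original thread). It reads the DACL of the domain root and of every OU and container one level down with Get-Acl over the AD: drive, skips trustees that are expected to hold rights there, and reports any other principal holding write-class rights or an extended right. The $ExpectedTrustees list is an assumption to extend for your environment; the extended-right GUIDs are the schema-defined values for the reset-password and directory-replication rights.

```powershell
# Added example, not from the original thread: list delegated, non-default ACEs on the
# domain root and one level down. Requires the ActiveDirectory module (RSAT), which also
# provides the AD: PSDrive that Get-Acl reads from.
Import-Module ActiveDirectory

$Domain = Get-ADDomain
$RootDn = $Domain.DistinguishedName

# Root plus everything directly beneath it (OUs and containers such as CN=Users).
$Targets = @($RootDn) + (Get-ADObject -SearchBase $RootDn -SearchScope OneLevel `
    -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))').DistinguishedName

# Extended rights worth naming explicitly; the GUIDs are the schema-defined values.
$ExtendedRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password (reset password)'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All (DCSync)'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

# Trustees whose rights at this level are expected (assumed list; extend after review).
$ExpectedTrustees = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
    "$($Domain.NetBIOSName)\Domain Admins", "$($Domain.NetBIOSName)\Enterprise Admins"
)

# Rights that let a trustee change objects or their security rather than just read them.
$RiskyMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, WriteProperty, ExtendedRight, CreateChild, DeleteChild'

$Findings = foreach ($dn in $Targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ExpectedTrustees -contains $ace.IdentityReference.Value) { continue }
        if (($ace.ActiveDirectoryRights -band $RiskyMask) -eq 0) { continue }

        # For ExtendedRight ACEs, ObjectType says which right; an empty GUID means all of them.
        $detail = $null
        if ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) {
            $detail = $ExtendedRights[$ace.ObjectType.ToString()]
            if (-not $detail) { $detail = "Extended right $($ace.ObjectType)" }
        }
        [PSCustomObject]@{
            Object    = $dn
            Trustee   = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Detail    = $detail
            Inherited = $ace.IsInherited
            AppliesTo = $ace.InheritanceType
        }
    }
}

$Findings | Sort-Object Object, Trustee | Format-Table -AutoSize
```

Two things to expect in the output. The domain controller groups (Enterprise Domain Controllers and the read-only variant) will appear with the replication extended rights; those are normal and belong in $ExpectedTrustees once confirmed, whereas any other principal holding DS-Replication-Get-Changes-All can dump every password hash in the domain and should be treated as a Domain Admin equivalent. For the helpdesk case in the earlier answer, the correct picture is a single ACE for the helpdesk group on the OU that holds the user accounts, limited to the reset-password extended right and WriteProperty on lockoutTime, and nothing for that group at the domain root.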