The world's most trusted forum on Active Directory Security



Posts: 10
Date: Jun 1, 2012
How to find out who can reset Domain Admin passwords in our Active Directory?

Hello Forum,

It has been a long time since I dropped in. Things have been very busy for us, with a lot of added emphasis on security within the company.

We had a very interesting question come up internally, and I thought of putting it forward to you guys with the hope of getting an answer.

There's been some discussion around the threat stemming from Escalation of Privilege in Active Directory. I believe it involves some process by which insiders can systematically escalate their power from that of a regular user all the way to a Domain Administrator.

Upon giving it additional thought, it seemed that one of the ways in which someone could become a domain admin would be to reset the domain admin's passwords. 

So we started looking at all our Domain Admins, and then we started trying to find out who all can manage their accounts and reset their passwords.

We began by inspecting the ACLs on each of our Domain Admin accounts. At first, the process seemed pretty straightforward and we thought we could be done in a few hours, given how many accounts we had.

Then we realized that there were all these different kinds of permissions, some Deny others Allow, some Explicit others Inherited, some granting Full Control, others granting Special, etc. etc. and what seemed like a straightforward analysis turned out to be quite a headache and frankly very difficult to get right and finish.

We're at a point where we aren't able to analyze this correctly, and we're not quite sure how to go about doing this, so if anyone has any ideas, they would be quite welcome.

How serious is the threat of escalation of privilege in Active Directory anyway, and how does one go about finding out who can reset our Domain Admins' passwords?

Thanks for your help!



"There is the finest line between data and evidence" - Dale Adams


Posts: 3
Date: Jun 27, 2012
RE: How to find out who can reset Domain Admin passwords in our Active Directory?


The threat of an intruder or a malicious/disgruntled intruder or a coerced administrator taking advantage of the blanket read access in Active Directory to find and exploit excessive delegated access grants to elevate privilege and obtain Domain Admin like privilege is a very real threat today.

It is real because more and more folks are starting to realize that Active Directory is the real nerve-center of administrative power in the organization, and that all the permissions that protect all the content stored in it are available to all users to access, analyze and understand.

One of the downsides of all the outsourcing that is going on is that people in countries like China, Russia, Romania and the like are also starting to become very familiar with Active Directory, its management and its security. Consequently, the likelihood of an increased number of attacks on Active Directory seems high.

In light of this, and the fact that security privilege escalation in Active Directory is one of the easiest ways to compromise enterprise-wide security, these threats are increasingly becoming very real.

This is worth taking seriously, because Active Directory is the very foundation, and its compromise could have serious consequences.




Posts: 17
Date: Jun 29, 2012
RE: How to find out who can reset Domain Admin passwords in our Active Directory?


As easy as it sounds, trying to find out who can reset Domain Admin passwords, or for that matter, even a non-administrative user's password in Active Directory is actually a very difficult challenge.

It sounds very easy because you think, well, it's just a matter of looking at security rights and seeing who has the Reset Password right.

Then, when you start looking, you realize that there are so many permissions, so many rules, potentially conflicting permissions, access granted via nested groups, etc etc. and you just walk away with a headache.

The need to know who can reset whose passwords in Active Directory is very important, but how to find this out accurately is very difficult.


One misconfigured 00299570-246d-11d0-a768-00aa006e0529 is all I need.
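The two posts above (the original question about Deny/Allow and Explicit/Inherited permissions on Domain Admin accounts, and the reply about nested groups and conflicting permissions) describe exactly the evaluation that an auditor has to reproduce. The following is an added example, not code from this forum or from any of the posters: a Python model of how a DACL is evaluated for one right, the "Reset Password" extended right whose GUID appears in the signature above (00299570-246d-11d0-a768-00aa006e0529; the second GUID, ab721a53-1e2f-11d0-9819-00aa0040529b, is the separate "Change Password" extended right). The DACL, the group nesting and the principal names are constructed for the demonstration; the access-mask constants are the Windows ADS_RIGHTS_ENUM values.

```python
"""Model of an Active Directory DACL check: who can reset one account's password?

Constructed example for illustration; the ACEs and principals are not from any
real directory.  Real ACEs carry SIDs, not names, and a real audit reads the
DACL from the object (for example with dsacls or Get-Acl on the AD: drive).
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Extended-right GUIDs (controlAccessRight objects in the schema).
RESET_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password
CHANGE_PASSWORD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b"  # User-Change-Password
ALL_OBJECTS = None  # an ACE with no object type applies to every right and attribute

# Access-mask bits from ADS_RIGHTS_ENUM that matter for this question.
GENERIC_ALL = 0x10000000                 # "Full Control"
ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100  # an extended right, scoped by object_type
ADS_RIGHT_WRITE_DAC = 0x00040000          # may rewrite the DACL
ADS_RIGHT_WRITE_OWNER = 0x00080000        # may take ownership (owner may then rewrite the DACL)


@dataclass(frozen=True)
class Ace:
    kind: str                             # "Allow" or "Deny"
    trustee: str                          # principal the ACE applies to
    mask: int                             # access-mask bits
    object_type: Optional[str] = ALL_OBJECTS
    inherited: bool = False


def canonical_order(dacl):
    """Windows canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow.
    The first ACE that both applies to the token and covers the requested right decides."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind == "Allow"))


def expand_groups(principal, membership):
    """Transitive closure of group membership; membership maps member -> set of groups."""
    token, stack = {principal}, [principal]
    while stack:
        for group in membership.get(stack.pop(), ()):
            if group not in token:
                token.add(group)
                stack.append(group)
    return token


def covers_reset(ace):
    """Full Control, or the extended-right bit scoped to Reset Password (or unscoped)."""
    if ace.mask & GENERIC_ALL:
        return True
    return bool(ace.mask & ADS_RIGHT_DS_CONTROL_ACCESS) and \
        ace.object_type in (ALL_OBJECTS, RESET_PASSWORD_GUID)


def covers_dacl_write(ace):
    """Rights that let the holder change the DACL itself; only unscoped ACEs carry them."""
    return ace.object_type is ALL_OBJECTS and \
        bool(ace.mask & (GENERIC_ALL | ADS_RIGHT_WRITE_DAC | ADS_RIGHT_WRITE_OWNER))


def effective(principal, dacl, membership, covers: Callable[[Ace], bool]):
    """Return (granted, deciding_ace); (False, None) when no ACE matches at all."""
    token = expand_groups(principal, membership)
    for ace in canonical_order(dacl):
        if ace.trustee in token and covers(ace):
            return (ace.kind == "Allow", ace)
    return (False, None)


def can_reset_password(principal, dacl, membership):
    return effective(principal, dacl, membership, covers_reset)


def can_modify_dacl(principal, dacl, membership):
    return effective(principal, dacl, membership, covers_dacl_write)


def who_can_reset(dacl, membership, users):
    """Users allowed to reset the password outright."""
    return sorted(u for u in users if can_reset_password(u, dacl, membership)[0])


def dacl_writers(dacl, membership, users):
    """Users who could grant themselves the right by rewriting the DACL; an audit must list them too."""
    return sorted(u for u in users if can_modify_dacl(u, dacl, membership)[0])


# Constructed DACL on one Domain Admin account, deliberately listed out of canonical order.
DACL = [
    Ace("Allow", "Everyone", ADS_RIGHT_DS_CONTROL_ACCESS, CHANGE_PASSWORD_GUID),  # change, not reset
    Ace("Allow", "Domain Admins", GENERIC_ALL),
    Ace("Allow", "Helpdesk", ADS_RIGHT_DS_CONTROL_ACCESS, RESET_PASSWORD_GUID),
    Ace("Deny", "Contractors", ADS_RIGHT_DS_CONTROL_ACCESS, RESET_PASSWORD_GUID),
    Ace("Allow", "Contractors", GENERIC_ALL, inherited=True),                     # beaten by explicit Deny
]

# Constructed nesting: dave is in Tier2-Ops, which is itself a member of Helpdesk.
MEMBERSHIP = {
    "alice": {"Domain Admins", "Everyone"},
    "bob": {"Helpdesk", "Everyone"},
    "carol": {"Contractors", "Helpdesk", "Everyone"},
    "dave": {"Tier2-Ops", "Everyone"},
    "Tier2-Ops": {"Helpdesk"},
    "eve": {"Everyone"},
}
USERS = ["alice", "bob", "carol", "dave", "eve"]

if __name__ == "__main__":
    print("can reset:", who_can_reset(DACL, MEMBERSHIP, USERS))      # alice, bob, dave
    print("can rewrite DACL:", dacl_writers(DACL, MEMBERSHIP, USERS))  # alice, carol
```

Two points the output makes that a by-hand review easily misses: carol is denied the reset right by an explicit Deny even though an inherited Full Control grants it, yet she still appears as a DACL writer, so the Deny is hollow; and dave never appears in the DACL at all and gets the right through two levels of nesting. The model omits owner rights (the owner of an object implicitly has WRITE_DAC), inheritance flags and "inherit only" ACEs. For Domain Admin accounts specifically, remember that they are protected objects: SDProp periodically overwrites their DACL from CN=AdminSDHolder,CN=System and disables inheritance on them, so the ACL to audit for those accounts is the one on AdminSDHolder.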