ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Newbie

Posts: 3
Date: Jan 3, 2013
How to identify domain accounts with admin privileges in Active Directory?


Hello Forum,

I also have a related question. I would like to know how to identify all domain accounts that have admin privileges in an Active Directory domain. For example, I am trying to find out which accounts, in addition to all members of the Domain Admins security group and the Enterprise Admins security group, might have admin privileges in our Active Directory.

We are preparing to conduct an Active Directory Delegation Audit for one of our clients, and this was one of the things that came up during our discussions with them, so thought of getting some inputs.

Thank you for your help.

Salim.



__________________


Member

Posts: 16
Date: Feb 12, 2013
RE: How to identify domain accounts with admin privileges in Active Directory?


Hello Salim,

I am not an expert, but I think you seem to be on the right track.

If I recall correctly, if you take into account all the members of the Domain Admins, Enterprise Admins, Builtin Admins, Server Operators, Account Operators, Print Operators and Backup Operators groups, you should have what you're looking for.

Oh, one more thing. Be sure to enumerate all the members of these groups (i.e. including nested group members) and you should have what you need.

I'm not an expert, so perhaps someone else can share their thoughts.

Best wishes,

Chad.



__________________


Member

Posts: 8
Date: Apr 11, 2013
RE: How to identify domain accounts with admin privileges in Active Directory?


Salim,

In our experience we have found that this isn't as easy as it sounds, because in order to identify administrative accounts, you have to define what makes an account administrative in nature.

For instance, of course it's a given that all members of default administrative groups are administrative in nature, by virtue of the powers they get, since the default administrative groups have been granted sweeping powers by default.

But what about an account that is not a member of any of these groups, but that can still do things which would be considered administrative in nature? For e.g. would you consider an account that can change the membership of the Domain Admins group to be an administrative account? (We do.)

The point is that it's very difficult to try and identify administrative accounts based merely on group memberships, because there could be accounts that on some object somewhere have administrative privileges via some semi-admin group that's not on your radar.

What we have done in our org is to take a slightly different approach - we have identified the tasks we deem to be administrative in nature (e.g. who can change the membership of the Domain Admins group, who can reset the passwords of our admin accounts, who can link a GPO to the Default Domain Controllers OU, etc.) and proceeded to identify and document who can perform these tasks in our domains.

This way, we don't have to look at individual group memberships, but rather perform a capability-based audit of sorts. My manager likes to think of it as an Active Directory Delegation Audit (on which there's a decent write-up here), but I think it's a little more than that, as it also captures the non-delegated admin grants.

I'm not sure if my input helps you, but I figured it was worth mentioning that this isn't super easy. If you have any questions about it, just PM me or ask, and I'll be happy to help.

Best wishes,

Richard.



__________________

I would trade all my technology for an afternoon with Socrates - Steve Jobs
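The two approaches discussed in this thread, Chad's group-based enumeration (including nested members) and Richard's capability-based check of who can change the membership of Domain Admins, as an added example script that is not part of any post here. It assumes the RSAT ActiveDirectory PowerShell module and ordinary domain-user read access; the group names, the `member` attribute GUID and the output format are my own choices.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module
# and read access to the domain; runs as an ordinary domain user.
Import-Module ActiveDirectory

# 1. Group-based view: every effective (nested) user member of the default admin groups
$adminGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators',
               'Server Operators', 'Account Operators', 'Print Operators', 'Backup Operators'

$groupMembers = foreach ($g in $adminGroups) {
    try {
        # -Recursive flattens nested groups so indirect members are not missed
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object objectClass -eq 'user' |
            ForEach-Object { [pscustomobject]@{ Group = $g; Account = $_.SamAccountName } }
    } catch {
        # e.g. Enterprise Admins only exists in the forest root domain
        Write-Warning "Could not enumerate '$g': $($_.Exception.Message)"
    }
}

# 2. Capability-based view: which security principals can change Domain Admins membership?
# schemaIDGUID of the 'member' attribute; an ACE scoped to it grants WriteProperty on membership
$memberAttrGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$daDn = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
$acl  = Get-Acl -Path "AD:\$daDn"

$canChangeMembership = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        # rights that imply full control of the object regardless of attribute
        ($_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner') -or
        # WriteProperty on all attributes (empty GUID) or specifically on 'member'
        (($_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite') -and
         ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $memberAttrGuid))
    )
} | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

Write-Host "Effective members of default admin groups:"
$groupMembers | Sort-Object Account -Unique | Format-Table -AutoSize
Write-Host "Principals with Allow ACEs that can modify Domain Admins membership:"
$canChangeMembership | Format-Table -AutoSize
```

The second list is a starting point rather than a final answer: each IdentityReference is often itself a group that must be expanded the same way, and Deny ACEs are not evaluated here, so a full effective-permissions calculation would need to take them into account.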
