The world's most trusted forum on Active Directory Security

Post Info TOPIC: How to identify accounts with administrative privileges in Active Directory?


Posts: 2
Date: Jan 4, 2013
How to identify accounts with administrative privileges in Active Directory?

Hello Forum,

We have a requirement to be able to identify accounts with administrative privileges in Active Directory. We would like to know how to go about doing fulfilling this requirement.

I am happy to provide some background in case it helps -  

We have a medium sized Active Directory within which we varying levels of administrative access have been provisioned for various groups and individual users over time, primarily to facilitate decentralized administration of our OUs.

We recently had a situation wherein a junior level (delegated) admin may have escalated their privilege in one of the OUs to gain broader administrative powers within the AD, and then use these powers to grant certain temp IT staff full access to certain sensitive files on one of our file servers.

The situation has since been contained, but as a result, management has asked that we take measures to identify all accounts that have such administrative privileges in Active Directory, so that we can then analyze the access granted to these accounts and accordingly lock-down any access that is found to be excessive, so that such an incident does not happen again.

So we are tasked with, and are trying to identify all AD accounts that have administrative privileges in our Active Directory. The issue is that we've never done this before so we don't really know how to approach fulfilling this need.

We would be greatful for any advice we can get in this regard.

Thank you in advance.



We Support Our Troops.

Page 1 of 1  sorted by
Quick Reply

Please log in to post quick replies.

Post to Digg Post to
Members Login
    Remember Me