The world's most trusted forum on Active Directory Security

Post Info TOPIC: How to Audit Privileged Accounts and Groups in Active Directory?


Posts: 1
Date: Aug 5, 2013

Hello Forum,

I have been tasked with conducting an independent audit of all privileged accounts and groups in Active Directory, and need some help figuring out how to "define" what constitutes a privileged account and group in an Active Directory environment.

By way of introduction, I am not an Active Directory admin. I am an IT auditor who is a part of the Corp Sec group, but the team I work for ultimately reports up to the CIO, as does our Core Infrastructure team that is responsible for managing our Active Directory, messaging (basically Exchange) and DNS deployments.

I have been handed down a request from upper management to perform an independent audit of all accounts and groups in our Active Directory that might be privileged in nature.

I believe that when initially requested, upper management was furnished a list by the IT director of the Directory Services group, but it only included a list of all members of the Domain Admins, Enterprise Admins and BuiltIn Admins security groups, which was about xx individuals in all.

Management suspects that there may be more individuals who have privileged access in our AD, but who are not members of these default admin groups. They requested additional info from the AD team, but the team insists that these are the main groups to look at, and it seemed they were not very inclined to dig deeper. So I am tasked with determining what defines a "privileged" user/group in AD, then identifying all of them.

When I asked the AD team, they indicated that a recent whitepaper from Microsoft IT seemed to indicate that these groups are the main ones to look at. However, from my NT days, I remember groups like Account Operators and Server Operators, so I believe there might be other default admin groups as well, so I'm not sure why Microsoft IT may be suggesting that it is sufficient to look at these groups. Anyways, I'm hoping to figure it out, and this forum seems like a good place to get some good input from.

So my question is - What constitutes a privileged account/group in Active Directory?

I think once I know the answer to that, I can then proceed to audit the same and deliver my findings to upper management. As I continue my research, I look forward to any inputs I could get. I have 4 weeks to come up with this, so it is a bit time-sensitive. Thank you in advance for any assistance you could provide me with this.

