Where have all the Domain Admins gone? Rooting out Unwanted Domain Administrators
Ever been in an internal security assessment or penetration test and needed to list all domain admins?
First of all, why would you need to do that? All too often, you'll find that way too many people have domain admin - you know, "just in case".
People like:
- developers - who needed local admin on that one server, that one time, but we gave them domain admin and then forgot
- or developers, because don't all devs need domain admin?
- IT VPs and dev managers, because they used to be admins
- the CEO, because they insisted
- Steve, because Steve needed to update the timezone or install a printer at home, and the helpdesk mistakenly gave Steve domain admin rights for that
You get the idea.
So, aside from the people that are actual members of "Domain Admins", there are lots of groups that have elevated privileges in a domain, so we'll need to enumerate all of those too. And you can put groups into groups, so we'll have to recurse through that mess to get the full list of users. This can take quite a while in the GUI, but it's only a few lines of code in PowerShell:
Import-Module ActiveDirectory
$DomainAdmins = @()
'Domain Admins', 'Administrators', 'Enterprise Admins', 'Schema Admins', 'Server Operators', 'Backup Operators' | ForEach-Object {
    $groupName = $_
    # -Recursive flattens nested groups; members can also be computers, which Get-ADUser can't resolve, so keep only user objects
    $a = Get-ADGroupMember -Identity $_ -Recursive | Where-Object { $_.objectClass -eq 'user' } | Get-ADUser | Select-Object Name, SamAccountName, @{n='GroupName';e={ $groupName }}
    $DomainAdmins += $a
}
$DomainAdmins | Export-Csv -NoTypeInformation alldomainadmins.csv
This will list all the Admin users, and the group membership that put them there. So you might find the same person on this list a few times (but that's a good thing in most cases).
If you just want the de-dup'd list of unique userids (without how they got there), add this snip to your code:
$uniqadmins = ($DomainAdmins | Select-Object SamAccountName, Name) | Sort-Object -Property SamAccountName -Unique
$pctdomadmins = ($uniqadmins.Count / (Get-ADUser -Filter *).Count) * 100
Write-Host $pctdomadmins "percent of domain users have domain admin rights"
$uniqadmins | Export-Csv -NoTypeInformation uniqadmins.csv
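As an added example that is not part of the diary, the same walk of the privileged groups extended to pull the attributes a reviewer needs to decide which of these admins are unwanted: disabled accounts, accounts with no logon in 90 days, and accounts whose password never expires. The 90-day cutoff, the "Suspect" flag and the output file name are my choices, not the author's.

```powershell
# Added example (not from the original diary): list privileged accounts with the
# attributes that usually identify an "unwanted" admin. Assumes the ActiveDirectory
# module and read access to the domain.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Administrators', 'Enterprise Admins',
                    'Schema Admins', 'Server Operators', 'Backup Operators'
$StaleDays = 90                      # assumption: your policy may differ
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

$Admins = foreach ($group in $PrivilegedGroups) {
    # -Recursive flattens nested groups; keep only user objects
    # (members can also be computers, which Get-ADUser cannot resolve)
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties Enabled, LastLogonDate, PasswordNeverExpires, PasswordLastSet, adminCount
            [pscustomobject]@{
                SamAccountName       = $u.SamAccountName
                Name                 = $u.Name
                GroupName            = $group
                Enabled              = $u.Enabled
                LastLogonDate        = $u.LastLogonDate
                PasswordNeverExpires = $u.PasswordNeverExpires
                PasswordLastSet      = $u.PasswordLastSet
                AdminCount           = $u.adminCount     # 1 = protected by AdminSDHolder
            }
        }
}

# One row per account, listing every privileged group it was found in
$Unique = $Admins | Group-Object SamAccountName | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        SamAccountName       = $_.Name
        Name                 = $first.Name
        Groups               = ($_.Group.GroupName | Sort-Object -Unique) -join ';'
        Enabled              = $first.Enabled
        LastLogonDate        = $first.LastLogonDate
        PasswordNeverExpires = $first.PasswordNeverExpires
        # Review these first; a null LastLogonDate (never logged on) also counts as stale
        Suspect              = (-not $first.Enabled) -or
                               ($first.LastLogonDate -lt $Cutoff) -or
                               $first.PasswordNeverExpires
    }
}

$Unique | Export-Csv -NoTypeInformation privileged-accounts.csv
$Unique | Where-Object Suspect | Format-Table SamAccountName, Groups, Enabled, LastLogonDate, PasswordNeverExpires
```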
When you run this against your domain, what is your percentage? Did you find any surprises? Please, use our comment form and let us know!
Finding Local Administrators on Domain Member Stations
Now that we've got a list of domain admins ( https://isc.sans.edu/forums/diary/Where+have+all+the+Domain+Admins+gone+Rooting+out+Unwanted+Domain+Administrators/24874 ), let's find all the accounts that have local Administrator rights.
Local Admin used to be a common thing, back in the early XP days when Windows Security was new. It was common back then to see everyone's AD account have local admin on their own machine, so that they could do things like update the clock, install printer drivers, or install games when they took their laptop home.
Sound familiar? Well, those days are gone (or they should be). In 99% of cases, you absolutely, positively do NOT need local admin for anything on a domain member computer (especially if it's not a server) that's administered by IT staff. You might need an extra right here or there, but even then, it's very likely that you don't. Windows 10 and even Windows 7 both do a good job without giving folks admin rights. (We won't talk about that dark Windows 8 detour that nobody took, but W8 does just as good a job on this score)
What local admin does give you is rights that you shouldn't have: malware running as you can install itself and change system files that nobody wants changed. And if you don't use LAPS, the same local Administrator password is probably set on every station, so local admin on one station will likely give you local admin on ALL the stations, which from a malware point of view is as good as domain admin in lots of organizations.
So let's get on with it - to find local admins across the board, you'll want something that looks like this:
import-module ActiveDirectory
function get-localadmin {
$i = 1 |
Note that this code will grab everything, so when it hits the domain controllers it'll enumerate domain admins (which is the honest truth when you think about it). Note also that if a station is not on the network when you run this script, of course you won't be able to enumerate any user information from it.
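Since the listing above is cut off, here is an added implementation (not the diary's own code) of the local-admin enumeration it describes. It assumes the ActiveDirectory module, PowerShell Remoting (WinRM) to the workstations and PowerShell 5.1 or later on them for Get-LocalGroupMember; the function and file names are mine.

```powershell
# Added example (not the diary's code): enumerate the local Administrators group on
# every enabled domain-joined computer, recording offline and unreachable hosts
# instead of aborting the run.
Import-Module ActiveDirectory

function Get-LocalAdmin {
    param(
        [switch]$SkipDomainControllers   # DCs have no local SAM; they would just return Domain Admins etc.
    )
    $computers = Get-ADComputer -Filter { Enabled -eq $true } -Properties DNSHostName, PrimaryGroupID
    if ($SkipDomainControllers) {
        # primaryGroupID 516 = Domain Controllers, 521 = Read-only Domain Controllers
        $computers = $computers | Where-Object { $_.PrimaryGroupID -notin 516, 521 }
    }

    foreach ($c in $computers) {
        $name = if ($c.DNSHostName) { $c.DNSHostName } else { $c.Name }

        # A station that is off the network cannot be enumerated; say so in the output
        if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
            [pscustomobject]@{ Computer = $name; Member = $null; ObjectClass = $null; Status = 'Offline' }
            continue
        }
        try {
            $members = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
                Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
            }
            foreach ($m in $members) {
                [pscustomobject]@{ Computer = $name; Member = $m.Name; ObjectClass = $m.ObjectClass; Status = 'OK' }
            }
        } catch {
            # WinRM disabled, access denied, or the host dropped off between the ping and the call
            [pscustomobject]@{ Computer = $name; Member = $null; ObjectClass = $null; Status = "Error: $($_.Exception.Message)" }
        }
    }
}

$LocalAdmins = Get-LocalAdmin -SkipDomainControllers
$LocalAdmins | Export-Csv -NoTypeInformation alllocaladmins.csv

# Accounts holding local admin on more than one station are the ones to look at first
$LocalAdmins | Where-Object { $_.Status -eq 'OK' -and $_.ObjectClass -eq 'User' } |
    Group-Object Member | Where-Object Count -gt 1 |
    Select-Object Name, Count | Sort-Object Count -Descending
```

Domain groups show up in the output as group members too (ObjectClass 'Group'); expand those with Get-ADGroupMember -Recursive from the first diary to get the actual users behind them.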
Run this on your own domain, and use our comment form to let us know if you find anything unexpected!
===============
Rob VandenBrink
Compugen