Where have all the Domain Admins gone? Rooting out Unwanted Domain Administrators

Published: 2019-04-24. Last Updated: 2019-04-25 12:47:55 UTC
by Rob VandenBrink (Version: 1)

Ever been in an internal security assessment or penetration test, and needed to list all domain admins?
First of all, why would you need to do that?  All too often, you'll find that way too many people have domain admin rights - you know, "just in case".
People like:

  • developers - who needed local admin on that one server, that one time, but we gave them domain admin and then forgot
  • or developers, because don't all devs need domain admin?
  • IT VPs and dev managers, because they used to be admins
  • the CEO, because they insisted
  • Steve, because Steve needed to update the timezone or install a printer at home, and the helpdesk mistakenly gave Steve domain admin rights for that

You get the idea.

So, aside from the people that are actual members of "Domain Admins", there are lots of groups that have elevated privileges in a domain, so we'll need to enumerate all of those too.  And you can put groups into groups, so we'll have to recurse through that mess to get the full list of users.  This can take quite a while in the GUI, but it's only a few lines of code in PowerShell:

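Import-Module ActiveDirectory

$DomainAdmins = @()
$a = @()
# Privileged groups to expand; -Recursive flattens nested groups into their members
'Domain Admins', 'Administrators', 'Enterprise Admins', 'Schema Admins', 'Server Operators', 'Backup Operators' | ForEach-Object {
    $groupName = $_
    # Keep only user objects: Get-ADUser errors on computer or other non-user members
    $a = Get-ADGroupMember -Identity $_ -Recursive | Where-Object { $_.objectClass -eq 'user' } | Get-ADUser | Select-Object Name, samaccountname, @{n='GroupName';e={ $groupName }}
    $DomainAdmins += $a
}
$DomainAdmins | Export-Csv alldomainadmins.csv -NoTypeInformation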

This will list all the Admin users, and the group membership that put them there.  So you might find the same person on this list a few times (but that's a good thing in most cases).

If you just want the de-dup'd list of unique userids (without how they got there), add this snip to your code:

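# One row per account, regardless of how many privileged groups it is in
$uniqadmins = ($DomainAdmins | Select-Object SamAccountName, Name) | Sort-Object -Property SamAccountName -Unique
# Share of all domain user accounts that hold admin rights
$pctdomadmins = (@($uniqadmins).Count / @(Get-ADUser -Filter *).Count) * 100
Write-Host $pctdomadmins "percent of domain users have domain admin rights"
$uniqadmins | Export-Csv uniqadmins.csv -NoTypeInformation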
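
The -Recursive switch used above flattens nesting, so the CSV shows the top-level group but not the chain of nested groups that put an account there. The following is an added example, not code from the original diary: it walks the nesting by hand and records that chain. The function name Get-PrivilegedPath and the output file adminpaths.csv are made up for illustration, and it assumes a single domain where every member can be resolved by its distinguished name.

```powershell
# Added example, not from the original diary. Needs the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PrivilegedPath {            # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Group,   # group name, DN or SID to expand
        [string[]] $Path = @(),                   # group names walked so far
        [hashtable] $Seen = @{}                   # DNs on the current chain (loop guard)
    )
    $g = Get-ADGroup -Identity $Group
    if ($Seen.ContainsKey($g.DistinguishedName)) { return }   # circular nesting, stop here
    $Seen[$g.DistinguishedName] = $true
    $chain = $Path + $g.Name

    # Non-recursive call: one level at a time, so the chain stays known
    foreach ($m in Get-ADGroupMember -Identity $g) {
        switch ($m.objectClass) {
            'group' { Get-PrivilegedPath -Group $m.DistinguishedName -Path $chain -Seen $Seen }
            'user'  {
                $u = Get-ADUser -Identity $m.DistinguishedName
                [pscustomobject]@{
                    SamAccountName = $u.SamAccountName
                    Name           = $u.Name
                    Enabled        = $u.Enabled
                    RootGroup      = $chain[0]
                    Depth          = $chain.Count      # 1 = direct member
                    Path           = $chain -join ' > '
                }
            }
            default { }   # computers, service accounts and other object classes are skipped
        }
    }
    # Leave the chain so the same group can still be reported via a different path
    $Seen.Remove($g.DistinguishedName)
}

$paths = 'Domain Admins', 'Administrators', 'Enterprise Admins', 'Schema Admins',
         'Server Operators', 'Backup Operators' |
    ForEach-Object { Get-PrivilegedPath -Group $_ }

# Deepest paths first: these are the memberships least visible in the GUI
$paths | Sort-Object Depth -Descending | Export-Csv adminpaths.csv -NoTypeInformation
```

A row with Depth greater than 1 names the nested group to remove the account from, and Enabled = False rows are disabled accounts still holding admin rights.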

When you run this against your domain, what is your percentage?  Did you find any surprises?  Please, use our comment form and let us know!


Finding Local Administrators on a Domain Member Stations

Published: 2019-04-24. Last Updated: 2019-04-24 11:48:34 UTC
by Rob VandenBrink (Version: 1)

Now that we've got a list of domain admins ( https://isc.sans.edu/forums/diary/Where+have+all+the+Domain+Admins+gone+Rooting+out+Unwanted+Domain+Administrators/24874 ), let's find all the accounts that have local Administrator rights.
Local Admin used to be a common thing, back in the early XP days when Windows Security was new.  It was common back then to see everyone's AD account have local admin on their own machine, so that they could do things like update the clock, install printer drivers, or install games when they took their laptop home.

Sound familiar?  Well, those days are gone (or they should be).  In 99% of cases, you absolutely, positively do NOT need local admin for anything on a domain member computer (especially if it's not a server) that's administered by IT staff.  You might need an extra right here or there, but even then, it's very likely that you don't.  Windows 10 and even Windows 7 both do a good job without giving folks admin rights.  (We won't talk about that dark Windows 8 detour that nobody took, but W8 does just as good a job on this score)

What local admin does give you is rights that you shouldn't have, to perhaps install malware that might then access system files that nobody wants changed.  And if you don't use LAPS, local admin on one station will likely give you local admin on ALL the stations, which from a malware point of view is as good as domain admin in lots of organizations.

So let's get on with it - to find local admins across the board, you'll want something that looks like this:

Import-Module ActiveDirectory

# Return the members of the local Administrators group on one computer as DOMAIN\Name strings
function get-localadmin {
  param ($strcomputer)
  # Get-WmiObject (gwmi) is available in Windows PowerShell, not in PowerShell 6 and later
  $admins = Get-WmiObject win32_groupuser -ComputerName $strcomputer
  $admins = $admins | Where-Object { $_.groupcomponent -like '*"Administrators"' }
  $admins | ForEach-Object {
    # PartComponent ends in Domain="...",Name="..."; skip anything that does not match
    if ($_.partcomponent -match '.+Domain\=(.+)\,Name\=(.+)$') {
      $matches[1].trim('"') + '\' + $matches[2].trim('"')
    }
  }
}

$i = 0
$localadmins = @()
$targets = Get-ADComputer -Filter * -Property DNSHostName
foreach ($targethost in $targets) {
  write-host "Testing" $targethost.DNSHostName "," $i "hosts completed"
  # Only query hosts that answer a ping
  if (Test-Connection -ComputerName $targethost.DNSHostName -count 2 -Quiet) {
    $admins = get-localadmin $targethost.DNSHostName
    foreach ($a in $admins) {
      $val = new-object psobject
      $val | add-member -membertype NoteProperty -name Hostname -value $targethost.name
      $val | add-member -membertype NoteProperty -name AdminID -value $a
      $localadmins += $val
    }
  }
  # Count every host processed, reachable or not
  ++$i
}
$localadmins | export-csv -append -NoTypeInformation localadminusers.csv

Note that this code will grab everything, so when it hits the domain controllers it'll enumerate domain admins (which is the honest truth when you think about it).  Note also that if a station is not on the network when you run this script, of course you won't be able to enumerate any user information from it.
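
To turn that CSV into something reviewable, the following added example (not part of the original diary) drops the entries you would expect on every station and ranks the rest by how many hosts each account is local admin on. The rows are constructed sample data in the Hostname/AdminID shape written above, and the "expected" rule (the built-in local Administrator plus the Domain Admins group) is an assumption to adjust for your environment.

```powershell
# Added example, not from the original diary.
# Constructed sample rows; on real data use: $rows = Import-Csv localadminusers.csv
$rows = @'
Hostname,AdminID
WS01,WS01\Administrator
WS01,EXAMPLE\Domain Admins
WS01,EXAMPLE\steve
WS02,WS02\Administrator
WS02,EXAMPLE\Domain Admins
WS02,EXAMPLE\steve
WS03,WS03\Administrator
WS03,EXAMPLE\Domain Admins
WS03,EXAMPLE\HelpdeskTier1
WS03,WS03\oldsupport
'@ | ConvertFrom-Csv

$unexpected = foreach ($r in $rows) {
    # AdminID is SCOPE\Account; SCOPE is the host name for local accounts
    $scope, $account = $r.AdminID -split '\\', 2
    $isLocal = $scope -eq $r.Hostname

    # Assumption: only these two entries are expected on a member station
    if ($isLocal -and $account -eq 'Administrator') { continue }
    if (-not $isLocal -and $account -eq 'Domain Admins') { continue }

    [pscustomobject]@{
        Hostname = $r.Hostname
        AdminID  = $r.AdminID
        Kind     = if ($isLocal) { 'local account' } else { 'domain principal' }
    }
}

# One line per account or group, widest reach first
$unexpected | Group-Object AdminID | ForEach-Object {
    [pscustomobject]@{
        AdminID   = $_.Name
        Kind      = $_.Group[0].Kind
        HostCount = $_.Count
        Hosts     = ($_.Group.Hostname | Sort-Object -Unique) -join ';'
    }
} | Sort-Object HostCount -Descending | Format-Table -AutoSize
```

On the sample rows this lists EXAMPLE\steve on two hosts ahead of EXAMPLE\HelpdeskTier1 and the leftover local account WS03\oldsupport on one host each.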

Run this on your own domain, and use our comment form to let us know if you find anything unexpected!

===============
Rob VandenBrink
Compugen
