Where have all the Domain Admins gone? Rooting out Unwanted Domain Administrators

Where have all the Domain Admins gone? Rooting out Unwanted Domain Administrators
Ever been in an internal security assessment or penetration test, and need to list all domain admins? First of all, why would you need to do that? All to often, you'll find that way too many people have domain admins - you know, "just in case" People like: developers - who needed local admin on that one server, that one time, but we gave them domain admin and then forgot or developers, because don't all devs need domain admin? IT VP's and dev managers, because they used to be admins the CEO, because they insisted Steve, because Steve needed to update the timezone or install a printer at home, and the helpdesk mistakenly gave Steve domain admin rights for that You get the idea. So, aside from the people that are actual members of "Domain Admins", there are lots of groups that have elevated privileges in a domain, so we'll need to enumerate all of those too. And you can put groups into groups, so we'll have to recurse through that mess to get the full list of users. This can take quite a while in the GUI, but it's only a few lines of code in PowerShell: `$DomainAdmins = @() $a = $() 'Domain Admins', 'Administrators', 'Enterprise Admins', 'Schema Admins', 'Server Operators', 'Backup Operators' \| ForEach-Object { $groupName = $_ $a = Get-ADGroupMember -Identity $_ -Recursive \| Get-ADUser \| Select-Object Name, samaccountname, @{n='GroupName';e={ $groupName }} $DomainAdmins += $a } $DomainAdmins \| export-csv alldomainadmins.csv` This will list all the Admin users, and the group membership that put them there. So you might find the same person on this list a few times (but that's a good thing in most cases). If you just want the de-dup'd list of unique userids (without how they got there), add this snip to your code: `$uniqadmins = ($DomainAdmins \| select SamAccountName,name ) \| Sort-Object -Property samaccountname -Unique $pctdomadmins = ($uniqadmins.count / (Get-ADUser -filter * ).count) *100 write-host $pctdomadmins "percent of domain users have domain admin rights" $uniqadmins \| export-csv uniqadmins.csv` When you run this against your domain, what is your percentage? Did you find any surprises? Please, use our comment form and let us know!	Rob VandenBrink 497 Posts ISC Handler
Subscribe	Apr 25th 2019 1 month ago
A few years ago I wrote a script that checks various groups for membership changes. It uses the AD DS Tools (part of RSAT) feature. The basic command is: dsquery group -name "Domain Admins" \| dsget group -members -expand The output is a list of Distingished Names suitable for additional processing if desired. Elevated privilege are not required.	Anonymous
Quote	Apr 25th 2019 1 month ago