Ever been in an internal security assessment or penetration test, and needed to list all domain admins?
First of all, why would you need to do that? All too often, you’ll find that way too many people have domain admin rights – you know, “just in case”:
- developers – who needed local admin on that one server, that one time, but we gave them domain admin and then forgot
- or developers, because don’t all devs need domain admin?
- IT VPs and dev managers, because they used to be admins
- the CEO, because they insisted
- Steve, because Steve needed to update the timezone or install a printer at home, and the helpdesk mistakenly gave Steve domain admin rights for that
You get the idea.
So, aside from the people that are actual members of “Domain Admins”, there are lots of groups that have elevated privileges in a domain, so we’ll need to enumerate all of those too. And you can put groups into groups, so we’ll have to recurse through that mess to get the full list of users. This can take quite a while in the GUI, but it’s only a few lines of code in PowerShell:
This will list all the Admin users, and the group membership that put them there. So you might find the same person on this list a few times (but that’s a good thing in most cases).
If you just want the de-dup’d list of unique userids (without how they got there), add this snip to your code:
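One way to implement both the enumeration and the de-duplicated list described above, as an added example that is not the diary's original code. The privileged group names and the function name `Get-NestedAdminMember` are assumptions for illustration; the script uses the ActiveDirectory module's `Get-ADGroup` and `Get-ADGroupMember` and walks the nesting itself so that each row records the group path that grants the access.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumption: illustrative list of built-in privileged groups; adjust for your domain.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators'

function Get-NestedAdminMember {
    param(
        [Parameter(Mandatory)] [string] $GroupDN,
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Ancestors = @()
    )
    # Stop on circular nesting (group A in group B in group A).
    if ($Ancestors -contains $GroupDN) { return }
    try {
        $members = Get-ADGroupMember -Identity $GroupDN -ErrorAction Stop
    } catch {
        # For example, members from another forest that cannot be resolved.
        Write-Warning "Could not read members of '$Path': $($_.Exception.Message)"
        return
    }
    foreach ($m in $members) {
        if ($m.objectClass -eq 'group') {
            # Recurse into the nested group, extending the path shown in the report.
            Get-NestedAdminMember -GroupDN $m.distinguishedName `
                -Path "$Path > $($m.name)" -Ancestors ($Ancestors + $GroupDN)
        } else {
            [pscustomobject]@{
                SamAccountName = $m.SamAccountName
                ObjectClass    = $m.objectClass
                Via            = $Path
            }
        }
    }
}

$AdminMembers = foreach ($name in $PrivilegedGroups) {
    # Some groups exist only in the forest root domain; skip those that are not found.
    $group = Get-ADGroup -Filter "Name -eq '$name'"
    if ($group) { Get-NestedAdminMember -GroupDN $group.DistinguishedName -Path $group.Name }
}

# Full list: one row per account per group path, so the same account can appear several times.
$AdminMembers | Sort-Object SamAccountName, Via | Format-Table -AutoSize

# De-duplicated list of unique account names, without the path.
$AdminMembers | Select-Object -ExpandProperty SamAccountName | Sort-Object -Unique
```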
When you run this against your domain, what is your percentage? Did you find any surprises? Please, use our comment form and let us know!
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Where have all the Domain Admins gone? Rooting out Unwanted Domain Administrators, (Wed, Apr 24th)