Managing privileged groups is one of the most important tasks of an Active Directory administrator. Privileged AD groups hold a set of rights that allow their members to perform almost any action in Active Directory and on domain-joined computers. Users that are added to a privileged group without authorization, or by mistake, pose a high risk to your AD infrastructure and can lead to information leakage and the compromise of sensitive resources.
A number of security groups are automatically created in the Users and Built-in containers when you install a new Active Directory domain. There are a number of privileged groups among them:
- Enterprise Admins
- Schema Admins
- Domain Admins
- Administrators
There are also a number of other pre-defined groups that allow you to perform specific domain-wide administrative tasks:
- Account Operators
- Server Operators
- Backup Operators
- Print Operators
- Cert Publishers
- DnsAdmins
You can use the Active Directory Users and Computers snap-in (dsa.msc) to view the users that have been added to these privileged groups.
For example, suppose you need a list of users with Domain Admins permissions. Find the Domain Admins group, open its properties, and go to the Members tab. You will see the list of users that have been added to this privileged group.
According to Microsoft's security best practices, the number of accounts in privileged groups should be kept to a minimum. It is also recommended that administrators use separate accounts for domain administration tasks, rather than the regular user accounts they use for everyday work on their computers.
For example, for the user Brian Jackson, you can create a separate account adm_jacksonb and add it to the Domain Admins group. This account should only be used to remotely connect to domain controllers and perform AD administration tasks.
Note. It is also recommended that you use Fine-Grained Password Policy (Password Settings Objects, PSO) to assign stricter password policies to privileged groups and users.
Because privileged AD groups can contain other nested groups, it is not always convenient to view their membership in the ADUC console. You can use the following PowerShell script to get a list of accounts that are members of certain privileged groups. It uses the Get-ADGroupMember cmdlet from the PowerShell Active Directory module to expand group membership recursively.

```powershell
$priv_groups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$priv_accounts = @()
foreach ($group in $priv_groups) {
    # -Recursive expands nested groups so indirect members are listed too
    $priv_accounts += Get-ADGroupMember -Identity $group -Recursive |
        Select-Object distinguishedName, samaccountname, name,
            @{Label = 'Privileged Group Name'; Expression = { $group }}
}
$priv_accounts | Out-GridView
```
The script has returned a table with a list of privileged user accounts.
Note that these privileged groups have well-known SIDs/RIDs:
- Enterprise Admins — S-1-5-21-<root domain>-519
- Schema Admins — S-1-5-21-<root domain>-518
- Domain Admins — S-1-5-21-<domain>-512
- Administrators — S-1-5-32-544
You can obtain the SIDs of these groups in your domain and use them instead of the group names in the $priv_groups variable. That way you can still track the membership of the privileged groups even if they are renamed.
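The following is an added example (not code from the original article) that combines the two ideas above: it resolves the four groups by well-known SID instead of by name, expands their membership recursively, and flags any account that is not on an approved list. It assumes the ActiveDirectory module and a reachable domain controller; the $approved list is a constructed sample.

```powershell
# Added example: audit privileged group membership by well-known SID so that
# renamed groups are still covered, and flag members missing from a baseline.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value
$rootSid   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value

# RIDs from the article: 512 Domain Admins (current domain), 518 Schema Admins
# and 519 Enterprise Admins (forest root domain); Administrators is S-1-5-32-544.
$privSids = @(
    "$domainSid-512",
    "$rootSid-518",
    "$rootSid-519",
    'S-1-5-32-544'
)

# Constructed sample baseline of sAMAccountNames expected to hold privileged membership.
$approved = @('Administrator', 'adm_jacksonb')

$report = foreach ($sid in $privSids) {
    # Get-ADGroup accepts a SID string as -Identity, so the current name is irrelevant
    $group = Get-ADGroup -Identity $sid
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            [PSCustomObject]@{
                Group             = $group.Name   # current (possibly renamed) group name
                GroupSid          = $sid
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.distinguishedName
                Approved          = $approved -contains $_.SamAccountName
            }
        }
}

# Show the full membership, then list unexpected accounts separately for follow-up.
$report | Format-Table Group, SamAccountName, Approved -AutoSize
$unexpected = $report | Where-Object { -not $_.Approved }
if ($unexpected) {
    Write-Warning 'Accounts in privileged groups that are not on the approved list:'
    $unexpected | Format-Table Group, SamAccountName, DistinguishedName -AutoSize
}
```

Run it on a schedule and diff the output against the previous run to catch membership changes that were made outside your change process.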
Starting with the Active Directory version introduced in Windows Server 2016, you can use an additional feature called Active Directory Privileged Access Management (PAM). It allows you to add a user to a privileged group temporarily, for a limited time.
Make sure your Active Directory forest functional level is at least Windows Server 2016:

```powershell
(Get-ADForest).ForestMode
```

Check whether this optional feature is enabled (note that once enabled, it cannot be disabled):

```powershell
Get-ADOptionalFeature -Filter "name -eq 'privileged access management feature'"
```

To add a user to a privileged group temporarily, run:

```powershell
$User  = "j.brion"
$Group = "DNSAdmins"
# Time-to-live for the membership; the link expires automatically
$ttl   = New-TimeSpan -Minutes 5
Add-ADGroupMember -Identity $Group -Members $User -MemberTimeToLive $ttl
```
The user can perform their administrative task and is automatically removed from DNSAdmins after 5 minutes.