Part of securing Active Directory is ensuring that the groups that have privileges have the correct members. Of course, obtaining the members of a group is not all that hard. What is difficult is to know which groups have elevated privileges, as well as obtaining the group membership iteratively. Below, I’ll show you how to easily get the listing of groups and how to analyze them.
First, let’s get a listing of the groups that have elevated privileges in your Active Directory domain. There will be three different groupings of these groups:
-
Default groups that have elevated privileges – Domain Admins, Enterprise Admins, Administrators, DNSAdmins, Group Policy Creator Owners, etc.
-
Groups installed with applications and services; for example, Exchange, Sharepoint, and SQL.
-
Groups created by the IT staff that are used to grant privileges over servers, management, etc.
Second, how do you get a listing of the group members of each of these groups down to the user level? You can manually do this using Active Directory Users and Computers; however, this would take a long time. You could try and use PowerShell, which is possible, just not all that pretty. My suggestion is to use ADManager Plus, which can get all group members down to the user with just a few clicks. Figure 1 shows that you can pick and choose all of your privileged groups.
Figure 1. Choosing privileged groups using ADManager Plus
You can see what the group membership report would show in Figure 2.
Figure 2. Group membership report using ADManager Plus
Now that you have all of your groups and the members recursively, you simply need to analyze if the membership is appropriate. You might need to ask the business owner of the group, of course, in order to finalize your analysis.