AD - Search Privileged Groups

mehdi dakhama 336 MVP

Hello everyone,

I'm working for a Script to AD hardening process, I want for the first step to list the ALL privileged groups, i used this command but i ask if the are a same other ways ? without of corse use name, perhaps same things with SID or other attributes

Get-ADUser -Filter "admincount -eq '1'" | Get-ADPrincipalGroupMembership | select name

Thanks,

Accepted answer

Gary Reynolds 9,391 Reputation points

2022-01-27T07:17:28.107+00:00
Hi @mehdi dakhama - starting a new answer as I ran out of characters!

Ok to summarize, you want to restrict the users, that can read properties of groups that provide elevated permissions in your AD environment. The list of groups goes beyond the groups that are current protected by the SDProp process.

I do need to make the official Microsoft statement here: The standard operating model for AD is to allow authenticated users to read the attributes of other AD objects. Changing the operating model to restrict what attributes that can be read by authenticated users, is outside the scope of the normal operating model for Active Directory and could impacts the operation of Active Directory or services that use AD for authenticate or applications that use AD (i.e. Exchange). It could also impact future updates or patches that rely on this functionality. Changes to the standard operating model may also result in issues get support from Microsoft.

There are two approach to deliver the required restriction:

Add an explicit deny permissions to prevent users from see the attributes of the selected groups

Changing default permissions for existing and new user and group objects

The simplest approach is to use the explicit deny method on objects that you don't want users to read, and then assign this right to a group that contains users you want to block from reading the attributes of the group. However this approach will require on going maintenance to ensure new users are added to the deny group.

The more complicated approach, with the higher risk of breaking functionality is change the default permissions, however, this has the highest risk of breaking functionality and will be very hard to remove or reverse once implemented, I don't recommend this approach.

The recommendation is to use option 1 and assign an explicit deny permission.

If you do want to continue with changing the access permissions, I would suggest that you test it in a test environment, before implementing any changes in your production environment.

Deny Permissions Approach

If you assign an explicit deny permission to the groups, in this case the group is called test-group1, this will prevent the user from reading the group details. in this example the permission is applied to a specific user, but you would assign the permission to a group and then add the users you want to restrict.

With this permission in place the user is not able to see the attributes of the groups

And if the restricted user views the properties of a user that is a member of the group, their membership of the group is not displayed:

Where a user that is not restricted can see the group membership of the restricted group

This is simplest to implement for the specific groups but is also the simplest to remove if it's found to causes issues at a later date. You would need to add this permission to the AdminSDHolder container so the SDprop process will apply it the protected groups, and also directly to the groups that are not protected by the SDProp process. You just need to create a new group that will be used to assign the permission. I would not recommend using any the default groups like domain users or authenticated users as these groups include every user and will result in loss of access to all users.

You then just need to add an additional step to the user provisioning process to add new users to the deny group. I would also have some sort of schedule task to add missing users back into the restriction group.

Gary.
Please sign in to rate this answer.
mehdi dakhama 336 Reputation points MVP

2022-01-27T23:44:29.357+00:00

Thanks you @Gary Reynolds for your reponse i appreciad your participation,
you have exactely resume what i want to do, my script is progressing well, everythings work fine, only the specific groupe will be denied to same permission in the privileged groups, of corse i exclude the domain user and authentified user.
For the privileged groups i changed the sdholder permii, and the sdprop change it, but i have a problem with KRBTGT account, it Ill be change automaticaly and it is normal, but my question it is sage to deny permission enumeration for a group contains a basic user ??.i tested it and i have detect any problems, the user get his tickets, can purge it can acces to shared file ??
I thinks that krbtgt is used more from DC and machine not from user !!!
Can same one confirme me this ?
Then i must find another way to do it, for example PLA TAsk, or turn script in bocle when sdprop event is created !!

Gary Reynolds 9,391 Reputation points

2022-01-28T20:51:20.25+00:00

The krbtgt account is used for the kerberos kdc service and is protected by the sdprop process, as long as you don't add the krbtgt account to the deny group you should be ok.

Gary.

mehdi dakhama 336 Reputation points MVP

2022-01-28T20:56:04.413+00:00

@Gary Reynolds but how can i do it ? i wont to add deny to admincount1, and i do it from 'SDholder' !!! then that automatically added to Krbtgt account !!
i read a lot of articles, and i thniks that only the machine account is necessary to read Krbtgt and also DC, in my test the users can get his tgt, purge it, get the groups of his users, access to share , print ... nad update gpo ?

Gary Reynolds 9,391 Reputation points

2022-01-31T05:47:16.373+00:00

As per the screenshot below of the permissions on the AdminSDHolder, you just need to add the deny full control permission, in this case the permission is assigned to the Deny_Group_Read group, this will be applied to all the Protected groups and users in scope for the SDProp process, including the krbtgt user account. This should work fine, but you need to make sure that you don't add the krbtgt account to the Deny_Read_Group, as this could impacts KDC and kerberos ticket allocation.

mehdi dakhama 336 Reputation points MVP

2022-01-31T14:46:30.553+00:00

thanks you @Gary Reynolds , i was test it, and this work fine.
i have another question : your tool list the old users that was be on privilege groups, and keep the admincount 1 like a disable users, i find thes a good point.
but what about the groups with admincount 1 but are not longer part of privilege groups, (i'm working on this, in my script, i can list it) other the groups with admincount1 and have no member or memberof on pvilege count

Gary Reynolds 9,391 Reputation points

2022-02-01T04:47:36.503+00:00

The groups are the same as users, that have been removed from protected groups, they become orphaned. Changes to the AdminSDholder permissions are not replicated to these orphaned objects, and also they don't received any inherited permissions changes from their parent OU\container. The only way to resolved this is remove the block inheritance from these orphaned objects and parent permissions will then be inherited by the objects. NetTools does provide an option to re-enable inheritance for orphaned objects. However, this could cause some inconsistency in the permissions assigned to objects that have been orphaned and ones that haven't, as the AdminSDholder process will remove the default permissions that were assigned when the object was created.

Gary.

mehdi dakhama 336 Reputation points MVP

2022-02-09T23:03:27.44+00:00

Hi @Gary Reynolds , i 'm created a tool that list all orphned objects, not replied by SDprop or do not must have an admincount value =1, i based on recursive research and also same meta, thet tool list gmsa also, and old admin or user no belongs to privileges groups.

i will share it as soon

mehdi dakhama 336 Reputation points MVP

2022-02-09T23:17:55.023+00:00

The Netools dont show these groups as disabled !! even if he show that not have an privilege groups as memebers, also he disent show the gmsa.

but i love Nettools
Sign in to comment

5 additional answers

Thameur-BOURBITA 32,586 Reputation points

2022-01-24T13:37:26.497+00:00
Hi,

You can launch this command to list all privileged groups with admincount = 1:

Get-ADGroup -Filter "admincount -eq '1'" | select Name Get-ADGroup -Filter "admincount -eq '1'" | select DistinguishedName

Please don't forget to mark helpful reply as answer
Please sign in to rate this answer.

1 person found this answer helpful.
mehdi dakhama 336 Reputation points MVP

2022-01-24T13:42:23.32+00:00

Hi Thameur,

the commands don't list the privilleged groups, only the users with privileges, my first command list the groups, but it is not complete, i'm trying by SID prefix perhaps

Thameur-BOURBITA 32,586 Reputation points

2022-01-24T14:01:47.297+00:00

Sorry Mehdi. I forgot to replace Get-ADuser by Get-ADgroup ;).

mehdi dakhama 336 Reputation points MVP

2022-01-24T14:05:17.127+00:00

Thanks,

i have also use these :

Get-ADGroup -Filter {AdminCOunt -eq 1} -Properties AdminCount| Sort-Object -Property Name | Select-Object -Property Name, SamAccountName, DistinguishedName

But i search for other groups in Bultin not listen, like replicate users or Administrators hyper-v, or backup there havent a value in admincount.

i think use the SID like here :
http://support.microsoft.com/kb/243330

Thameur-BOURBITA 32,586 Reputation points

2022-01-24T14:10:58.79+00:00

the commands don't list the privilleged groups, only the users with privileges, my first command list the groups, but it is not complete, i'm trying by SID prefix perhaps

You should use Admincount to identify groups and users with high privileged.
SID is not a good approach , because in case when you create a group and you add it to privileged account , you can't detected it by SID.

Please don't forget to mark helpful reply as answer

mehdi dakhama 336 Reputation points MVP

2022-01-24T14:17:23.413+00:00

Yes i know, i'm looking to combine the three methods,

first : Get-Audser with Admincount
GEt-ADgroup with Admincount
and also search for the same groups not listings by SID, like Hyper-V administrators ...
Sign in to comment
Thameur-BOURBITA 32,586 Reputation points

2022-01-24T16:23:15.417+00:00
Hi,

**But i search for other groups in Bultin not listen, like replicate users or Administrators hyper-v, or backup there havent a value in admincount.

i think use the SID like here :
http://support.microsoft.com/kb/243330**

Regarding the builtin groups you can use the following command:

Get-ADGroup -filter * -Searchbase "CN=Builtin,DC=domainName,DC=lan" select ExpandProperty SamaccountName

Please don't forget to mark helpful reply as answer
Please sign in to rate this answer.
mehdi dakhama 336 Reputation points MVP

2022-01-24T22:15:45.82+00:00

I prefer use this command : without statique text and exclude Users and Guest groups

(Get-ADGroup -filter 'SID -ne "S-1-5-32-545" -and SID -ne "S-1-5-32-546"' -Searchbase (Get-ADObject -Filter 'name -eq "Builtin"').distinguishedname ).name
Sign in to comment
Gary Reynolds 9,391 Reputation points

2022-01-24T21:17:21.333+00:00

Hi @mehdi dakhama

For reference have a look at the SDProp option in NetTools, it provides a full list of the user and groups that are protected by the SDProp process, with the group nesting, showing why a user or group were protected. It will also show any objects that have been orphaned by the process.

Gary.
Please sign in to rate this answer.
mehdi dakhama 336 Reputation points MVP

2022-01-24T21:54:26.483+00:00

HI Gary,

Thanks you for reply, It 's great tool, and exactelly as i want to do, but the tool show the same groups, and dont show all the grous privileged.

i want to list all privileged groups and users to protect it from enumeration, but this tool that give me an idea.

Gary Reynolds 9,391 Reputation points

2022-01-25T01:27:56.493+00:00

Hi @mehdi dakhama

The tool will list all user and group objects that have the admincount set using the following query (&(|(objectclass=user)(objectclass=group))(admincount=*)(!admincount=0)). Do you have an example of user or group that is missed by this query?

A group may be displayed more than once, as with your administreur user above, as the user is a member of multiple groups that have admincount set, these are listed on separate lines.

In the case of user2 in the above screenshot, the user was once a member of a protected group, but has now been removed. This is classed as an orphaned user, as any permissions changes to the SDAdminHolder will not be replicated to this user object.

Can you explain what you mean by

i want to list all privileged groups and users to protect it from enumeration

Gary.

Gary Reynolds 9,391 Reputation points

2022-01-25T11:26:15.137+00:00

Hi,

Only the groups listed in this article and the nested members of these groups, are covered by the SDProp process, the other groups in the Built-in container are not protected and will not have admincount attribute set. While you can set the admincount attribute to 1 on these groups the SDProp process will not update the security descriptor of the objects. However, you could set the admincount attribute on the required groups to 1, then the LDAP query of (&(|(objectclass=user)(objectclass=group))(admincount=*)(!admincount=0)) would return the complete list of groups you want.

It is also possible to remove certain groups from the SDProp process by updating the dsHeuristics attribute character 16 (dwAdminSDExMask) as defined by MS-ADTS 3.1.1.6.1.4

Gary.

mehdi dakhama 336 Reputation points MVP

2022-01-26T21:24:13.12+00:00

Hi, thanks you for reply, this is the result of my script

mehdi dakhama 336 Reputation points MVP

2022-01-26T22:05:37.003+00:00

it is a great tool,
this is a wont that final result, disable enum for no privileged users, and groups, then i must add an important groups

mehdi dakhama 336 Reputation points MVP

2022-01-26T22:51:09.007+00:00

I also wanted to congratulate you for your tool, it's very great and hulpful i will talk about me on community.

for list the groups i use this command :

$Resultatfinal = @() $Resultatfinal += (Get-ADGroup -filter 'SID -ne "S-1-5-32-545" -and SID -ne "S-1-5-32-546"' -Searchbase (Get-ADObject -Filter 'name -eq "Builtin"').distinguishedname ).name (Get-ADGroup -Filter {AdminCOunt -eq 1}).Name | ForEach-Object { if ($Resultatfinal -notcontains $_) { $Resultatfinal += $_ } } Get-ADUser -Filter "admincount -eq '1'" | ForEach-Object { Get-ADPrincipalGroupMembership $_ | ? {$_.sid -notlike '*-513'} | ForEach-Object { if ($Resultatfinal -notcontains $_.name) { Write-Host $_.name $Resultatfinal += $_.name } } } $Resultatfinal | Out-GridView

mehdi dakhama 336 Reputation points MVP

2022-01-26T22:54:52.993+00:00

I have a question how to change the ACL for privileg Users or Groups, without change the AdminSDHolder, because the SDProp process, reset the original ACL.
Sign in to comment
Limitless Technology 39,376 Reputation points

2022-01-25T10:37:54.547+00:00

Hello Mehdidakhama

You can use the groups SID as referenced here:

Privileged Group Membership for the following groups:

- Enterprise Admins - SID: S-1-5-21root domain-519

- Schema Admins - SID: S-1-5-21root domain-518

- Domain Admins - SID: S-1-5-21domain-512

- Cert Publishers - SID: S-1-5-21domain-517

- Administrators - SID: S-1-5-32-544

- Account Operators - SID: S-1-5-32-548

- Server Operators - SID: S-1-5-32-549

- Backup Operators - SID: S-1-5-32-551

- Print Operators - SID: S-1-5-32-550

Reference: http://support.microsoft.com/kb/243330

--If the reply is helpful, please Upvote and Accept as answer--
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

AD - Search Privileged Groups

5 additional answers

Privileged Group Membership for the following groups:

- Enterprise Admins - SID: S-1-5-21root domain-519

- Schema Admins - SID: S-1-5-21root domain-518

- Domain Admins - SID: S-1-5-21domain-512

- Cert Publishers - SID: S-1-5-21domain-517

- Administrators - SID: S-1-5-32-544

- Account Operators - SID: S-1-5-32-548

- Server Operators - SID: S-1-5-32-549

- Backup Operators - SID: S-1-5-32-551

- Print Operators - SID: S-1-5-32-550