
Privileged Group Membership Audit #28

@Andrew-Stevic

Description

Comprehensive audit of privileged group memberships in Active Directory, with focus on Domain Admins and other high-privilege groups.

Business Context

Excessive Domain Admin accounts are a top security risk:

  • Common attack target (credential theft, Pass-the-Hash)
  • Regulatory compliance issue (PCI-DSS, SOX, HIPAA)
  • Principle of least privilege violation
  • MSPs frequently find 10-50+ DAs when only 2-5 are needed

Checks to Implement

High-Priority Checks

  • Domain Admins count and full member list
  • Enterprise Admins count and member list
  • Schema Admins count and member list
  • Nested group memberships in privileged groups
  • Service accounts in Domain Admins
  • Inactive Domain Admin accounts (30/60/90 days)
  • User accounts in builtin\Administrators

Medium-Priority Checks

  • AdminSDHolder protected objects count
  • Accounts with SID History attribute
  • Delegated admin rights (non-standard groups with high privileges)
  • Recently added Domain Admins (last 30 days)
  • Domain Admins without MFA (if available)

Reporting

  • Total count, retained per run so trends can be analysed over time
  • List all members with their last logon date
  • Highlight service accounts (matched by name pattern)
  • Flag inactive accounts
  • Show nested group paths (e.g., UserA → GroupB → Domain Admins)

PowerShell Queries Needed

# Get all Domain Admin members (including nested)
Get-ADGroupMember -Identity "Domain Admins" -Recursive

# Get last logon for each DA (LastLogonDate is derived from the replicated
# lastLogonTimestamp and can lag the true last logon by up to 14 days)
Get-ADUser -Filter {memberof -RecursiveMatch "CN=Domain Admins,CN=Users,DC=domain,DC=com"} `
  -Properties LastLogonDate, Enabled, PasswordNeverExpires

# Find groups nested directly in Domain Admins (repeat per nested group to build full paths)
Get-ADGroupMember "Domain Admins" | Where-Object {$_.objectClass -eq "group"}

# AdminSDHolder protected objects
Get-ADObject -LDAPFilter "(adminCount=1)" -Properties adminCount

# SID History
Get-ADUser -Filter {SIDHistory -like "*"} -Properties SIDHistory

Risk Scoring

Critical findings:

  • More than 5 Domain Admins (score: 8/10)
  • Service accounts in Domain Admins (score: 9/10)
  • Inactive DA accounts (score: 9/10)
  • DA with password never expires (score: 10/10)

High findings:

  • More than 10 Domain Admins (score: 6/10)
  • Nested groups in privileged groups (score: 7/10)
  • No MFA on Domain Admins (score: 8/10)

Medium findings:

  • More than 3 Schema Admins (score: 5/10)
  • Recently added Domain Admins (score: 4/10)
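An added, offline model of the Reporting and Risk Scoring logic above (example code written for this issue, not part of the project): it expands nested membership into UserA -> GroupB -> Domain Admins paths, guards against circular nesting, and applies the issue's scores to a constructed snapshot of what the listed Get-ADGroupMember / Get-ADUser queries return. The group names, account names, dates and the service-account prefixes are assumptions made for the example.

```python
from datetime import date, timedelta

# Constructed snapshot standing in for the output of the page's Get-ADGroupMember
# and Get-ADUser queries (names and dates are made up for this example).
TODAY = date(2024, 6, 1)
GROUPS = {  # group -> direct members as (sAMAccountName, objectClass)
    "Domain Admins": [("alice", "user"), ("svc_backup", "user"), ("Tier0-Ops", "group")],
    "Tier0-Ops": [("bob", "user"), ("carol", "user"), ("Domain Admins", "group")],  # circular on purpose
}
USERS = {  # sAMAccountName -> (LastLogonDate, Enabled, PasswordNeverExpires)
    "alice": (TODAY - timedelta(days=3), True, False),
    "svc_backup": (TODAY - timedelta(days=1), True, True),
    "bob": (TODAY - timedelta(days=120), True, False),
    "carol": (TODAY - timedelta(days=10), True, False),
}
SERVICE_PREFIXES = ("svc_", "svc-", "sa_")  # assumed naming patterns for service accounts

def resolve_members(group, chain=None, seen=None):
    """Expand nested membership; yields (user, path) with path like [user, Group, Domain Admins]."""
    chain = chain if chain is not None else [group]
    seen = seen if seen is not None else {group}
    for name, cls in GROUPS.get(group, []):
        if cls != "group":
            yield name, [name] + chain
        elif name not in seen:        # circular nesting must not recurse forever
            seen.add(name)
            yield from resolve_members(name, [name] + chain, seen)

def audit_domain_admins(inactive_days=90):
    """Apply the issue's checks and risk scores to the Domain Admins membership."""
    members = list(resolve_members("Domain Admins"))
    findings = []                      # (check, subject, score out of 10)
    for user, path in members:
        last_logon, enabled, never_expires = USERS[user]
        if user.lower().startswith(SERVICE_PREFIXES):
            findings.append(("service account in Domain Admins", user, 9))
        if enabled and (TODAY - last_logon).days > inactive_days:
            findings.append((f"inactive DA (>{inactive_days} days)", user, 9))
        if never_expires:
            findings.append(("DA with password never expires", user, 10))
    for nested in sorted({" -> ".join(p[1:]) for _, p in members if len(p) > 2}):
        findings.append(("nested group in Domain Admins", nested, 7))
    if len(members) > 5:
        findings.append(("more than 5 Domain Admins", f"{len(members)} members", 8))
    return {"count": len(members), "paths": [" -> ".join(p) for _, p in members],
            "findings": findings, "max_score": max((s for _, _, s in findings), default=0)}
```

Swapping the two dictionaries for the real query output (and the 90-day default for the 30/60 variants) gives the per-member report the Reporting section asks for.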

Deliverables

  • PrivilegedGroupAuditCheck.cs class
  • PowerShell scripts for all group queries
  • Risk scoring logic for findings
  • Unit tests
  • Documentation of recommended thresholds

Best Practice Thresholds

Domain Admins:

  • Ideal: 2-3 (break-glass accounts)
  • Acceptable: 4-5
  • Warning: 6-10
  • Critical: 11+

Enterprise Admins:

  • Ideal: 0 (only for AD changes)
  • Acceptable: 1-2
  • Critical: 3+

Schema Admins:

  • Ideal: 0 (only for schema changes)
  • Acceptable: 1
  • Critical: 2+

References

  • Microsoft Tier 0 Asset Documentation
  • CIS Benchmark: AD Section
  • NIST 800-53: AC-6 (Least Privilege)
