Forum Discussion
Remove dormant accounts from sensitive groups
- Feb 29, 2024
On the 15th of February 2024, the two accounts I had listed as affected by "Remove dormant accounts from sensitive groups" finally cleared, and the Secure Score was updated as "Completed".
I have not changed anything for months, so I presume this is a fix that's rolled out from MS?
Can anyone else confirm this?
trond_kristiansen I am not sure how long you've waited after removing the groups, but I think you're aware it takes time for Secure Score to update. If it's longer than 24 hours, check the permissions for the account and groups in Active Directory.
The "Replicating Directory Changes" permission makes it possible to replicate all hashes for the entire domain, which means a malicious actor has all "passwords" for all accounts within the domain. The attack is called "DC Sync": it acts as a Domain Controller and synchronizes all hashes and other interesting information. By default, only Domain Administrators have the "Replicating Directory Changes" permissions, but I reckon the account does have these permissions as well.
If you open "Active Directory Users and Computers" on a Domain Controller within the forest, right-click the domain and select "Properties". On the Security tab, check the effective permissions for the user and find out if it's the user or a group which has permissions to replicate directory changes.
For more information you can check the following learn page:
If you have any questions, please let me know.
- trond_kristiansen Nov 06, 2023 Copper Contributor
thalpius, thank you for your response.
Unfortunately, the users in question do not have the "Replicating Directory Changes" permissions on the domain, so I'm still a bit lost.
Could it be other attributes or permissions it triggers on?
- thalpius Nov 06, 2023 Brass Contributor
trond_kristiansen I think it can, but looking at the message, I was assuming it's the "Replicating Directory Changes" permission.
You can use the following PowerShell cmdlet to be sure (change the domain and user to your environment):
Import-Module ActiveDirectory
# Read the ACL on the domain head and keep the ACEs for the named account that
# carry one of the three replication control access right GUIDs
(Get-Acl "ad:\dc=domain,dc=local").Access |
    Where-Object {
        $_.IdentityReference -match 'UserName' -and (
            $_.ObjectType -eq "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" -or
            $_.ObjectType -eq "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" -or
            $_.ObjectType -eq "89e95b76-444d-4c62-991a-0facbeda640c")
    }
This covers the following control access rights:
- DS-Replication-Get-Changes-All
- DS-Replication-Get-Changes
- DS-Replication-Get-Changes-In-Filtered-Set
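The one-liner above only finds ACEs whose IdentityReference contains the user's name, so a right granted to a group the user is nested in will not show up, which is the case thalpius raised earlier (user or group). The following is an added example, not code from this thread: it lists every Allow ACE on the domain head for the three replication rights and expands group grantees recursively, reporting each account together with the group it inherits the right through. The function name Get-ReplicationRightHolders and the placeholder 'UserName' are mine; it assumes the ActiveDirectory module and read access to the domain's ACL.

```powershell
Import-Module ActiveDirectory

# GUIDs of the three replication control access rights (same as in the cmdlet above).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    # Hypothetical helper: one object per (account, right, path) for every Allow ACE on the
    # domain head that grants a replication right, with group grantees expanded recursively.
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        $guid = $ace.ObjectType.ToString().ToLower()
        if ($ace.AccessControlType -ne 'Allow' -or -not $ReplicationRights.ContainsKey($guid)) { continue }
        $right = $ReplicationRights[$guid]

        # Resolve the grantee to its AD object so users can be told apart from groups.
        # Unresolvable or foreign principals (e.g. ENTERPRISE DOMAIN CONTROLLERS) are reported as-is.
        $grantee = $null
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            $grantee = Get-ADObject -Filter "objectSid -eq '$sid'"
        } catch { }

        if ($grantee -and $grantee.objectClass -eq 'group') {
            # Nested membership is exactly what name-matching on IdentityReference misses.
            foreach ($m in (Get-ADGroupMember -Identity $grantee.DistinguishedName -Recursive)) {
                [pscustomobject]@{ Account = $m.SamAccountName; Right = $right; Via = "group $($grantee.Name)" }
            }
        } else {
            [pscustomobject]@{ Account = $ace.IdentityReference.Value; Right = $right; Via = 'direct' }
        }
    }
}

# Everything that may replicate the domain, then the rows for one account (replace UserName).
Get-ReplicationRightHolders | Sort-Object Account, Right | Format-Table -AutoSize
Get-ReplicationRightHolders | Where-Object { $_.Account -eq 'UserName' }
```

Get-ADGroupMember -Recursive stops on groups that contain members from another domain or exceed the server's result limit, so for such groups check the membership separately. Compare the output for the flagged account with that of the account you know has the right to see which path, if any, differs.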
- trond_kristiansen Nov 08, 2023 Copper Contributor
thalpius! Thank you for helping out on this.
Still no luck. I did run Get-Acl as you suggested, but it does not show anything. I then tried an account I know has the Replicating Directory Changes permission, and the result was as it should be.
So it must be something else it triggers on.
I also assumed it had to do with the "Replicating Directory Changes" permission 🙂 But I'm a bit out of suggestions..