Forum Discussion
trond_kristiansen
Nov 03, 2023 (Copper Contributor)
Remove dormant accounts from sensitive groups
Hi! I'm having an issue with "Remove dormant accounts from sensitive groups" in Secure Score. The sensors are installed on an old Active Directory domain, and I do not know the history of it...
- Feb 29, 2024 (update): On the 15th of February 2024, the two accounts I had listed as affected by "Remove dormant accounts from sensitive groups" finally cleared, and the Secure Score was updated as "Completed".
I have not changed anything for months, so I presume this is a fix that's been rolled out from MS?
Can anyone else confirm this?
trond_kristiansen
Nov 06, 2023 (Copper Contributor)
thalpius, thank you for your response.
Unfortunately, the users in question do not have the "Replicating Directory Changes" permission on the domain, so I'm still a bit lost.
Could it be other attributes or permissions it triggers on?
thalpius
Nov 06, 2023 (Brass Contributor)
trond_kristiansen I think it can, but looking at the message, I was assuming it's the "Replicating Directory Changes" permission.
You can use the following PowerShell cmdlet to be sure (change the domain and user to your environment):
Import-Module ActiveDirectory
# The three GUIDs are the rightsGuid values of the replication control access rights listed below
$replicationRights = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2', '89e95b76-444d-4c62-991a-0facbeda640c'
(Get-Acl "AD:\dc=domain,dc=local").Access | Where-Object { $_.IdentityReference -match 'UserName' -and $_.ObjectType.ToString() -in $replicationRights }
Those GUIDs correspond to the following control access rights:
- DS-Replication-Get-Changes-All
- DS-Replication-Get-Changes
- DS-Replication-Get-Changes-In-Filtered-Set
trond_kristiansen
Nov 08, 2023 (Copper Contributor)
thalpius! Thank you for helping out on this.
Still no luck. I did run Get-Acl as you suggested, but it does not show anything. I then tried an account I know has the Replicating Directory Changes permission, and the result was as it should be.
So it must be something else it triggers on.
I also assumed it had to do with the "Replicating Directory Changes" permission 🙂 But I'm a bit out of suggestions..
thalpius
Nov 08, 2023 (Brass Contributor)
trond_kristiansen Aah ok. Didn't know you assumed about the permissions. Accounts become dormant if they are not used for a period of 180 days. There's a list of "sensitive groups" as well. I've created a blog post about this, maybe that helps:
https://thalpius.com/2023/07/11/microsoft-defender-for-identity-recommended-actions-remove-dormant-accounts-from-sensitive-groups/
trond_kristiansen
Nov 09, 2023 (Copper Contributor)
thalpius, I really appreciate your insight and effort on this matter. Sorry if I was a bit unclear in my problem description.
Your tips on how to find the 'Replicating Directory Changes' permission were great, especially the Get-Acl PowerShell code. Great blog about the sensitive groups too!
However, the users I'm struggling with might have been in one of those groups at one time during the last 10-15 years. Most of these users have the 'adminCount' attribute set to '1', so I've tried clearing that attribute and enabling permission inheritance on the user objects, and one of those users actually disappeared from the list in Secure Score. But when checking that specific user in the Defender portal, it's still marked as sensitive with the same message as in my original post.
So I'm still a bit confused as to why they are tagged as sensitive when they're not a member of any of the sensitive groups nor have any 'Replicating Directory Changes' permission on the domain.. 😐
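The two things the thread circles around are (a) the recommendation's own definition, an account unused for 180 days that is currently in a sensitive group, and (b) the SDProp leftovers from old membership that the Nov 09 post found by hand: adminCount=1 and inheritance blocked on users that are no longer in any protected group. The script below is an added example written for this page, not code from the thread, the blog post or Microsoft, and it assumes the RSAT ActiveDirectory module and a domain-level read account. The group list is an illustrative subset of AD's protected groups, not Defender for Identity's full "sensitive groups" list, and the 180-day cutoff is the threshold mentioned in the thread; both are assumptions to adjust for your environment. It produces one report that separates the two cases so you can see which one an account actually falls into, and includes (commented out) the same cleanup the Nov 09 post did manually.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory and a domain-wide read account.
Import-Module ActiveDirectory

$DormantDays = 180                              # threshold mentioned in the thread (assumption)
$Cutoff      = (Get-Date).AddDays(-$DormantDays)

# Illustrative subset of AD protected groups (assumption; not MDI's authoritative sensitive-group list)
$SensitiveGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                     'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators')

# Resolve every nested user member of those groups once, keyed by distinguishedName -> group name
$sensitiveMembers = @{}
foreach ($name in $SensitiveGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }               # group may not exist in every domain
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $sensitiveMembers[$_.distinguishedName] = $name }
}

# One query for all enabled users with the attributes the thread discussed
$users = Get-ADUser -Filter 'Enabled -eq $true' `
                    -Properties adminCount, LastLogonDate, nTSecurityDescriptor

$report = foreach ($u in $users) {
    $inSensitive = $sensitiveMembers.ContainsKey($u.DistinguishedName)
    # LastLogonDate is derived from lastLogonTimestamp; $null means never logged on, treat as dormant
    $dormant     = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $Cutoff)
    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        LastLogonDate      = $u.LastLogonDate
        Dormant            = $dormant
        SensitiveGroup     = $sensitiveMembers[$u.DistinguishedName]   # $null if not a current member
        adminCount         = $u.adminCount
        InheritanceBlocked = $u.nTSecurityDescriptor.AreAccessRulesProtected
        # adminCount=1 but no current protected-group membership: SDProp leftover from old membership
        OrphanAdminCount   = ($u.adminCount -eq 1) -and (-not $inSensitive)
    }
}

# Case (a): what the recommendation is literally about, dormant AND currently in a sensitive group
$report | Where-Object { $_.Dormant -and $_.SensitiveGroup } |
    Sort-Object LastLogonDate |
    Format-Table SamAccountName, LastLogonDate, SensitiveGroup -AutoSize

# Case (b): the leftovers the Nov 09 post describes (adminCount=1, inheritance blocked, not in any group)
$report | Where-Object { $_.OrphanAdminCount } |
    Format-Table SamAccountName, LastLogonDate, adminCount, InheritanceBlocked -AutoSize

# Cleanup for a single orphaned account, the same steps the Nov 09 post did by hand.
# Left commented out; review each account before running, this is a write to the directory.
# $target = Get-ADUser -Identity 'someuser'                      # hypothetical account name
# Set-ADUser -Identity $target -Clear adminCount
# $acl = Get-Acl -Path "AD:\$($target.DistinguishedName)"
# $acl.SetAccessRuleProtection($false, $true)                    # re-enable inheritance, keep existing ACEs
# Set-Acl -Path "AD:\$($target.DistinguishedName)" -AclObject $acl
```

Two caveats when reading the output. Get-ADGroupMember -Recursive only follows group nesting inside this domain, so membership granted through groups from a trusted domain will not show in case (a). And clearing adminCount and re-enabling inheritance changes the object's ACL, so after the next SDProp cycle confirm the account is still absent from every protected group, otherwise SDProp will simply set adminCount back to 1 and re-protect it.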