Forum Discussion
trond_kristiansen
Nov 03, 2023Copper Contributor
Remove dormant accounts from sensitive groups
Hi! I'm having an issue with "Remove dormant accounts from sensitive groups" in Secure Score. The sensors are installed on an old Active Directory domain, and I do not know the history of it...
- Feb 29, 2024
On the 15th of February 2024, the two accounts I had listed as affected by "Remove dormant accounts from sensitive groups" finally cleared, and the Secure Score was updated as "Completed".
I have not changed anything for months, so I presume this is a fix that's been rolled out from MS?
Can anyone else confirm this?
trond_kristiansen
Nov 09, 2023Copper Contributor
thalpius, I really appreciate your insight and effort on this matter. Sorry if I was a bit unclear in my problem description.
Your tips on how to find the 'Replicating Directory Changes' permission were great, especially the Get-Acl PowerShell code. Great blog about the sensitive groups too!
However, the users I'm struggling with might have been in one of those groups at one time during the last 10-15 years. Most of these users have the 'adminCount' attribute set to '1', so I've tried clearing that attribute and enabling permission inheritance on the user objects, and one of those users actually disappeared from the list in Secure Score. But when checking that specific user in the Defender portal, it's still marked as sensitive with the same message as in my original post.
So I'm still a bit confused as to why they are tagged as sensitive when they're not a member of any of the sensitive groups nor have any 'Replicating Directory Changes' permission on the domain... 😐
Jings
Nov 10, 2023Copper Contributor
I have the exact same problem with two accounts in our domain as well. The accounts used to be "Domain/Enterprise Admins", but have since been disabled, and all administrative access removed.
I've looked everywhere, and the accounts do not have the "Replicating Directory Changes" permission anywhere.
The PowerShell commands show nothing for the two affected accounts, but show (correctly) that a full Domain/Enterprise Admin has those rights.
So either the Defender for Identity sensor triggers on something else, or there is some bug in the detection routines.
I've had accounts previously, where I've removed administrative access, and the "Removed dormant accounts from sensitive groups" has cleared fine.
- Jings
Nov 10, 2023Copper Contributor
Didn't see the tip about adminCount=1 the first time I replied. Both my problem accounts had this, so I've tried clearing it now, and hopefully that will fix my problem.
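The steps the posters above describe, finding users that still carry adminCount=1 without being in a protected group any more, clearing the attribute and re-enabling ACL inheritance, and checking who holds the Replicating Directory Changes rights on the domain root, put together as one script. This is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module (which provides the AD: PSDrive), rights to modify the affected user objects, and the default AdminSDHolder-protected group list identified by well-known SIDs. Names such as $orphaned, $protectedSids and the -Fix switch are chosen for this example. Run it without -Fix first; it only reports.

```powershell
# Added example (not from the thread): report users with a stale adminCount=1
# that are no longer members of any AdminSDHolder-protected group, optionally
# clear the attribute and re-enable inheritance, and list principals holding
# Replicating Directory Changes rights on the domain naming context.
# Default is read-only; pass -Fix (optionally with -WhatIf) to apply changes.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Fix
)

Import-Module ActiveDirectory -ErrorAction Stop

$domain    = Get-ADDomain
$domainDN  = $domain.DistinguishedName
$domainSid = $domain.DomainSID.Value

# Default groups protected by AdminSDHolder/SDProp, looked up by SID so the
# script does not depend on localized group names (assumed default set).
$protectedSids = @(
    "$domainSid-512",   # Domain Admins
    "$domainSid-516",   # Domain Controllers
    "$domainSid-518",   # Schema Admins (forest root domain only)
    "$domainSid-519",   # Enterprise Admins (forest root domain only)
    "$domainSid-521",   # Read-only Domain Controllers
    'S-1-5-32-544',     # Administrators
    'S-1-5-32-548',     # Account Operators
    'S-1-5-32-549',     # Server Operators
    'S-1-5-32-550',     # Print Operators
    'S-1-5-32-551',     # Backup Operators
    'S-1-5-32-552'      # Replicator
)

# Resolve membership transitively with the LDAP_MATCHING_RULE_IN_CHAIN OID,
# which follows nested groups in a single server-side query.
$protectedMembers = @{}
foreach ($sid in $protectedSids) {
    try { $group = Get-ADGroup -Identity $sid -ErrorAction Stop } catch { continue }
    $filter = "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
    Get-ADUser -LDAPFilter $filter | ForEach-Object {
        $protectedMembers[$_.DistinguishedName] = $group.Name
    }
}

# Users flagged adminCount=1 that SDProp would no longer protect today.
$orphaned = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
    Where-Object { -not $protectedMembers.ContainsKey($_.DistinguishedName) }

foreach ($user in $orphaned) {
    $inheritanceBlocked = $user.nTSecurityDescriptor.AreAccessRulesProtected
    Write-Output ("{0}: adminCount=1, inheritance blocked={1}, protected group member=no" -f $user.SamAccountName, $inheritanceBlocked)

    if ($Fix -and $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Clear adminCount and enable inheritance')) {
        # If the user were still in a protected group, SDProp would set
        # adminCount back on its next run, so clearing it here is safe.
        Set-ADUser -Identity $user -Clear adminCount

        # Re-enable inheritance via the AD: PSDrive. SetAccessRuleProtection($false, $true)
        # removes the protection flag and keeps the existing explicit ACEs.
        $path = "AD:\$($user.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
    }
}

# Principals with Replicating Directory Changes rights (DCSync) on the domain root.
$replGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $replGuids.ContainsKey($_.ObjectType.ToString()) } |
    ForEach-Object {
        [pscustomobject]@{
            Identity = $_.IdentityReference.Value
            Right    = $replGuids[$_.ObjectType.ToString()]
            Type     = $_.AccessControlType
        }
    } | Sort-Object Identity | Format-Table -AutoSize
```

The report pairs adminCount with the AreAccessRulesProtected flag because SDProp sets both when it stamps a protected account, and neither is removed automatically when the account leaves the group; the replication-rights listing at the end is the Get-Acl check the posters used, filtered on the two extended-right GUIDs rather than on display names.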