Forum Discussion

Lise Quinn's avatar
Lise Quinn
Copper Contributor
Nov 21, 2023

Basic question regarding using powershell to determine who has Domain admin privledges

I know this must be very basic, but I am weak in my powershell skills.  I have a domain that I inherited that may have people with domain admin privileges that were assigned to their account as appo...
Windows PowerShell
Windows Server
LainRobertson's avatar
LainRobertson
Silver Contributor
Nov 21, 2023

Lise Quinn 

 

Hi, Lise.

 

That command is fine for such a basic requirement.

 

At a technical level, it's clunky simply because there's a lot of double- and triple-handling under the hood, but that only matters when you're dealing with a large number of objects, which you won't be for this scenario.

 

There's at least two other groups you should also audit:

 

  • Administrators;
  • Enterprise Admins.

 

I would also argue it's important to audit the following group, as while it might look less important to the uninitiated, it's analogous to an iceberg:

 

  • Schema Admins.

 

Lastly, I would prefer to use the userPrincipalName or even sAMAccountName (I avoid this where possible in this cloud era) ahead of "Name", as "Name" is not required to be unique across Active Directory, whereas the former two attributes are.

 

This would change your script subtly to:

 

Get-ADGroupMember -Server "your-domain" -Identity "Domain Admins" -Recursive | Get-ADUser | Select userPrincipalName, Enabled

 

Note: If you choose to use userPrincipalName, be aware that the built-in Administrator user does not have a value for userPrincipalName by default (since it's not mandatory), as per my example below. This isn't important, but I figured I'd mention it anyway.

 

It'd be highly unusual for your actual users to not have a userPrincipalName though.

 

 

 

Cheers,

Lain

Resources