Forum Discussion
Basic question regarding using powershell to determine who has Domain admin privledges
Hi, Lise.
That command is fine for such a basic requirement.
At a technical level, it's clunky simply because there's a lot of double- and triple-handling under the hood, but that only matters when you're dealing with a large number of objects, which you won't be for this scenario.
There's at least two other groups you should also audit:
- Administrators;
- Enterprise Admins.
I would also argue it's important to audit the following group, as while it might look less important to the uninitiated, it's analogous to an iceberg:
- Schema Admins.
Lastly, I would prefer to use the userPrincipalName or even sAMAccountName (I avoid this where possible in this cloud era) ahead of "Name", as "Name" is not required to be unique across Active Directory, whereas the former two attributes are.
This would change your script subtly to:
Get-ADGroupMember -Server "your-domain" -Identity "Domain Admins" -Recursive | Get-ADUser | Select userPrincipalName, Enabled
Note: If you choose to use userPrincipalName, be aware that the built-in Administrator user does not have a value for userPrincipalName by default (since it's not mandatory), as per my example below. This isn't important, but I figured I'd mention it anyway.
It'd be highly unusual for your actual users to not have a userPrincipalName though.
Cheers,
Lain