Forum Discussion
Lise Quinn
Nov 21, 2023 Copper Contributor
Basic question regarding using PowerShell to determine who has Domain admin privileges
I know this must be very basic, but I am weak in my PowerShell skills. I have a domain that I inherited that may have people with domain admin privileges that were assigned to their account as appo...
LainRobertson
Nov 21, 2023 Silver Contributor
Hi, Lise.
That command is fine for such a basic requirement.
At a technical level, it's clunky simply because there's a lot of double- and triple-handling under the hood, but that only matters when you're dealing with a large number of objects, which you won't be for this scenario.
There are at least two other groups you should also audit:
- Administrators;
- Enterprise Admins.
I would also argue it's important to audit the following group, as while it might look less important to the uninitiated, it's analogous to an iceberg:
- Schema Admins.
Lastly, I would prefer to use the userPrincipalName or even sAMAccountName (I avoid this where possible in this cloud era) ahead of "Name", as "Name" is not required to be unique across Active Directory, whereas the former two attributes are.
This would change your script subtly to:
Get-ADGroupMember -Server "your-domain" -Identity "Domain Admins" -Recursive | Get-ADUser | Select userPrincipalName, Enabled
Note: If you choose to use userPrincipalName, be aware that the built-in Administrator user does not have a value for userPrincipalName by default (since it's not mandatory), as per my example below. This isn't important, but I figured I'd mention it anyway.
It'd be highly unusual for your actual users to not have a userPrincipalName though.
Cheers,
Lain
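
The audit described in the reply above, extended to all four groups it names, as an added example that is not part of the original post. It assumes the ActiveDirectory (RSAT) module and a domain-joined machine; the `$groups` table and the report column names are illustrative choices.

```powershell
# Added example: requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumption: run from a domain-joined machine under an account that can read AD.
$domain     = (Get-ADDomain).DNSRoot
$forestRoot = (Get-ADForest).RootDomain

# Enterprise Admins and Schema Admins exist only in the forest root domain.
$groups = @(
    @{ Name = 'Domain Admins';     Server = $domain }
    @{ Name = 'Administrators';    Server = $domain }
    @{ Name = 'Enterprise Admins'; Server = $forestRoot }
    @{ Name = 'Schema Admins';     Server = $forestRoot }
)

$report = foreach ($g in $groups) {
    try {
        $members = Get-ADGroupMember -Server $g.Server -Identity $g.Name -Recursive -ErrorAction Stop
    } catch {
        Write-Warning "Could not read '$($g.Name)' on $($g.Server): $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        # -Recursive can also return computers or service accounts, so keep
        # every member in the report and only enrich the user objects.
        $row = [ordered]@{
            Group             = $g.Name
            ObjectClass       = $m.objectClass
            sAMAccountName    = $m.SamAccountName
            userPrincipalName = $null   # empty by default for the built-in Administrator
            Enabled           = $null
            DistinguishedName = $m.distinguishedName
        }
        if ($m.objectClass -eq 'user') {
            try {
                $u = Get-ADUser -Server $g.Server -Identity $m.distinguishedName -ErrorAction Stop
                $row.userPrincipalName = $u.UserPrincipalName
                $row.Enabled           = $u.Enabled
            } catch {
                # Members from another domain in the forest may not resolve on this server.
                Write-Warning "Could not resolve $($m.distinguishedName) on $($g.Server)"
            }
        }
        [pscustomobject]$row
    }
}

$report | Sort-Object Group, sAMAccountName | Format-Table -AutoSize
```

Because Administrators normally contains Domain Admins and Enterprise Admins as nested groups, the same account can appear under more than one group in the report.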