Forum Discussion

Scott_AZ
Copper Contributor
Sep 01, 2023

Get Privileged User Accounts and then associate those names to their AD Groups.... ???

Hello,

I have a Windows 2016 Domain and, for an audit, I need to display users who have elevated permissions and the group(s) they belong to.  This includes service accounts.

This is getting close but doesn't enumerate the users groups:

  Get-ADObject -LDAPFilter "(adminCount=1)"

This works for finding a user's group memberships, but I'm afraid it will take me a LONG time of cut-n-paste of the group memberships:   Get-ADPrincipalGroupMembership

If anyone could help me with a formula I would be really thankful...

Scott in AZ

  • LainRobertson
    Silver Contributor

    Scott_AZ

    Hi, Scott.

    Using "adminCount = 1" is unreliable since the SDProp process sets this value when someone is added to a privileged group (directly or indirectly), but it does not clear it again if the person is later removed.

    Using adminCount will only result in your audit becoming less trustworthy over time.

    The only way to accurately perform this kind of audit is to enumerate the transitive memberships of the groups you're interested in, and after that do other follow-on tasks such as looking up the users and their group memberships.

    Cheers,

    Lain

    • Scott_AZ
      Copper Contributor

      Hi Lain,

      I actually don't have the Group Names.  I need to know elevated privilege accounts and then associate those users to groups....

      I'm not a Powershell expert so I am not sure what the string would look like. Would you be so kind as to let me know? Much appreciated your answer previously.

      Scott
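
Worked example, added here and not code posted by either participant: a PowerShell script that does what Lain describes (enumerate transitive membership of the privileged groups instead of trusting adminCount) and that also addresses Scott's follow-up, since it does not require knowing the group names in advance. It resolves the groups SDProp protects by their well-known SIDs/RIDs, asks the domain controller for transitive members with the LDAP_MATCHING_RULE_IN_CHAIN operator, includes computer and managed service account objects (Scott asked for service accounts), emits one row per account with the privileged groups it belongs to, and finishes by listing accounts that still carry adminCount=1 but are in none of those groups. The exact group list, the CSV path, and treating a servicePrincipalName as a service-account indicator are assumptions for illustration.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module
# and a domain account that can read the directory; run it once per domain.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside an LDAP filter value,
    # so a DN containing "(" or "\" cannot break the query below.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

$domainSid = (Get-ADDomain).DomainSID.Value

# Assumption: the groups SDProp protects are the ones the audit cares about.
# Resolving them by well-known SID/RID means no group names need to be typed
# (or known) in advance. Extend the list with any custom admin groups you have.
$privilegedSids = @(
    "$domainSid-512",   # Domain Admins
    "$domainSid-518",   # Schema Admins (exists in the forest root domain only)
    "$domainSid-519",   # Enterprise Admins (forest root domain only)
    'S-1-5-32-544',     # Administrators
    'S-1-5-32-548',     # Account Operators
    'S-1-5-32-549',     # Server Operators
    'S-1-5-32-551',     # Backup Operators
    'S-1-5-32-550'      # Print Operators
)

$byAccount = @{}   # distinguishedName -> list of privileged group names

foreach ($sid in $privilegedSids) {
    # -Filter simply returns nothing (no error) when the group is absent here,
    # e.g. Schema Admins queried against a child domain.
    $group = Get-ADGroup -Filter "SID -eq '$sid'"
    if (-not $group) { continue }

    $rid     = $sid.Split('-')[-1]
    $groupDn = ConvertTo-LdapFilterValue $group.DistinguishedName

    # memberOf:1.2.840.113556.1.4.1941:= is LDAP_MATCHING_RULE_IN_CHAIN: the DC
    # expands nested groups for us, so indirect members come back too.
    # primaryGroupID catches accounts whose primary group was switched to the
    # privileged group, which never shows up in memberOf.
    # objectClass=user also matches computer and managed service account objects
    # (their class chain derives from user), which an audit wants to see.
    $filter = "(&(objectClass=user)(|(memberOf:1.2.840.113556.1.4.1941:=$groupDn)(primaryGroupID=$rid)))"

    Get-ADObject -LDAPFilter $filter | ForEach-Object {
        if (-not $byAccount.ContainsKey($_.DistinguishedName)) {
            $byAccount[$_.DistinguishedName] = [System.Collections.Generic.List[string]]::new()
        }
        $byAccount[$_.DistinguishedName].Add($group.Name)
    }
}

# One lookup per account, then one row per account with all of its privileged groups.
# Get-ADObject rather than Get-ADUser so gMSAs and computer objects resolve as well.
$report = foreach ($dn in $byAccount.Keys) {
    $acct = Get-ADObject -Identity $dn -Properties sAMAccountName, userAccountControl, servicePrincipalName, adminCount, lastLogonTimestamp
    [PSCustomObject]@{
        SamAccountName   = $acct.sAMAccountName
        ObjectClass      = $acct.ObjectClass                            # user / computer / msDS-GroupManagedServiceAccount
        Enabled          = -not ($acct.userAccountControl -band 0x2)    # 0x2 = ADS_UF_ACCOUNTDISABLE
        HasSPN           = ($acct.servicePrincipalName.Count -gt 0)     # assumption: SPN present => service account
        AdminCount       = $acct.adminCount
        LastLogon        = if ($acct.lastLogonTimestamp) { [DateTime]::FromFileTime($acct.lastLogonTimestamp) }
        PrivilegedGroups = ($byAccount[$dn] | Sort-Object -Unique) -join '; '
    }
}

$report | Sort-Object SamAccountName | Format-Table -AutoSize
$report | Export-Csv -Path .\PrivilegedAccounts.csv -NoTypeInformation   # assumed output path

# Lain's point in practice: accounts that still carry adminCount=1 but are in
# none of the groups above are stale SDProp flags, not privileged users.
# Expect krbtgt here; SDProp protects it directly rather than through a group.
$stale = Get-ADObject -LDAPFilter '(&(adminCount=1)(objectClass=user))' -Properties sAMAccountName |
    Where-Object { -not $byAccount.ContainsKey($_.DistinguishedName) }
"`nadminCount=1 but no longer in a privileged group:"
$stale | Select-Object sAMAccountName, DistinguishedName | Format-Table -AutoSize
```

Two caveats worth knowing before handing the CSV to an auditor. The in-chain query only expands objects the queried domain controller holds, so a member of Administrators that is a foreign security principal from another domain in the forest is reported as that principal, not expanded; run the script in each domain and reconcile. And lastLogonTimestamp is replicated only when it is more than about 14 days stale, so treat LastLogon as approximate rather than as the exact last logon.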
