Forum Discussion

Copper Contributor

Sep 01, 2023

Get Privileged User Accounts and then associate those names to their AD Groups.... ???

Hello, I have a Windows 2016 Domain and, for an audit, I need to display users who have elevated permissions and the group(s) they belong to. This includes service accounts. This is getting close ...

Windows PowerShell

LainRobertson

Silver Contributor

Sep 02, 2023

Scott_AZ

Hi, Scott.

Using "adminCount = 1" is unreliable since the SDProp process sets this value when someone is added to a privileged group (directly or indirectly) but it does not clear it again if the person is later removed.

Using adminCount will only result in your audit becoming less trustworthy over time.

The only way to accurately perform this kind of audit is to enumerate the transitive memberships of the groups you're interested in, and after that do other follow-on tasks such as looking up the users and their group memberships.

Cheers,

Lain

Scott_AZ

Copper Contributor

Sep 02, 2023

Hi Lain,

I actually don't have the Group Names. I need to know elevated privilege accounts and then associate those users to groups....

I'm not a Powershell expert so I am not sure what the string would look like. Would you be so kind as to let me know? Much appreciated your answer previously.

Scott