Forum Discussion
Default Domain Controller Policy settings changed?
Thanks for the feedback. I believe both responses have helped lead me to my answer. If anyone reads this in the future, hopefully the information below will help them if they encounter a similar situation.
Capability SIDs were a new one for me, as I'd never heard of them before. Researching them led me to the page below, which stated, "All Capability SIDs are prefixed by S-1-15-3". This was not the case, as my SIDs began with S-1-5-82 or S-1-5-80. I should have listed the SIDs in my original post for more clarity.
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
Below is the list of SIDs that were shown in my Default Domain Controller Policy and the services/application pools that they are associated with.
S-1-5-82-271721585-897601226-2024613209-625570482-296978595 - .NET v4.5
S-1-5-82-3876422241-1344743610-1729199087-774402673-2621913236 - .NET v4.5 Classic
S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415 - ASP.NET (IIS APPPOOL\DefaultAppPool)
S-1-5-80-1321940109-3370001082-3650459431-215109509-2472514016 - ADFS
S-1-5-80-2246541699-21809830-3603976364-117610243-975697593 - ADFS
After doing more research, I believe that at different points in time someone installed ADCS and ADFS on domain controllers. I could confirm the ADCS install, since while that system has been demoted, it has not been decommissioned yet. I was able to log in to that system and see that ADCS was still installed. ADCS explains the SIDs associated with .NET, since IIS is also installed along with ADCS. Also, I could see that the .NET v4.5, .NET v4.5 Classic and DefaultAppPool application pools were all installed on the former domain controller. This also explains why IIS_IUSRS was listed in the policy.
In regards to ADFS, another admin told me he installed ADFS on a DC once. Since then, ADFS has been moved to dedicated servers.
We do have Exchange in our environment (production and lab), and while that was listed in the Default Domain Controller Policy, it was not a concern. Thanks for the feedback. It was much appreciated.
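The triage the post walks through, as an added example that is not part of the thread or of any Microsoft tooling: classify unfamiliar SIDs found in a GPO by their well-known prefix (S-1-5-80 service SIDs, S-1-5-82 IIS application pool virtual accounts, S-1-15-3 capability SIDs), and derive the service or app pool SID that a given name produces so a candidate name can be matched against a SID left behind in policy. The derivation (SHA-1 of the upper-cased name in UTF-16LE, split into five little-endian 32-bit sub-authorities) is the widely documented one and is stated here as an assumption; on a Windows host `sc.exe showsid <ServiceName>` gives the authoritative answer for a service name. The sample SIDs are the ones from the post plus one constructed capability SID; `classify_sid`, `service_sid`, `apppool_sid` and `triage` are names chosen for this example.

```python
import hashlib
import struct

# Well-known prefixes discussed in the post. A SID with one of these prefixes
# is not a user or group object in AD, so it will not resolve through the
# domain and shows up as an orphaned-looking SID in Group Policy reports.
PREFIX_KINDS = {
    "S-1-5-80": "service SID (NT SERVICE\\<service name>)",
    "S-1-5-82": "IIS application pool virtual account (IIS APPPOOL\\<pool name>)",
    "S-1-15-3": "capability SID (app capability, not a logon account)",
}


def classify_sid(sid: str) -> str:
    """Return a human-readable kind for a SID based on its well-known prefix."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        return "not a SID"
    for prefix, kind in PREFIX_KINDS.items():
        if sid == prefix or sid.startswith(prefix + "-"):
            return kind
    return "other (domain, built-in, or well-known SID)"


def _name_based_sid(name: str, prefix: str) -> str:
    # Assumed derivation: SHA-1 over the upper-cased name encoded as UTF-16LE,
    # digest read as five little-endian unsigned 32-bit sub-authorities.
    digest = hashlib.sha1(name.upper().encode("utf-16-le")).digest()
    subauthorities = struct.unpack("<5I", digest)
    return prefix + "-" + "-".join(str(s) for s in subauthorities)


def service_sid(service_name: str) -> str:
    """SID that the service control manager assigns to NT SERVICE\\<service_name>."""
    return _name_based_sid(service_name, "S-1-5-80")


def apppool_sid(pool_name: str) -> str:
    """SID of the IIS APPPOOL\\<pool_name> virtual account."""
    return _name_based_sid(pool_name, "S-1-5-82")


def triage(sids, candidate_services=(), candidate_pools=()):
    """Classify each SID and, where possible, match it to a candidate name.

    Returns a list of (sid, kind, matched_name_or_None).
    """
    lookup = {service_sid(n): "NT SERVICE\\" + n for n in candidate_services}
    lookup.update({apppool_sid(n): "IIS APPPOOL\\" + n for n in candidate_pools})
    return [(sid, classify_sid(sid), lookup.get(sid)) for sid in sids]


# SIDs quoted in the post, plus one constructed capability SID for contrast.
SAMPLE_SIDS = [
    "S-1-5-82-271721585-897601226-2024613209-625570482-296978595",
    "S-1-5-82-3876422241-1344743610-1729199087-774402673-2621913236",
    "S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415",
    "S-1-5-80-1321940109-3370001082-3650459431-215109509-2472514016",
    "S-1-5-80-2246541699-21809830-3603976364-117610243-975697593",
    "S-1-15-3-1024-1-2-3-4-5-6-7-8",  # constructed, shape only
]

if __name__ == "__main__":
    # Candidate names are whatever the admin suspects was once installed on the
    # DC; a match is a strong hint about which product left the SID behind.
    for sid, kind, match in triage(SAMPLE_SIDS, candidate_pools=["DefaultAppPool"]):
        print(f"{sid}\n    {kind}" + (f"\n    matches {match}" if match else ""))
```

When a match is found, the remediation is the same as the post describes: confirm the role was removed from the DC, then remove the stale principal from the user-rights assignment rather than leaving an unresolvable SID in the Default Domain Controllers Policy.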