Forum Discussion
Remove dormant accounts from sensitive groups
Hi!
I'm having an issue with "Remove dormant accounts from sensitive groups" in Secure Score.
The sensors are installed on an old Active Directory domain, and I do not know its history. But I have several users who have been removed from sensitive groups but still remain in the list. And when I check the reason they get tagged as sensitive users in the Defender portal, the only reason listed is this:
"{Replicating Directory Changes permission on [{DomainReplicationAuthorizedIdsCount, plural, =0 {} =1 {{DomainReplicationAuthorizedIds}} other {# domains}}]{DomainReplicationAuthorizedIdsLinkify}}"
Has anyone been down this rabbit hole before and could shed some light on this issue?
- thalpius, Brass Contributor
trond_kristiansen I am not sure how long you've waited after removing the groups, but I think you're aware it takes time for Secure Score to update. If it's longer than 24 hours, check the permissions for the account and groups in Active Directory.
The "Replicating Directory Changes" permission makes it possible to replicate all hashes for the entire domain, which means a malicious actor has all "passwords" for all accounts within the domain. The attack is called "DCSync": it acts as a Domain Controller and synchronizes all hashes and other interesting information. By default, only Domain Administrators have the "Replicating Directory Changes" permission, but I reckon the account has these permissions as well.
If you open "Active Directory Users and Computers" on a Domain Controller within the forest, right-click the domain and select "Properties". On the Security tab, check the effective permissions for the user and find out whether it's the user or a group which has permission to replicate directory changes.
For more information you can check the following learn page:
If you have any questions, please let me know.
- trond_kristiansen, Copper Contributor
thalpius, thank you for your response.
Unfortunately, the users in question do not have the "Replicating Directory Changes" permission on the domain, so I'm still a bit lost.
Could it be other attributes or permissions it triggers on?
- thalpius, Brass Contributor
trond_kristiansen I think it can, but looking at the message, I was assuming it's "Replicating Directory Changes permission" permission.
You can use the following PowerShell cmdlet to be sure (change the domain and user to your environment):
Import-Module ActiveDirectory
(Get-Acl "ad:\dc=domain,dc=local").Access | ? { $_.IdentityReference -match 'UserName' -and ($_.ObjectType -eq "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" -or $_.ObjectType -eq "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" -or $_.ObjectType -eq "89e95b76-444d-4c62-991a-0facbeda640c") }
This contains the following control access right:
- DS-Replication-Get-Changes-All
- DS-Replication-Get-Changes
- DS-Replication-Get-Changes-In-Filtered-Set
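The one-liner above only matches ACEs whose trustee name contains the user's name, so a right granted to a group the user belongs to (the "user or group" case from the ADUC effective-permissions step earlier in the thread) is missed. The following script is an added example, not code from the thread or from Microsoft: it lists every trustee holding any of the three replication control access rights on the domain head, and then checks a given user against that list by resolving nested group membership. It assumes the ActiveDirectory module is available and that the caller can read the domain object's security descriptor; the sample account name 'jdoe' is a placeholder.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and a
# caller allowed to read the security descriptor of the domain naming context.
Import-Module ActiveDirectory

# The three control access right GUIDs from the thread's one-liner, mapped to names.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolder {
    # Returns one row per Allow ACE on the domain head that grants a replication right.
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        $guid = $ace.ObjectType.ToString()
        if ($ace.AccessControlType -eq 'Allow' -and $ReplicationRights.ContainsKey($guid)) {
            # Resolve the trustee to a SID so it can be compared with group SIDs later.
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $null }
            [PSCustomObject]@{
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Right     = $ReplicationRights[$guid]
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Test-UserReplicationRight {
    # Reports which replication rights a user holds directly or via nested groups.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) expands nested membership server-side.
    $groupSids = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
        ForEach-Object { $_.SID.Value }
    $principalSids = @($user.SID.Value) + @($groupSids)

    Get-ReplicationRightHolder | Where-Object { $principalSids -contains $_.Sid }
}

# Usage: full audit of who can replicate, then the per-user check the thread asked for.
Get-ReplicationRightHolder | Sort-Object Identity, Right | Format-Table -AutoSize
Test-UserReplicationRight -SamAccountName 'jdoe' | Format-Table -AutoSize   # 'jdoe' is a placeholder
```

In a default domain the audit output is short: the built-in Administrators, Domain Controllers and Enterprise Domain Controllers entries, plus, where Azure AD Connect with password hash sync is deployed, its MSOL_ service account (the one JG-Burke mentions later in the thread). Any other trustee in the list is worth explaining. The per-user check compares SIDs rather than names, so renamed accounts and group-granted rights are caught; it does not account for well-known principals such as Authenticated Users, which would show up in the full audit instead.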
- nick-365, Copper Contributor
I have the same issue: the user previously had Enterprise Admin and adminCount=1, has since been removed from all groups, I've tried setting adminCount to null and 0, and no security permissions on the account allow replicating directory changes, yet it's still listed in the "Remove dormant accounts from sensitive groups" in Secure Score and marked as sensitive in AAD.
I even tried removing the user from the sync to delete it from AAD and then adding it back, but this did not work.
Did anyone find a workaround for this?
- trond_kristiansen, Copper Contributor
- JG-Burke, Brass Contributor
This evaluation by MS just doesn't appear to be completely accurate. My MSOL account for AD Connect keeps showing up.
- Jings, Copper Contributor
On the 15th of February 2024, the two accounts I had listed as affected by "Remove dormant accounts from sensitive groups" finally cleared, and the Secure Score was updated as "Completed".
I have not changed anything for months, so I presume this is a fix that's rolled out from MS?
Can anyone else confirm this?
- trond_kristiansen, Copper Contributor
Same result here! My list is down from about 20 accounts to 3, so it seems to be fixed! 🙂
Jings, thank you for bringing this to my attention!