Nov 03 2023 06:30 AM - edited Nov 03 2023 06:43 AM
Hi!
I'm having an issue with "remove dormant accounts from sensitive groups" in Secure Score.
The sensors are installed on an old Active Directory domain, and I do not know the history of it. But I have several users that are removed from sensitive groups, but still remain in the list. And when checking the reason they get tagged as sensitive users in the Defender portal, the only reason listed is this:
"{Replicating Directory Changes permission on [{DomainReplicationAuthorizedIdsCount, plural, =0 {} =1 {{DomainReplicationAuthorizedIds}} other {# domains}}]{DomainReplicationAuthorizedIdsLinkify}}"
Has anyone been down this rabbit hole before and could shed some light on this issue?
Nov 05 2023 12:58 PM
@trond_kristiansen I am not sure how long you've waited after removing the groups, but I think you're aware it takes time for Secure Score to update. If it's longer than 24 hours, check the permissions for the account and groups in Active Directory.
The "Replicating Directory Changes" permission makes it possible to replicate all hashes for the entire domain, which means a malicious actor has all "passwords" for all accounts within the domain. The attack is called "DC Sync" and it acts as a Domain Controller and synchronizes all hashes and other interesting information. By default, only Domain Administrators have the "Replicating Directory Changes" permissions, but I reckon the account does have these permissions as well.
If you open "Active Directory User and Computers" on a Domain Controller within the forest, right-click the domain and select "properties". On the security tab, check the effective permissions for the user and find out if it's the user or group which has permissions to replicate directory changes.
For more information you can check the following learn page:
If you have any questions, please let me know.
Nov 06 2023 12:25 PM - edited Nov 06 2023 12:26 PM
@trond_kristiansen I think it can, but looking at the message, I was assuming it's "Replicating Directory Changes permission" permission.
You can use the following PowerShell cmdlet to be sure (change the domain and user to your environment):
Import-Module ActiveDirectory
# The three ObjectType GUIDs are the control access rights DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set
(Get-Acl "ad:\dc=domain,dc=local").Access | ? {$_.IdentityReference -match 'UserName' -and ($_.ObjectType -eq "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" -or $_.ObjectType -eq "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" -or $_.ObjectType -eq "89e95b76-444d-4c62-991a-0facbeda640c") }
This contains the following control access right:
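An added example, not part of this thread and not the poster's own code, that extends the check above: it lists every ACE on the domain naming context granting one of the three replication control access rights, then checks whether a given account holds one of them directly or through nested group membership (via the tokenGroups attribute), which is where a "removed" right often still lives. The domain DN, the account name and the presence of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example (not from the thread): audit holders of the three replication control access
# rights on the domain NC and test one account for direct or nested-group grants.
# Assumes the RSAT ActiveDirectory module; DN and account name are placeholders.
Import-Module ActiveDirectory

# Well-known rightsGuid values of the DCSync-relevant control access rights.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationAce {
    param([Parameter(Mandatory)][string]$DomainDN)
    (Get-Acl "AD:\$DomainDN").Access |
        Where-Object {
            # Only Allow ACEs that grant ExtendedRight for one of the three GUIDs matter here.
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
            $ReplicationRights.ContainsKey($_.ObjectType.ToString())
        } |
        ForEach-Object {
            $ace = $_
            # IdentityReference is an NTAccount when resolvable, otherwise an orphaned SID; keep the SID either way.
            $sid = $ace.IdentityReference.Value
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch {}
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Right     = $ReplicationRights[$ace.ObjectType.ToString()]
                Inherited = $ace.IsInherited
            }
        }
}

function Test-ReplicationRightHolder {
    param([Parameter(Mandatory)][string]$DomainDN, [Parameter(Mandatory)][string]$SamAccountName)
    # tokenGroups is the flattened group SID list (nested groups included); the account's own SID
    # is added so that a grant made directly to the user is matched as well.
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    $sids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value })
    Get-ReplicationAce -DomainDN $DomainDN | Where-Object { $sids -contains $_.Sid }
}

# Usage: all grants on the domain first, then only the ones that apply to one account.
Get-ReplicationAce -DomainDN 'DC=domain,DC=local' | Format-Table -AutoSize
Test-ReplicationRightHolder -DomainDN 'DC=domain,DC=local' -SamAccountName 'UserName' | Format-Table -AutoSize
```

If the second call returns rows for an account that has no direct ACE, the Identity column names the group through which the right is still inherited.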
Nov 08 2023 01:12 PM
@trond_kristiansen Aah ok. Didn't know you assumed about the permissions. Accounts become dormant if they are not used for a period of 180 days. There's a list of "sensitive groups" as well. I've created a blog post about this, maybe that helps:
https://thalpius.com/2023/07/11/microsoft-defender-for-identity-recommended-actions-remove-dormant-a...
Nov 10 2023 05:36 AM - edited Nov 10 2023 05:41 AM
I have the exact same problem with two accounts in our domain as well. The accounts used to be "Domain/Enterprise Admins", but have since been disabled, and all administrative access removed.
I've looked everywhere, and the accounts do not have the "Replicating Directory Changes permission" anywhere.
The PowerShell command shows nothing for the two affected accounts, but shows (correctly) that a full Domain/Enterprise Admin has those rights.
So either the Defender for Identity sensor triggers on something else, or there is some bug in the detection routines.
I've had accounts previously where I've removed administrative access, and the "Remove dormant accounts from sensitive groups" has cleared fine.
Feb 29 2024 06:01 AM (Solution)
@Jings yes mine too! It seems finally MS have fixed this