Nov 20 2023 05:33 PM
I know this must be very basic, but I am weak in my powershell skills.
I have a domain that I inherited that may have people with domain admin privileges that were assigned to their account as opposed to being added to an OU.
For example:
I used this command but it only returns those who are in the active directory OU Domain admins:
Get-ADGroupMember -Server "your-domain" -Identity "Domain Admins" -Recursive | Get-ADUser | Select Name, Enabled
I know for a fact that there are at least 10 accounts that I have found that have domain admin privileges who are not in that group.
Is there a better command that I could run?
Nov 20 2023 06:03 PM
Hi, Lise.
That command is fine for such a basic requirement.
At a technical level, it's clunky simply because there's a lot of double- and triple-handling under the hood, but that only matters when you're dealing with a large number of objects, which you won't be for this scenario.
There are at least two other groups you should also audit:
I would also argue it's important to audit the following group, as while it might look less important to the uninitiated, it's analogous to an iceberg:
Lastly, I would prefer to use the userPrincipalName or even sAMAccountName (I avoid this where possible in this cloud era) ahead of "Name", as "Name" is not required to be unique across Active Directory, whereas the former two attributes are.
This would change your script subtly to:
Get-ADGroupMember -Server "your-domain" -Identity "Domain Admins" -Recursive | Get-ADUser | Select userPrincipalName, Enabled
Note: If you choose to use userPrincipalName, be aware that the built-in Administrator user does not have a value for userPrincipalName by default (since it's not mandatory), as per my example below. This isn't important, but I figured I'd mention it anyway.
It'd be highly unusual for your actual users to not have a userPrincipalName though.
Cheers,
Lain
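The following script is an added example and not code from either post above. It generalizes the one-liner in the thread: it walks a list of privileged groups recursively, reports each user once even if they sit in several groups, and applies the userPrincipalName caveat Lain raised by falling back to sAMAccountName when the UPN is empty (as it is for the built-in Administrator). The group list is a hypothetical starting point, not the specific groups Lain had in mind, which are not preserved in the page; `Get-AdminCountOrphans` is an additional cross-check, also not from the thread: it lists accounts whose `adminCount` attribute is 1 (set by the AdminSDHolder/SDProp process on members of protected groups, and not cleared when they are removed) that are not in any of the audited groups, which surfaces either stale flags or membership in a protected group you forgot to audit. Assumes the RSAT ActiveDirectory module and a domain-joined host (`$env:USERDNSDOMAIN` is only a default; pass -Server explicitly as in the original command).

```powershell
# Added example for the thread above; not part of the original posts.
# Assumes the ActiveDirectory RSAT module is installed and the caller can read the domain.
Import-Module ActiveDirectory

# Hypothetical starting list of groups to audit; adjust for your environment.
$PrivilegedGroups = @(
    'Domain Admins',
    'Enterprise Admins',
    'Schema Admins',
    'Administrators'
)

function Get-PrivilegedUserReport {
    param(
        [string]$Server = $env:USERDNSDOMAIN,
        [string[]]$Groups = $PrivilegedGroups
    )

    # Keyed by distinguishedName so a user nested in several groups is reported once.
    $seen = @{}

    foreach ($group in $Groups) {
        # -Recursive expands nested groups. Keep only user objects: piping a computer
        # or group member into Get-ADUser would throw.
        $members = Get-ADGroupMember -Server $Server -Identity $group -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' }

        foreach ($m in $members) {
            if ($seen.ContainsKey($m.distinguishedName)) {
                $seen[$m.distinguishedName].Groups += $group
                continue
            }

            $u = Get-ADUser -Server $Server -Identity $m.distinguishedName `
                -Properties userPrincipalName, adminCount, lastLogonDate

            # userPrincipalName is not mandatory; the built-in Administrator has none
            # by default, so fall back to sAMAccountName rather than printing a blank.
            $identity = if ($u.userPrincipalName) { $u.userPrincipalName }
                        else { "$($u.sAMAccountName) (no UPN)" }

            $seen[$m.distinguishedName] = [pscustomobject]@{
                Identity          = $identity
                Enabled           = $u.Enabled
                AdminCount        = $u.adminCount
                LastLogon         = $u.lastLogonDate
                Groups            = @($group)
                DistinguishedName = $u.DistinguishedName
            }
        }
    }

    $seen.Values | Sort-Object Identity
}

function Get-AdminCountOrphans {
    # Accounts flagged adminCount=1 that are not current members of any audited group.
    # adminCount is set by SDProp on members of protected groups and is not cleared on
    # removal, so each hit is either a stale flag to clean up or a protected group that
    # is missing from $Groups and needs auditing too.
    param(
        [string]$Server = $env:USERDNSDOMAIN,
        [string[]]$Groups = $PrivilegedGroups
    )

    $memberDns = @{}
    Get-PrivilegedUserReport -Server $Server -Groups $Groups |
        ForEach-Object { $memberDns[$_.DistinguishedName] = $true }

    Get-ADUser -Server $Server -LDAPFilter '(adminCount=1)' -Properties userPrincipalName, adminCount |
        Where-Object { -not $memberDns.ContainsKey($_.DistinguishedName) } |
        Select-Object `
            @{ n = 'Identity'; e = { if ($_.userPrincipalName) { $_.userPrincipalName } else { "$($_.sAMAccountName) (no UPN)" } } },
            Enabled,
            DistinguishedName
}

# Usage (replace 'your-domain' as in the original command):
# Get-PrivilegedUserReport -Server 'your-domain' | Format-Table Identity, Enabled, AdminCount, Groups -AutoSize
# Get-AdminCountOrphans -Server 'your-domain' | Format-Table -AutoSize
```

Two things to keep in mind when reading the output: `Get-ADGroupMember -Recursive` does not expand foreign security principals from trusted domains, so cross-forest members will not appear here, and `Enabled = $false` is not the same as harmless, since a disabled account stays in the group and is one re-enable away from full privileges.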