Basic question regarding using PowerShell to determine who has Domain Admin privileges


I know this must be very basic, but I am weak in my PowerShell skills.
I have a domain that I inherited that may have people with domain admin privileges that were assigned to their account as opposed to being added to an OU.
For example:
I used this command but it only returns those who are in the active directory OU Domain admins:
Get-ADGroupMember -Server "your-domain" -Identity "Domain Admins" -Recursive | Get-ADUser | Select Name, Enabled

I know for a fact that there are at least 10 accounts that I have found that have domain admin privileges who are not in that group. 

Is there a better command that I could run?

1 Reply

@Lise Quinn 


Hi, Lise.


That command is fine for such a basic requirement.


At a technical level, it's clunky simply because there's a lot of double- and triple-handling under the hood, but that only matters when you're dealing with a large number of objects, which you won't be for this scenario.


There are at least two other groups you should also audit:


  • Administrators;
  • Enterprise Admins.


I would also argue it's important to audit the following group, as while it might look less important to the uninitiated, it's analogous to an iceberg:


  • Schema Admins.


Lastly, I would prefer to use the userPrincipalName or even sAMAccountName (I avoid this where possible in this cloud era) ahead of "Name", as "Name" is not required to be unique across Active Directory, whereas the former two attributes are.


This would change your script subtly to:


Get-ADGroupMember -Server "your-domain" -Identity "Domain Admins" -Recursive | Get-ADUser | Select userPrincipalName, Enabled


Note: If you choose to use userPrincipalName, be aware that the built-in Administrator user does not have a value for userPrincipalName by default (since it's not mandatory), as per my example below. This isn't important, but I figured I'd mention it anyway.


It'd be highly unusual for your actual users to not have a userPrincipalName though.
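Pulling the reply's suggestions together, here is an added example script (not from the original question or reply) that audits all four groups named in the thread in one pass, reports each account once with its userPrincipalName and sAMAccountName, and falls back to sAMAccountName where the built-in Administrator has no UPN. It assumes the ActiveDirectory module (RSAT) is installed, that the session runs in a single-domain forest, and that "your-domain" is replaced with your own domain or DC name, as in the original command. The final adminCount check is an extra added here rather than something the reply proposed: SDProp sets adminCount=1 on members of protected groups and does not clear it when they are removed, so accounts carrying that flag while absent from every audited group are exactly the "privileged but not in the group" cases the question describes and are worth reviewing.

```powershell
# Added example, not code from the original post or reply.
# Assumes: ActiveDirectory module available, single-domain forest,
# and "your-domain" replaced with your domain or DC name.
Import-Module ActiveDirectory

$Server = "your-domain"
$Groups = @("Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins")

# Expand each group recursively and keep only user objects
$Results = foreach ($Group in $Groups) {
    Get-ADGroupMember -Server $Server -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Server $Server -Properties userPrincipalName, adminCount |
        ForEach-Object {
            [PSCustomObject]@{
                Group             = $Group
                sAMAccountName    = $_.SamAccountName
                # The built-in Administrator has no UPN by default; fall back to sAMAccountName
                userPrincipalName = if ($_.UserPrincipalName) { $_.UserPrincipalName } else { "<no UPN: $($_.SamAccountName)>" }
                Enabled           = $_.Enabled
                AdminCount        = $_.adminCount
            }
        }
}

# One row per account, listing every audited group it belongs to
$Results |
    Group-Object -Property sAMAccountName |
    ForEach-Object {
        [PSCustomObject]@{
            sAMAccountName    = $_.Name
            userPrincipalName = $_.Group[0].userPrincipalName
            Enabled           = $_.Group[0].Enabled
            Groups            = ($_.Group.Group | Sort-Object -Unique) -join ', '
        }
    } |
    Sort-Object sAMAccountName |
    Format-Table -AutoSize

# Extra check added here (not in the thread): accounts still flagged adminCount=1
# that are not in any of the audited groups. SDProp never clears adminCount on
# removal, so these are leftover or indirectly privileged accounts to review.
$Audited = $Results.sAMAccountName | Sort-Object -Unique
Get-ADUser -Server $Server -LDAPFilter "(adminCount=1)" -Properties userPrincipalName |
    Where-Object { $Audited -notcontains $_.SamAccountName } |
    Select-Object SamAccountName, UserPrincipalName, Enabled |
    Format-Table -AutoSize
```

Enterprise Admins and Schema Admins exist only in the forest root domain, so if $Server points at a child domain those two lookups will fail; run the script against the root domain, or drop them from $Groups, in that case.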