ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


ActiveDirSec.Org -> Active Directory Admin Accounts & Groups Security -> How to find out who can change the membership of the Domain Admins group in Active Directory?
Post Info TOPIC: How to find out who can change the membership of the Domain Admins group in Active Directory?
Joe


Member

Status: Offline
Posts: 5
Date: Jun 22, 2011
How to find out who can change the membership of the Domain Admins group in Active Directory?
 
 

Hello Forum,

I would also like to know how we can find out who can change the membership of the Domain Admins groups in our Active Directory?

Is it simply a matter of finding out who all has the write-property permissions to the member property on the Domain Admins security group object, or is there anything else I should be looking at too?

We are in the midst of cleaning up our Active Directory, and seem to have too many Domain Admins, so we are trying to reduce that number as well as try and get some control of who can add their own account to this super powerful group.

We have generally been trying to analyze permissions in our Active Directory, but its such a mess, and we have quite a few Deny permissions as well, so I'm not actually sure which ones count and which ones don't and so I thought of asking.

Thanks for your help.

- Joe.



__________________
Don't mess with my Alienware!
Page 1 of 1  sorted by
Quick Reply

Please log in to post quick replies.
ActiveDirSec.Org -> Active Directory Admin Accounts & Groups Security -> How to find out who can change the membership of the Domain Admins group in Active Directory?
Post to Facebook Post to Digg Post to Del.icio.us
Members Login
Username 
 
Password 
    Remember Me