ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: How to find out who can change the membership of the Domain Admins group in Active Directory?


Member

Posts: 15
Date: Jun 22, 2011
How to find out who can change the membership of the Domain Admins group in Active Directory?
Permalink  
 


Hello Forum,

I would also like to know how we can find out who can change the membership of the Domain Admins groups in our Active Directory?

Is it simply a matter of finding out who all has the write-property permissions to the member property on the Domain Admins security group object, or is there anything else I should be looking at too?

We are in the midst of cleaning up our Active Directory, and seem to have too many Domain Admins, so we are trying to reduce that number as well as try and get some control of who can add their own account to this super powerful group.

We have generally been trying to analyze permissions in our Active Directory, but its such a mess, and we have quite a few Deny permissions as well, so I'm not actually sure which ones count and which ones don't and so I thought of asking.

Thanks for your help.

- Joe.



__________________
Don't mess with my Alienware!


Member

Posts: 16
Date: Jun 22, 2012
RE: How to find out who can change the membership of the Domain Admins group in Active Directory?
Permalink  
 


Joe,  

Have you considered writing scripts or using Powershell? Agreed, these may not be the most efficient or reliable way to go, but they're certainly A way.

Just my 2c.

Aaron.



__________________
Page 1 of 1  sorted by
Quick Reply

Please log in to post quick replies.

Post to Digg Post to Del.icio.us
Members Login
Username 
 
Password 
    Remember Me