Privileged Users in Active Directory


Intro

“‘Privileged’ accounts and groups in Active Directory are those to which powerful rights, privileges, and permissions are granted that allow them to perform nearly any action in Active Directory and on domain-joined systems.” (from Appendix B: Privileged Accounts and Groups in Active Directory).

If you’re managing an Active Directory domain, you’d better keep an eye on those groups. If you’d like to know more, head to adsecurity.org. Sean Metcalf is a never-ending well of knowledge.

Task for today

A long time ago I had a script that looked at Privileged Groups and printed out the current privileged users as well as changes in the last 24 hours. Today I decided to do a rewrite and wrap it into functions. The task is fairly simple:

  • One function to get all privileged users
  • One function to get changes

Those should be capable of running against different domains as well.

The Raw meat

Get-PrivilegedUsers

To get the Privileged Groups I will be using the filter 'AdminCount -eq 1'. Then I’ll just loop through each group and get all members. The output will contain the samaccountname and Name of the user, the group it belongs to and the DomainController that was queried.

Get-PrivilegedGroupChanges

As before, I’ll get all Privileged Groups with the same filter. Then I’ll use the replication attribute metadata from Get-ADReplicationAttributeMetadata and the LastOriginatingChangeTime on members to select only those that changed in the last $Hours.
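Both functions described above, as an added example that is not the author's original script. The -Domain parameter, the Resolve-PrivDC helper and the Added/Removed inference from LastOriginatingDeleteTime are assumptions made for this sketch.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical helper: pin one DC so every query in a run reads the same replica.
function Resolve-PrivDC {
    param([string]$Domain = $env:USERDNSDOMAIN)
    (Get-ADDomainController -Discover -DomainName $Domain).HostName | Select-Object -First 1
}

function Get-PrivilegedUsers {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $dc = Resolve-PrivDC -Domain $Domain
    foreach ($group in Get-ADGroup -Filter 'AdminCount -eq 1' -Server $dc) {
        foreach ($member in Get-ADGroupMember -Identity $group -Server $dc) {
            [pscustomobject]@{
                SamAccountName   = $member.SamAccountName
                Name             = $member.Name
                Group            = $group.Name
                DomainController = $dc
            }
        }
    }
}

function Get-PrivilegedGroupChanges {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [int]$Hours = 24
    )
    $dc = Resolve-PrivDC -Domain $Domain
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($group in Get-ADGroup -Filter 'AdminCount -eq 1' -Server $dc) {
        # -ShowAllLinkedValues returns one metadata row per member link, including removed links.
        Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName -Server $dc -ShowAllLinkedValues -Properties member |
            Where-Object { $_.LastOriginatingChangeTime -gt $since } |
            ForEach-Object {
                [pscustomobject]@{
                    Group            = $group.Name
                    Member           = $_.AttributeValue
                    # Assumption: a populated delete time marks a removed link.
                    Action           = if ($_.LastOriginatingDeleteTime.Year -gt 1601) { 'Removed' } else { 'Added' }
                    Changed          = $_.LastOriginatingChangeTime
                    DomainController = $dc
                }
            }
    }
}
```

Replication metadata is per domain controller, so the DomainController column tells you which replica reported each change when comparing runs.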
