Making sure Active Directory administrative security groups are secured

When it comes to Active Directory security, you do not want to compromise. In fact, many organizations are buying security products to check for loopholes in Active Directory. Though companies are buying these security products, it is certainly not true that all the products are designed to check all security components of Active Directory. Some products might include 100 checks to be performed as part of the security health check of an Active Directory environment. Some products might miss a simple health check item that is necessary to be performed. For example, a product might have forgotten to check to make sure administrative security groups of Active Directory are secured. This is where this article comes handy. As part of this article, we provide a PowerShell script that can be used to check members in the administrative security groups and report the status in a CSV file.

What are administrative security groups?

In Active Directory, the security groups that have highest privileges are called administrative security groups. To name a few they are domain admins, enterprise admins, backup operators, and server operators, and administrative security groups. The administrative security groups define the administrative boundary. For example, domain admins can manage all the objects of an Active Directory domain whereas member of enterprise admins can manage complete Active Directory infrastructure including updating the Active Directory forest schema.

What checks to be done as part of administrative security groups?

When it comes to perform health check of administrative security groups, you may want to check following items:

  • Administrative security groups should not contain more than 20 members in each. For example, keeping 20 members in enterprise admins security group makes no sense as members of enterprise admins security groups is the highest privileged security group in an Active Directory forest. Anyone who is member of enterprise admins security group has the power to control all aspects of an Active Directory forest environment. Similarly, Domain Admins security group should not contain too many members.
  • Secondly, Administrative Security Groups should only contain authorized users or users from a specified organizational unit.

While it is easy to check the number of members in each administrative security groups, checking to make sure members contain only from a specified organizational unit requires a little work to be done.

How to check?

One of the ways to check is to log on to a domain controller in the Active Directory domain, open Active Directory Users and Computers snap-in and then check each administrative security group to ensure it follows the standards highlighted in above section. If you have many administrative security groups to be checked it may take considerable amount of time. It might take more time when you need to ensure that all administrative security groups contain the members from an authorized list.

Using PowerShell

To check a single administrative security group, you can run the PowerShell command below. The command provides a list of members added to the security group and number of members added to the security group:

SecGroup ="Domain Admins"
$GroupMem = Get-ADGroupMember -Identity "$ItemName"
$GroupMem
$TotNowCount = $GroupMem.Count
$TotNowCount

As you can see in the above PowerShell command, it provides members list as well as count for the Domain Admins security group. If you would like to check the for multiple security group, you can use the tiny PowerShell script below. You must specify the security groups to be checked in C:\Temp\Groups.DPC file. Please note the script can only retrieve group members and count from Active Directory domain to which the current computer is joined to.

$ReportFile = "C:\Temp\GroupReport.CSV"
Remove-Item $ReportFile -ErrorAction SilentlyContinue
$STR = "GroupName, TotMembers, Member"
Add-Content $ReportFile $STR
$GrpMem="C:\Temp\Groups.DPC"
Foreach ($ItemName in Get-Content "$GrpMem")
{
$TotMems = Get-ADGroupMember -Identity "$ItemName"
$TotNowCount = $TotMems.Count
$FinalVal=$ItemName+","+$TotNowCount+","+$TotMems
Add-Content "$ReportFile" $FinalVal
}

Once the PowerShell script has finished executing, you can see a report under “C:\Temp\GroupReport.CSV,” which contains the name of the administrative security group, total members in the group, and name of each member as it is shown in the screenshot below:

administrative security groups

As you can see, the output script reported two security groups: domain admins and server operators. Both security groups contain more than 20 members — each containing 34 and 20 members respectively. The output also includes the name of the member included in each security group. However, the script does not perform the check to make sure members belong to an authorized list.

How to ensure security groups contain only authorized members

To ensure administrative security groups contain only authorized members, you need to have another PowerShell script. As part of the PowerShell script you will create a CSV file that contains the list of authorized members against each security group and then check against the list retrieved by using the script above. The automatic checking of group members can easily be done by using Administrative Security Groups Checker tool designed by Ossisto365.com. The tool supports checking administrative security groups in all domains in an Active Directory forest, supports checking health status of each security group, and also supports executing the check based on a schedule you specify as you can see in the screenshot below. The PowerShell commands we used were fetched from the Administrative Security Groups Checker tool.

Keep your administrative security groups secure

As part of this article, we explained why it is necessary to perform security checks on administrative security groups. Anybody who is part of administrative security groups can add other members easily, but you as an authorized person should perform health check of administrative security groups to ensure only authorized users are part of these groups. We provided a PowerShell script that can be used to collect members in each security group. However, to ensure groups contain only authorized members you can use Administrative Group Checker Tool.

Featured image: Shutterstock

1 thought on “Making sure Active Directory administrative security groups are secured”

  1. Nirmal, you say “member of enterprise admins can manage complete Active Directory infrastructure including updating the Active Directory forest schema” but it is very wrong. Members of the enterprise admins group cannot update AD schema. Only members of the Schema Admins group can do it.

Leave a Comment

Your email address will not be published.

Scroll to Top