Security Focus: Orphaned AdminCount -eq 1 AD Users

AdminSDHolder and AdminCount have appeared in a few recent posts. In fact, in addition to this post, I've got another one on this topic lined up. It'll be the last (for now), I promise!

Anyway, to business...

It's long been known that objects that have been marked as AdminCount = 1 can become orphaned.


Consider this: a user is stamped with an AdminCount of 1 as a result of being added to Domain Admins; the user is later removed from Domain Admins; the AdminCount value persists. In this instance the user is considered orphaned. The ramifications? The AdminSDHolder ACL will be stamped upon this user every hour by the SDProp process to protect against tampering, even though the user no longer holds a protected group membership. In turn, this can cause unexpected issues with delegation and application permissions, because inheritance stays disabled on the object.

How do we report on these orphaned objects?

#Find admincount = 1 users not in an admincount = 1 group
$Findings = Get-ADUser -Filter {AdminCount -eq 1} | ForEach-Object {

    if ((!(Test-ADPrincipalProtectedGroupMembership -Principal $_)) -and (!($_.Name -like "krbtgt"))) {

        $_

    }   #End of if

}   #End of ForEach-Object

#If $Findings is populated, export to CSV
if ($Findings) {

    #Get short domain name
    $DomainName = (Get-ADDomain).Name.ToUpper()
    $Findings | Export-Csv -Path ".\$($DomainName)_USER_ADMINCOUNT_EQUALS_ONE_AND_NOT_PROTECTED_GROUP_MEMBER.csv"

}   #End of if ($Findings)

In this instance, we use Get-ADUser with a simple filter to pull back any users with an AdminCount of 1. We could change the AD cmdlet to grab other object types, e.g. use Get-ADGroup. Once we have these objects we pipe them into my Test-ADPrincipalProtectedGroupMembership function, which can be found here. It has to be loaded into memory for this little code sample to work. If a user isn't a member of a protected group, they are considered orphaned and included in the CSV report. The krbtgt account is skipped explicitly because SDProp protects it directly, so it carries AdminCount = 1 without belonging to any protected group.
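The post's Test-ADPrincipalProtectedGroupMembership function is not reproduced here, so the following is an added, self-contained stand-in (example code, not the author's function) that reports the same orphans a different way: it resolves the protected groups by well-known SID, collects their nested membership once with a single LDAP_MATCHING_RULE_IN_CHAIN query per group, and then compares the adminCount = 1 users against that set. It assumes the ActiveDirectory module, a domain-joined session with read access, and a single-domain forest (or that it is run in the forest root, where Schema Admins and Enterprise Admins live). The function names ConvertTo-LdapFilterValue, Get-ProtectedGroupMemberDN and Get-OrphanedAdminCountUser are hypothetical.

```powershell
# Added example; not the post's own Test-ADPrincipalProtectedGroupMembership.
# Assumes: ActiveDirectory module, read access to the domain, single-domain forest
# (or run in the forest root so the RID 518/519/527 groups resolve).
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escapes a DN for use inside an LDAP filter (RFC 4515) so a group whose
    # name contains '\', '*', '(' or ')' does not break the query.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Get-ProtectedGroupMemberDN {
    # Hypothetical helper: returns a hashtable keyed by the DistinguishedName of
    # every user that is a direct or nested member of a group SDProp protects.
    # Groups are located by well-known SID, not display name, so renamed or
    # localised groups are still caught.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $protectedGroupSids = @(
        'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549'       # Administrators, Account Operators, Server Operators
        'S-1-5-32-550', 'S-1-5-32-551', 'S-1-5-32-552'       # Print Operators, Backup Operators, Replicator
        "$domainSid-512", "$domainSid-516", "$domainSid-521" # Domain Admins, Domain Controllers, RODCs
        "$domainSid-518", "$domainSid-519"                   # Schema Admins, Enterprise Admins (forest root only)
        "$domainSid-526", "$domainSid-527"                   # Key Admins, Enterprise Key Admins (2016+ schema)
    )

    $members = @{}
    foreach ($sid in $protectedGroupSids) {
        try { $group = Get-ADGroup -Identity $sid -ErrorAction Stop }
        catch { continue }   # group absent in this domain or schema level: skip it
        $dn = ConvertTo-LdapFilterValue -Value $group.DistinguishedName
        # LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership server-side in one query
        Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)" |
            ForEach-Object { $members[$_.DistinguishedName] = $true }
    }
    return $members
}

function Get-OrphanedAdminCountUser {
    # Hypothetical name. Users stamped adminCount = 1 that are no longer in any
    # protected group. SDProp also protects the built-in Administrator (RID 500)
    # and krbtgt (RID 502) accounts directly, so both are excluded by SID rather
    # than by display name, which a rename would defeat.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $directlyProtected = @("$domainSid-500", "$domainSid-502")
    $protected = Get-ProtectedGroupMemberDN

    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, whenChanged |
        Where-Object {
            -not $protected.ContainsKey($_.DistinguishedName) -and
            $directlyProtected -notcontains $_.SID.Value
        } |
        Select-Object Name, SamAccountName, Enabled, DistinguishedName, whenChanged
}

# Usage: build the report and export it only when something was found
$Findings = @(Get-OrphanedAdminCountUser)
if ($Findings.Count -gt 0) {
    $DomainName = (Get-ADDomain).Name.ToUpper()
    $Findings | Export-Csv -Path ".\$($DomainName)_ORPHANED_ADMINCOUNT_USERS.csv" -NoTypeInformation
}
```

The membership set is built once up front rather than tested per user, which keeps the number of directory queries fixed at one per protected group however many adminCount = 1 users exist. The report only identifies the orphans: because SDProp re-applies the AdminSDHolder ACL every hour, as described above, these objects stay locked down until adminCount is cleared and inheritance is re-enabled on them.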