Security Focus: Get Mail Enabled Admin Users

Browsing the internet with an admin account is a very, very bad thing to do. Using an admin account to send / receive email is also a very, very bad thing. Why? Well, you expose the credentials to a high risk of being stolen and used to compromise your enterprise.

Want to do some checks against Active Directory to see if you have any privileged accounts, i.e. those that are a member of one of the protected groups, that might be mail enabled? Good. Read on...

Here's a means of generating a list for further investigation.

 
Get-ADUser -Filter {(adminCount -eq 1) -and (mail -like "*")} -Properties adminCount,mail

 

Have Exchange? Try this.

 
Get-ADUser -Filter {(adminCount -eq 1) -and (msExchWhenMailboxCreated -like "*")} -Properties adminCount,msExchWhenMailboxCreated

 

Instant Messaging also poses a significant risk. Here's how to check for SIP-enabled admin users.

 
Get-ADUser -Filter {(adminCount -eq 1) -and (msRTCSIP-PrimaryUserAddress -like "*")} -Properties adminCount,msRTCSIP-PrimaryUserAddress
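
The three checks above can be combined into a single report. This is an added example, not code from the original post; it assumes the ActiveDirectory module is installed, and the variable names and output column names are illustrative. It first checks which of the attributes exist in the schema, because asking Get-ADUser for an Exchange or Lync/Skype attribute in a forest that has never had that schema extension raises an error.

```powershell
# Added example (not from the original post): one report for all three checks.
Import-Module ActiveDirectory

# Attributes tested on this page; each one marks a messaging capability.
$attrs = 'mail', 'msExchWhenMailboxCreated', 'msRTCSIP-PrimaryUserAddress'

# Keep only the attributes defined in this forest's schema.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$present = @($attrs | Where-Object {
    Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$_)"
})

# LDAP presence filter: adminCount=1 AND at least one attribute has a value.
$anySet = ($present | ForEach-Object { "($_=*)" }) -join ''
$ldapFilter = "(&(adminCount=1)(|$anySet))"

$report = Get-ADUser -LDAPFilter $ldapFilter -Properties ($present + 'adminCount') |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            Enabled           = $_.Enabled
            Mail              = $_.mail
            MailboxCreated    = $_.msExchWhenMailboxCreated
            SipAddress        = $_.'msRTCSIP-PrimaryUserAddress'
            DistinguishedName = $_.DistinguishedName
        }
    } |
    Sort-Object -Property Enabled, SamAccountName

# Review on screen; pipe $report to Export-Csv to keep a record.
$report | Format-Table -AutoSize
```

adminCount stays at 1 after an account is removed from a protected group, so confirm current group membership for each account in the report before acting on it.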

Found an issue? Look into securing privileged access...