Discover Admin Accounts
Admin Discovery
There are two effective methods for discovering accounts with elevated rights in Active Directory. The first is the standard group enumeration method, which identifies all members of the built-in Active Directory admin groups:
Domain Admins
Administrators
Enterprise Admins
Getting the recursive group membership of the domain "Administrators" group will provide a list of all AD admins, since Domain Admins and Enterprise Admins are nested in that group by default.
The second method involves identifying all accounts which have the attribute "AdminCount" set to 1. This attribute is stamped by the SDProp process on members of the protected groups (those covered by AdminSDHolder), so it also returns members of groups such as Account Operators, Backup Operators, Print Operators and Server Operators. The caveat is that the query may return accounts which no longer have admin rights, since the value isn't automatically reset once an account is removed from the protected groups.
Admin Discovery via AdminCount Attribute
Get-ADUser -filter {AdminCount -eq 1} -Properties Name,AdminCount,ServicePrincipalName,PasswordLastSet,LastLogonDate,MemberOf
Find Admin Groups
Most organizations have custom admin groups with different naming schemes, though most include the word "admin". Asking AD for all security groups with "admin" in the name is a quick way to get a list. Confirm what rights each group actually carries (nested membership, GPO delegations, local Administrators membership) before treating its members as admins.
Get-ADGroup -filter {GroupCategory -eq 'Security' -AND Name -like "*admin*"}
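The following script is an added example, not code from the original page. It runs all three discovery methods described above in one pass and then cross-checks them: accounts with AdminCount=1 that are not (recursively) in the Administrators group are either members of another protected group or carry a stale AdminCount stamp, which is the caveat noted above. It assumes the ActiveDirectory RSAT module and a domain-joined session; the variable names and the output layout are the author's own choices.

```powershell
# Added example (not from the original page): enumerate AD admins three ways
# and flag accounts whose AdminCount=1 stamp may be stale.
# Assumes the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

# 1. Recursive membership of the built-in Administrators group. Domain Admins
#    and Enterprise Admins are nested in it by default, so this covers all
#    three standard admin groups. -Recursive flattens nested groups; keep only
#    user objects and pull the same attributes as the AdminCount query.
#    Note: -Recursive is limited by the web service's MaxGroupOrMemberEntries
#    (default 5000) and does not resolve foreign security principals.
$adminMembers = @(Get-ADGroupMember -Identity 'Administrators' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties AdminCount, ServicePrincipalName, PasswordLastSet, LastLogonDate, MemberOf)

# 2. Accounts stamped AdminCount=1 by SDProp. Also returns members of other
#    protected groups (Account Operators, Backup Operators, ...) and accounts
#    removed from a protected group whose AdminCount was never cleared.
$adminCountUsers = @(Get-ADUser -Filter 'AdminCount -eq 1' `
    -Properties AdminCount, ServicePrincipalName, PasswordLastSet, LastLogonDate, MemberOf)

# 3. Custom admin groups: security groups with "admin" in the name. The name
#    alone does not prove rights, so the result is a list to investigate.
$adminGroups = @(Get-ADGroup -Filter "GroupCategory -eq 'Security' -and Name -like '*admin*'" |
    Select-Object Name, GroupScope, DistinguishedName)

# Cross-check: AdminCount=1 accounts not currently in Administrators (recursive).
$currentAdminDNs = $adminMembers | Select-Object -ExpandProperty DistinguishedName
$notInAdministrators = @($adminCountUsers |
    Where-Object { $currentAdminDNs -notcontains $_.DistinguishedName })

# Shorten each MemberOf DN to its CN so the table stays readable.
$memberOfColumn = @{
    Name       = 'MemberOf'
    Expression = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ';' }
}

"Recursive Administrators members : $($adminMembers.Count)"
"AdminCount=1 accounts            : $($adminCountUsers.Count)"
"AdminCount=1 but not in Administrators (other protected group or stale): $($notInAdministrators.Count)"
"Security groups with 'admin' in the name: $($adminGroups.Count)"

$notInAdministrators |
    Select-Object SamAccountName, Enabled, PasswordLastSet, LastLogonDate, $memberOfColumn |
    Format-Table -AutoSize

$adminGroups | Format-Table -AutoSize
```

An account in the cross-check list with an empty MemberOf column and an old LastLogonDate is the typical stale case: it was once in a protected group, SDProp stamped it, nobody cleared the attribute. Such accounts still carry the protected-object ACL (inheritance disabled), so they are worth cleaning up as well as excluding from the admin inventory.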