# Discover Admin Accounts

## Admin Discovery

There are two effective methods for discovered accounts with elevated rights in Active Directory.  The first is the standard group enumeration method which identifies all members of the standard Active Directory admin groups:&#x20;

* Domain Admins
* Administrators
* Enterprise Admins

Getting a recursive group membership for the domain "Administrators" group will provide a list of all AD admins.

The second method involves identifying all accounts which have the attribute "AdminCount" set to 1.  The caveat to this is that there may be accounts returned in this query which no longer have admin rights since this value isn't automatically reset once the account is removed from the admin groups. &#x20;

### Admin Discovery via AdminCount Attribute

{% code overflow="wrap" %}

```powershell
Get-ADUser -filter {AdminCount -eq 1} -Properties Name,AdminCount,ServicePrincipalName,PasswordLastSet,LastLogonDate,MemberOf
```

{% endcode %}

### Find Admin Groups

Most organizations have custom admin groups which have different naming schemes, though most include the word "admin".  Asking AD for all security groups with "admin" in the name is a quick way to get a list

```powershell
Get-ADGroup -filter {GroupCategory -eq 'Security' -AND Name -like "*admin*"}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://harutomo-jp.gitbook.io/notes/microsoft-windows/active-directory-ad/recon/powershell-.net-recon/discover-admin-accounts.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.