Identify Groups with Local Admin Rights

Group Policy can enforce local group membership, such as membership of the local Administrators group, on every computer in an OU through Restricted Groups. This can be traced back by identifying the GPOs that use Restricted Groups and the OUs those GPOs are linked to, which yields the AD groups that hold local admin rights together with the computers they hold them on.

Using PowerView, you can identify the GPOs that include Restricted Groups:

Get-NetGPOGroup

Once you have that information, you can check which OUs each GPO is linked to using the PowerView cmdlet 'Get-NetOU', passing the GPO's GUID:

Get-NetOU -guid "E9CABE0F-3A3F-40B1-B4C1-1FA89AC1F212"
LDAP://OU=Servers,DC=lab,DC=adsecurity,DC=org

Get-NetOU -guid "45556105-EFE6-43D8-A92C-AACB1D3D4DE5"
LDAP://OU=Workstations,DC=lab,DC=adsecurity,DC=org

Next, we identify the computers in these OUs with the ActiveDirectory module:

Get-ADComputer -filter * -SearchBase "OU=Servers,DC=lab,DC=adsecurity,DC=org"
Get-ADComputer -filter * -SearchBase "OU=Workstations,DC=lab,DC=adsecurity,DC=org"
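The same mapping can be done offline from the raw data behind the cmdlets above: Restricted Groups live in the [Group Membership] section of each GPO's GptTmpl.inf in SYSVOL, and an OU's gPLink attribute records which GPO GUIDs are linked to it. The following added example (not code from the page or from PowerView) parses both formats to report which principals a linked GPO pushes into local Administrators for an OU. The GptTmpl.inf text, the gPLink value and the SID-to-name table are constructed for illustration, reusing the GPO GUID shown above.

```python
import re
from configparser import ConfigParser

# Well-known local group SIDs as they appear in GptTmpl.inf (assumed mapping, not from the page).
WELL_KNOWN = {"S-1-5-32-544": "Administrators", "S-1-5-32-555": "Remote Desktop Users"}
# One gPLink entry: [LDAP://cn={GUID},...;options]  options bit 1 = link disabled, bit 2 = enforced
GPLINK_RE = re.compile(r"\[LDAP://cn=\{([0-9A-Fa-f-]+)\},[^;\]]*;(\d+)\]")

# Constructed GptTmpl.inf (the SYSVOL file Get-NetGPOGroup parses); real files are UTF-16.
SAMPLE_GPTTMPL = """
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105,LAB\\ServerAdmins
"""
# Constructed gPLink of the Servers OU, reusing the GPO GUID from this page (;0 = linked, not enforced).
SAMPLE_GPLINK = ("[LDAP://cn={E9CABE0F-3A3F-40B1-B4C1-1FA89AC1F212},"
                 "cn=policies,cn=system,DC=lab,DC=adsecurity,DC=org;0]")

def parse_restricted_groups(inf_text):
    """Map each local group the GPO enforces to the members it sets, from [Group Membership]."""
    cp = ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str                      # keep case and the leading '*' on SIDs
    cp.read_string(inf_text)
    groups = {}
    if cp.has_section("Group Membership"):
        for key, value in cp.items("Group Membership"):
            group, _, relation = key.partition("__")
            if relation.lower() != "members":  # '__Memberof' lines nest the group elsewhere
                continue
            sid_or_name = group.lstrip("*")
            members = [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
            groups[WELL_KNOWN.get(sid_or_name, sid_or_name)] = members
    return groups

def parse_gplink(gplink):
    """Return [(gpo_guid, enforced, disabled)] from an OU's gPLink attribute value."""
    return [(g.upper(), bool(int(o) & 2), bool(int(o) & 1)) for g, o in GPLINK_RE.findall(gplink)]

def admins_pushed_to_ou(gplink, gpo_templates):
    """Principals that the active GPOs linked to an OU add to its computers' local Administrators."""
    members = []
    for guid, _enforced, disabled in parse_gplink(gplink):
        if disabled or guid not in gpo_templates:
            continue
        members += parse_restricted_groups(gpo_templates[guid]).get("Administrators", [])
    return members

if __name__ == "__main__":
    print(admins_pushed_to_ou(SAMPLE_GPLINK, {"E9CABE0F-3A3F-40B1-B4C1-1FA89AC1F212": SAMPLE_GPTTMPL}))
```

On a real domain the templates dict would be filled from \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf and the gPLink values from each OU object; a disabled link (options bit 1) is skipped because it grants nothing.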
