What Groups a User Belongs to in Active Directory

While creating a new user for one of our clients, I was asked to copy an existing user. When I had finished creating that user, I went to see which Active Directory groups he belonged to and was shocked to find how many groups he was in.

In fact, as you can see in the screenshot to the right, you can view what domain groups a user belongs to in the Active Directory GUI just by:

  1. Launch Active Directory Users and Computers
  2. Double click on the user in question
  3. Click the MEMBER OF tab

But take a look at the scroll bar and you’ll see just how many groups this DBA belongs to… waaaay too many.

Common sense rules require the least privilege to be granted to a user, and yet this person has everything, including Enterprise Admin.

There were pages and pages of groups this person belonged to, so I needed a command line option, something I could use in PowerShell, CMD or Windows Terminal, to list all of the groups this user was a member of. It turns out to be a very simple command:

net user /domain [user]

Command to list what groups a user belongs to in Active Directory

You can see in the screenshot above that this user had two full columns of group memberships in Active Directory. That puts him into 60 different groups. Surely that is not necessary for a new database administrator.

At this point we were able to highlight this over-credentialing to the manager. The manager then stripped out about 80% of those groups, which substantially reduced the attack surface and helps to keep this client safe.
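If you want more than the flat list that net user prints, the following PowerShell script is an added example (not code from the original post) that audits one account: it lists the direct memberships that the MEMBER OF tab and net user show, resolves the effective memberships including nested groups, and flags the well-known high-privilege groups so an over-credentialed account like the DBA above stands out in a review. It assumes the ActiveDirectory RSAT module is installed and that the caller can read the domain; the account name jsmith is a placeholder.

```powershell
# Added example, not from the original post: audit one AD user's group membership.
# Assumes the ActiveDirectory module (RSAT) is available; 'jsmith' is a placeholder account.
param([string]$SamAccountName = 'jsmith')

Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

# Direct memberships: the same list the MEMBER OF tab and 'net user /domain' show.
# Note: the primary group (usually Domain Users) is not stored in MemberOf.
$direct = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }) | Sort-Object

# Effective memberships, including groups nested inside other groups, via the
# LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941). These are the
# groups that actually end up in the user's logon token.
$effective = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
    Select-Object -ExpandProperty Name) | Sort-Object

# Built-in groups that grant broad control of the domain; any hit deserves a justification.
$privileged = @('Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators',
                'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators')

$hits = @($effective | Where-Object { $privileged -contains $_ })

"{0}: {1} direct group(s), {2} effective group(s)" -f $user.SamAccountName, $direct.Count, $effective.Count
"Direct memberships:"
$direct | ForEach-Object { "  $_" }
if ($hits.Count -gt 0) {
    "Privileged memberships that need review: " + ($hits -join ', ')
}

# Early warning for the logon token limit of roughly 1000 SIDs per user that the
# comments on this page mention; nested groups count toward it even though the
# MEMBER OF tab does not show them.
if ($effective.Count -gt 900) {
    "Warning: effective membership is approaching the ~1000 SID logon token limit"
}
```

Run it as .\Audit-UserGroups.ps1 -SamAccountName jsmith from a domain-joined machine. The difference between the direct and effective counts is the part the GUI hides: a user who is directly in 60 groups can easily be in far more once nesting is resolved, and it is the effective list that defines the attack surface the manager trimmed in the case above.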



2 Comments

SOLVED: Easy Way To Export a List of What Groups You Are A Member Of Into a Text File – Up & Running Technologies, Tech How To's · September 18, 2023 at 5:19 pm

[…] As you can see in the screenshot above, we are using the whoami command, but you can also use net user as we explain here. […]

SOLVED: During a Logon Attempt the Users Security Context Accumulated Too Many Security ID’s – Up & Running Technologies, Tech How To's · September 18, 2023 at 5:03 pm

[…] Active Directory has a maximum of 1000 Security ID’s (SID’s) per user, which roughly translates to 1000 groups. […]
