verify who can amend an AD group's membership

crib bar 841 Reputation points
2024-04-12T09:00:54.14+00:00

For a data protection audit, we need an accurate report on which AD accounts have the relevant permissions to amend (e.g. add or remove) members into some specific AD security groups. We don't want to assume it is just the usual default groups such as domain admins, when delegations may have been applied for more junior admins such as helpdesk. What is the most reliable way of gathering such information, and which specific permissions would we need to check for that allow amendment to a group membership, assuming the AD permissions are more generic and similar to NTFS, such as 'modify' etc. This is for traditional on-prem classic AD, not Entra.


Accepted answer
Wesley Li 9,175 Reputation points
2024-04-12T10:00:20.07+00:00

    Hello

    To verify who can amend an Active Directory (AD) group’s membership, you can use a combination of built-in Windows tools and specific permissions checks. Here are the steps you can follow:

    Delegate Control Wizard: You can use the Delegate Control Wizard in Active Directory Users and Computers (ADUC) to delegate permissions to junior admins or other groups. This tool allows you to specify which permissions (such as Create, Delete, Manage User Accounts, and Modify the Memberships of Groups) a group or user has.

    ManagedBy Attribute: You can specify the managedBy attribute and check the box for “Manager can update membership list”. This grants write permission for the Member attribute. The people who need to edit the group may be able to do it with the DSQuery widget.

    Check Permissions: To check the specific permissions that allow amendment to a group membership, you can edit the advanced security on that group, add your service account and then when selecting the permissions you want to add on the properties tab (not the default objects tab) you need: Apply to: This object only Allow: Read Members, Write Members.

    Active Directory Auditing: You can also enable Active Directory auditing to track changes made to AD objects, including group membership changes. This can provide a historical record of who has amended a group’s membership.

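The "Check Permissions" step above is a manual look at one group's advanced security tab. For an audit you usually want the same check run across many groups and written to a report. The PowerShell below is an added example, not part of the answer: it reads each group's DACL through the RSAT ActiveDirectory module's AD: drive and reports every Allow ACE that can change the `member` attribute (Full Control, Generic Write, explicit Write Members, the validated "add/remove self" write, and Write DACL/Owner, which can be turned into Write Members), plus the object owner. The group names at the bottom are placeholders; the GUID is the schema GUID of the `member` attribute.

```powershell
# Added example, not from the original answer. Assumes the RSAT ActiveDirectory module
# and a domain-joined session with read access to the groups' security descriptors.
Import-Module ActiveDirectory

$Rights     = [System.DirectoryServices.ActiveDirectoryRights]
$MemberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of 'member'
$AllProps   = [guid]::Empty                                  # ObjectType empty = every property

function Get-GroupMembershipWriters {
    param([Parameter(Mandatory)][string[]]$GroupName)

    foreach ($name in $GroupName) {
        $group = Get-ADGroup -Identity $name
        $acl   = Get-Acl -Path "AD:\$($group.DistinguishedName)"

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $r = $ace.ActiveDirectoryRights
            $reason = $null

            if     ($r.HasFlag($Rights::GenericAll))   { $reason = 'GenericAll (Full Control)' }
            elseif ($r.HasFlag($Rights::GenericWrite)) { $reason = 'GenericWrite' }
            # Explicit "Write Members": what the Delegate Control wizard and the
            # managedBy "Manager can update membership list" checkbox create.
            elseif ($r.HasFlag($Rights::WriteProperty) -and
                    ($ace.ObjectType -eq $MemberGuid -or $ace.ObjectType -eq $AllProps)) {
                $reason = 'WriteProperty (member)'
            }
            # Validated write: the principal may only add or remove itself.
            elseif ($r.HasFlag($Rights::Self) -and $ace.ObjectType -eq $MemberGuid) {
                $reason = 'Self-Membership (self only)'
            }
            # Controlling the DACL or owner lets the principal grant itself Write Members.
            elseif ($r.HasFlag($Rights::WriteDacl) -or $r.HasFlag($Rights::WriteOwner)) {
                $reason = 'WriteDacl/WriteOwner'
            }

            if ($reason) {
                [pscustomobject]@{ Group = $group.Name; Principal = $ace.IdentityReference.Value
                                   Reason = $reason;    Inherited = $ace.IsInherited }
            }
        }
        # The owner implicitly holds WriteDacl, so list it too.
        [pscustomobject]@{ Group = $group.Name; Principal = $acl.Owner; Reason = 'Owner'; Inherited = $false }
    }
}

# Placeholder group names; replace with the groups in scope for the audit.
Get-GroupMembershipWriters -GroupName 'Domain Admins', 'Helpdesk Operators' |
    Sort-Object Group, Principal | Format-Table -AutoSize
```

Inherited ACEs are included, so delegations made on a parent OU show up against each group they apply to. Where the Principal column is itself a group, expand it (for example with `Get-ADGroupMember -Recursive`) to reach the individual accounts the audit asks for.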
