As you may know, Active Directory security has lately been getting a lot of attention from traditional network security / hacking / cyber security folks (on both the good and the not-so-good side), many of whom may actually be new to the subject of Active Directory security, and most of whom seem to be primarily interested in identifying privileged users in Active Directory.
As you may also know, there are primarily two categories of admins that possess privileged access in Active Directory – those that are members of the default Active Directory administrative groups (e.g. Domain Admins) and thus have complete and unrestricted access, and those for whom varying levels of privileged access may have been delegated/provisioned in Active Directory.
Now, while identifying privileged users who are members of the default administrative groups is straightforward, identifying exactly who has been delegated which administrative privileges in Active Directory is not, and so at many organizations IT personnel often end up not taking delegated admins into account when identifying privileged users in Active Directory.
As a result, many Active Directory deployments contain accounts that are not members of the default administrative groups yet possess varying levels of privileged access, and in many cases these accounts have sufficient privileges to directly or indirectly control various unrestricted privileged accounts in Active Directory.
For instance, consider the domain user account of an individual named John Doe, who may not be a member of any default admin group in Active Directory, but for whom there may exist a security permission in the access control list (ACL) of the AdminSDHolder object that effectively grants him the Reset Password extended right and/or the Write-Property Member permission. Even though John Doe isn’t a member of any default AD administrative group, he is for all practical purposes a Domain Admin, since he has sufficient effective access to reset the password of every Domain Admin equivalent account, as well as sufficient effective access to change the membership of every default administrative group in Active Directory!
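The John Doe scenario above is something a defender can check for directly, because the permission lives on a single, well-known object. The following PowerShell script is an added example for this post (it is not the author’s code and not part of the linked article): it reads the AdminSDHolder ACL and lists every principal holding the Reset Password extended right, write access to the member attribute, or full control, then flags any principal that is not in a baseline of expected defaults. The baseline list is an assumption made for the example; the two schema GUIDs are the standard ones for User-Force-Change-Password and the member attribute. It requires the ActiveDirectory module (RSAT) on a domain-joined host.

```powershell
# Added example (not from the original post): audit the AdminSDHolder ACL for
# principals that hold the "Reset Password" extended right or write access to
# the "member" attribute, i.e. the delegation described in the John Doe scenario.
# Requires the ActiveDirectory module (RSAT) and a domain-joined host.
Import-Module ActiveDirectory

# Well-known GUIDs from the AD schema / extended-rights container.
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password
$MemberAttrGuid    = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # "member" attribute
$AllObjectsGuid    = [Guid]'00000000-0000-0000-0000-000000000000'   # ACE applies to all rights/properties

$rights = [System.DirectoryServices.ActiveDirectoryRights]
$domain = Get-ADDomain

# Principals normally present on a default AdminSDHolder ACL. This list is an
# assumption for the example; derive a real baseline from a known-good domain.
$baseline = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins"
)

function Get-AdminSdHolderFindings {
    $adminSdHolderDn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    $acl = Get-Acl -Path "AD:\$adminSdHolderDn"

    foreach ($ace in $acl.Access) {
        # Only Allow entries grant access; Deny entries are left for effective-access analysis.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $appliesToAll = ($ace.ObjectType -eq $AllObjectsGuid)

        # GenericAll implies every right checked below, so report it explicitly.
        $fullControl = $ace.ActiveDirectoryRights.HasFlag($rights::GenericAll)

        $canResetPassword = $fullControl -or (
            $ace.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
            ($appliesToAll -or $ace.ObjectType -eq $ResetPasswordGuid))

        $canWriteMember = $fullControl -or (
            $ace.ActiveDirectoryRights.HasFlag($rights::WriteProperty) -and
            ($appliesToAll -or $ace.ObjectType -eq $MemberAttrGuid))

        if (-not ($canResetPassword -or $canWriteMember)) { continue }

        [PSCustomObject]@{
            Principal        = $ace.IdentityReference.Value
            InBaseline       = ($baseline -contains $ace.IdentityReference.Value)
            FullControl      = $fullControl
            CanResetPassword = $canResetPassword
            CanWriteMember   = $canWriteMember
            Inherited        = $ace.IsInherited
        }
    }
}

# Anything outside the baseline is a delegated-admin candidate that deserves review.
Get-AdminSdHolderFindings |
    Where-Object { -not $_.InBaseline } |
    Sort-Object Principal |
    Format-Table -AutoSize
```

Two caveats on reading the output. First, the script inspects explicit ACEs on AdminSDHolder, not effective access: a principal may reach the same rights through nested group membership, and a matching Deny entry could cancel an Allow, so a hit is a lead to verify rather than a verdict. Second, AdminSDHolder is only the template; SDProp copies its ACL onto protected objects roughly hourly, so a permission granted directly on an individual admin account or group would not show up here and needs the per-object analysis the linked article covers.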
It is such accounts that those who may be new to the subject have been referring to as Stealthy Admins in Active Directory, even though those who know Active Directory well know that these are merely delegated admin accounts and/or admin accounts for which access has been provisioned, and thus, strictly speaking, there’s nothing stealthy about them. Nonetheless, to those new to the subject they may appear stealthy, because they are not members of the default administrative groups, which in a way makes such accounts harder to identify.
To help these folks, and anyone else who might be interested in discovering stealthy admins in Active Directory, I recently penned this – How to Discover Stealthy Admins in Active Directory.