I've been managing the infrastructure at my new company for about five months now, and we just had our first penetration test. It uncovered some serious Active Directory (AD) permissions issues that could potentially be exploited to gain domain administrator access. These problems apparently existed for years, and since the holiday is approaching, I haven't rushed into making any changes yet, but I'm gearing up for Monday to tackle it.
I found that many permissions are set on the Everyone group at the root of the domain and there are quite a few strange permission grants in place. Given we don't have any specific needs beyond standard default permissions right now, my question is: What's the safest way to reset or clean up these permissions?
I've thought about spinning up a fresh domain for reference on default settings, but I'm worried about the risk of breaking something or locking us out. I realize I should have checked this earlier, but the things I found are just baffling! To kick things off, I plan to set fresh Directory Services Restore Mode (DSRM) passwords for the domain controllers and create backups. However, we currently don't have specific AD backups in place. Any advice would be greatly appreciated!
4 Answers
Definitely back up Active Directory before doing anything else! Make a solid plan before making any changes. You might want to clean up those default admin groups (like Enterprise Admin and Schema Admin) as well. Remember to allow time for replication between any changes.
I think waiting until after the holidays is a smart move. The penetration test report should provide some guidance on fixing these issues, so don't rush into any changes just yet.
It could be a bit radical, but have you considered the option of starting fresh with a new domain? It might save you a lot of hassle, but I know it’s a massive undertaking with all the users involved.
If you can run tools like Pingcastle, that can really help you visualize the issues and how to fix them. The pentester might have run something similar, but once you get the final report, it will provide deeper insights.
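Before touching any ACEs, a read-only audit of the domain root plus a snapshot of its current DACL is the safest first step. The script below is an added example, not something posted in this thread; it assumes the RSAT ActiveDirectory module, a session with read access to the domain root's security descriptor, and a backup path of `C:\ADBackup` (an assumption). It reports only grants to Everyone (the group named in the question) and, going slightly beyond the question, Authenticated Users and Domain Users, because those are equally broad.

```powershell
# Added example (not from the thread): read-only audit of the domain-root ACL.
# Assumes the RSAT ActiveDirectory module and read access to the root DACL.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDn = $domain.DistinguishedName
$acl      = Get-Acl -Path "AD:\$domainDn"

# 1. Snapshot the current DACL as SDDL before changing anything. The string can
#    later be fed to $acl.SetSecurityDescriptorSddlForm() and Set-Acl to roll back.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = "C:\ADBackup\domain-root-$stamp.sddl"   # directory is an assumption
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
$acl.Sddl | Set-Content -Path $backup -Encoding ASCII

# 2. Broad principals whose grants at the root of the domain deserve review.
$broadSids = @(
    'S-1-1-0',                    # Everyone (the group named in the question)
    'S-1-5-11',                   # Authenticated Users
    "$($domain.DomainSID)-513"    # Domain Users
)
# Rights that allow modifying objects or their security, not merely reading.
$writeRights = 'GenericAll','GenericWrite','WriteDacl','WriteOwner',
               'WriteProperty','ExtendedRight','CreateChild','DeleteChild'

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { continue }   # unresolvable (orphaned) SIDs are a separate cleanup item
    if ($sid -notin $broadSids) { continue }
    $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
    if (-not ($rights | Where-Object { $_ -in $writeRights })) { continue }
    [pscustomobject]@{
        Identity   = $ace.IdentityReference.Value
        Rights     = $ace.ActiveDirectoryRights
        ObjectType = $ace.ObjectType      # attribute/right GUID; all-zero GUID = whole object
        Inherited  = $ace.IsInherited     # explicit (non-inherited) ACEs were set by hand
        AppliesTo  = $ace.InheritanceType
    }
}

"DACL snapshot written to $backup"
$findings | Sort-Object Inherited, Identity | Format-Table -AutoSize
```

Compare each reported ACE against a freshly promoted reference domain (as the question considers) before removing it, and change one ACE at a time with replication checks in between, as the first answer advises.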