An organization that I work with has a domain administrator that is departing and concerns have been raised surrounding potential remnant accounts. The DA is leaving on good terms, but has been entrenched for an extended period of time with little to no oversight of his activities.
Does anyone have any knowledge of a tool, whitepaper, etc. that would assist me in guiding the replacement administrator through ensuring any lingering privileged accounts are identified?
Unfortunately, I'm not sure that there is a "tool" for this.
Let me clear it up a bit. What exactly do you use your domain for?
If it's used for workstation and server authentication, I would check membership of the groups Domain Admins, Enterprise Admins, Schema Admins, Hyper-V Administrators (the full list of the default domain groups is here, but not all of them are privileged and have to be checked). Then I'd look at GPO to understand if there is a policy defining local admins on workstations/servers. If the policy or policies exist, I'd check the membership of these groups.
On the other hand, if you have any services using AD as a central authentication point (like SharePoint, the Atlassian suite, etc.), you have to explore these services in more detail to get the names of privileged accounts and groups.
You have to do the same if you're using AD as a RADIUS server for your network equipment.
Hope it'll help a little.
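The three checks in the answer above (built-in privileged group membership, accounts that were once privileged, and GPO-pushed local admins) can be scripted. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory and GroupPolicy modules, a group list that you should extend with any custom admin groups, and the element names used in the Get-GPOReport XML for Restricted Groups (verify those against one exported report before relying on them).

```powershell
# Added example: enumerate current privileged membership, AdminSDHolder-protected
# leftovers, and GPO Restricted Groups entries that populate local Administrators.
# Assumes RSAT (ActiveDirectory + GroupPolicy modules) and read access to the
# directory and the GPOs; no Domain Admin rights are needed to read this.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# Built-in groups worth auditing first. The list is an assumption for the
# example; add any custom "admin" groups your domain uses.
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators',
    'Print Operators', 'Group Policy Creator Owners', 'DnsAdmins',
    'Hyper-V Administrators'
)

# 1. Direct and nested user members of each privileged group.
$report = foreach ($g in $privilegedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }   # e.g. DnsAdmins / Hyper-V Administrators may not exist
    # -Recursive expands nested groups, which is where stale accounts tend to hide.
    # Caveat: it stops at foreign security principals and fails on >5000 members.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName `
                    -Properties LastLogonDate, PasswordLastSet, whenCreated
            [pscustomobject]@{
                Group           = $g
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
                Created         = $u.whenCreated
            }
        }
}

# 2. Accounts protected by AdminSDHolder keep adminCount=1 even after they are
#    removed from a privileged group, so this surfaces accounts that *were*
#    privileged at some point and were never cleaned up.
$orphanedAdminCount = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
    Where-Object { $_.SamAccountName -notin $report.SamAccountName }

# 3. Local admins pushed by Group Policy (Restricted Groups). The XML element
#    names below are an assumption about the Get-GPOReport schema; Group Policy
#    Preferences "Local Users and Groups" entries live elsewhere and are not covered.
$gpoLocalAdmins = foreach ($gpo in Get-GPO -All) {
    [xml]$x = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    foreach ($rg in $x.GPO.Computer.ExtensionData.Extension.RestrictedGroups) {
        if ($rg.GroupName.Name -match 'Administrators') {
            [pscustomobject]@{
                GPO     = $gpo.DisplayName
                Group   = $rg.GroupName.Name
                Members = ($rg.Member.Name) -join ', '
            }
        }
    }
}

$report              | Sort-Object Group, SamAccountName | Format-Table -AutoSize
$orphanedAdminCount  | Select-Object SamAccountName, Enabled | Format-Table -AutoSize
$gpoLocalAdmins      | Format-Table -AutoSize
```

Review the first table for accounts with an old LastLogonDate or PasswordLastSet, the second for anything you do not recognise (those are the classic leftovers), and the third to learn which groups actually control local admin on members, then feed those group names back into the first list.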
I am having similar issues: other "custom groups" have been created that may, most likely, have almost Domain Admin privileges. I am not a domain admin so it is difficult to find out how "powerful" these groups are.
I have been searching for an LDAP or PowerShell script to extract the privileges of these groups but have been striking out. I have seen some examples but I cannot get them to execute. I am not an AD expert; I did do AD administration over 10 years ago and of course things have changed.
If I can get a script to work, I will post it.
If you're working with an AD infrastructure that wasn't done properly or documented, you may have a hard time, and would want to start by getting a list of the privileged accounts using PowerShell.
Once you've gotten the list, either audit the accounts specifically or set up auditing for privileged login events.
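"Auditing for privileged login events" in practice means enabling the Special Logon subcategory on the domain controllers and then watching event 4672 (logged when a session is granted admin-equivalent privileges such as SeDebugPrivilege or SeBackupPrivilege) for accounts that are not on your list. The script below is an added example, not code from the answer above; it assumes you run it with an account that is in Event Log Readers on the DCs, and the `$expected` account names are placeholders.

```powershell
# Added example: enable Special Logon auditing, then pull 4672 events from every
# DC and flag privileged logons by accounts outside the expected list.
# Assumes membership in Event Log Readers (or admin) on the DCs and RSAT.
Import-Module ActiveDirectory

# 1. Enable the audit subcategory. Run on each DC, or better, set it once in the
#    Default Domain Controllers Policy under Advanced Audit Policy Configuration.
auditpol /set /subcategory:"Special Logon" /success:enable

# Accounts that are allowed to hold privileged sessions; placeholders for the example.
$expected = @('svc-backup', 'jdoe-admin')

function Get-PrivilegedLogons {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4672; StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The interesting fields are only in the event XML, not in .Message.
        [xml]$x = $e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Skip machine accounts (trailing $) and LOCAL SYSTEM, which log 4672 constantly.
        if ($data.SubjectUserName -like '*$' -or $data.SubjectUserSid -eq 'S-1-5-18') { continue }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Account    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            LogonId    = $data.SubjectLogonId   # join to 4624 on this to get the source host
            Privileges = ($data.PrivilegeList -split '\s+' | Where-Object { $_ }) -join ','
            DC         = $ComputerName
        }
    }
}

# 2. Collect from every DC; 4672 is written on the DC that authenticated the session.
$logons = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-PrivilegedLogons -ComputerName $dc
}

# Who is using privilege at all, most active first.
$logons | Group-Object Account | Sort-Object Count -Descending | Select-Object Count, Name

# Anything not on the expected list is what you go and investigate.
$logons | Where-Object { ($_.Account -split '\\')[-1] -notin $expected } |
    Select-Object Time, DC, Account, Privileges | Format-Table -AutoSize
```

4672 tells you who got privilege, not where from; for that, look up the matching 4624 on the same DC with the same LogonId, which carries the source address. Once the baseline is quiet, the same filter is what you would hand to a SIEM as the standing alert.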
Just to close the loop on this. I have found a few solutions that offer this functionality, and no clear path to completing a full audit with PowerShell.
So far, my leading candidate is Paramount Defenses' AD Privileged Access Auditor tool, but I have not tested it. I'm hopeful for budget in early 2020 and will post an update with which tool I end up using.
A good tool that I use is AD Info - http://www.cjwdev.co.uk/Software/ADReportingTool/Info.html
It is fast, easy and cost-effective. It is a simple way of pulling quick reports without running PowerShell scripts. It gives you quite a bit of information that is relevant to AD.
I have never used Paramount Defenses, but the screens and information from what I see look similar.
A client within New Zealand has been using Quest for this very purpose for some years, and is very happy with this solution: https://www.quest.com/solutions/active-directory/
You may want to check it out.