How to Check if AD Users Have Default Permissions

Active Directory (AD) user permissions must be regularly audited to prevent unauthorized access. Below are PowerShell commands and scripts to verify user permissions and identify excessive privileges.

1. Check User Group Memberships

Standard users should only belong to Domain Users. Elevated groups like Domain Admins or Enterprise Admins indicate excessive privileges.

Get-ADUser -Identity "username" -Properties MemberOf | Select-Object -ExpandProperty MemberOf

2. Verify Delegated Permissions in Organizational Units (OUs)

Check if custom permissions are applied to OUs:

dsacls "OU=Finance,DC=domain,DC=com"

Look for unusual Write, Full Control, or Modify permissions.

3. Check Direct User Object Permissions

Users should inherit permissions from OUs, not have direct assignments:

dsacls "CN=John Doe,OU=Users,DC=domain,DC=com"

4. Detect Local Admin Rights on Workstations

Check if a user has local admin access on machines:

Invoke-Command -ComputerName "PC-Name" -ScriptBlock {
    Get-LocalGroupMember -Group "Administrators"
}

5. Bulk Audit All AD Users

Export all users and their group memberships for analysis:

Get-ADUser -Filter * -Properties MemberOf |
Select-Object Name, SamAccountName, @{Name="Groups";Expression={$_.MemberOf -join "; "}} |
Export-Csv -Path "AD_User_Audit.csv" -NoTypeInformation
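Steps 1 and 5 combined into one script, added here as an example that is not part of the original post: it resolves privileged group membership recursively (so nested groups are caught), flags every user whose memberships go beyond the default Domain Users primary group, and writes the CSV from step 5. It assumes the RSAT ActiveDirectory module and read access to the domain; the privileged-group list and the output path are assumptions to adjust for your environment.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Groups treated as privileged (assumed list; extend with your own tier-0 groups).
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Administrators', 'Account Operators', 'Backup Operators'
)

# Resolve privileged membership once, recursively, so users nested via other groups are found.
$PrivilegedMembers = @{}
foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            if (-not $PrivilegedMembers.ContainsKey($_.SamAccountName)) {
                $PrivilegedMembers[$_.SamAccountName] = New-Object System.Collections.Generic.List[string]
            }
            $PrivilegedMembers[$_.SamAccountName].Add($g)
        }
}

$Report = Get-ADUser -Filter * -Properties MemberOf, adminCount | ForEach-Object {
    # MemberOf never lists the primary group (Domain Users by default), so any entry
    # here is a membership beyond the default.
    $direct = @($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
    $priv   = if ($PrivilegedMembers.ContainsKey($_.SamAccountName)) { $PrivilegedMembers[$_.SamAccountName] } else { @() }
    [PSCustomObject]@{
        SamAccountName   = $_.SamAccountName
        Enabled          = $_.Enabled
        DirectGroups     = ($direct -join '; ')
        PrivilegedGroups = ($priv -join '; ')
        AdminCount       = $_.adminCount   # 1 = protected by AdminSDHolder (is or once was privileged)
        Finding          = if ($priv.Count -gt 0) { 'PRIVILEGED' }
                           elseif ($direct.Count -gt 0) { 'EXTRA-GROUPS' }
                           else { 'DEFAULT' }
    }
}

# Full report for compliance review, plus an on-screen list of everything that is not default.
$Report | Sort-Object Finding | Export-Csv -Path 'AD_User_Audit.csv' -NoTypeInformation
$Report | Where-Object { $_.Finding -ne 'DEFAULT' } | Format-Table -AutoSize
```

A disabled account that still shows PRIVILEGED or AdminCount=1 is worth a follow-up: disabling does not remove group membership or the AdminSDHolder flag.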

You Should Know:

  • Find Users in Privileged Groups:

    Get-ADGroupMember "Domain Admins" | Select-Object Name, SamAccountName

  • Check GPO Modifications:

    Get-GPOReport -All -ReportType Html -Path "GPO_Report.html"

  • Detect Inactive Users (Security Risk):

    Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | Where-Object { $_.Enabled -eq $true }

  • Reset Suspicious User Permissions (MemberOf is a read-only back-link, so group membership is removed on the group side):

    Get-ADPrincipalGroupMembership -Identity "username" | Where-Object { $_.Name -ne "Domain Users" } | ForEach-Object { Remove-ADGroupMember -Identity $_ -Members "username" -Confirm:$false }

What Undercode Say:

Regular AD permission audits prevent privilege escalation attacks. Use PowerShell automation to enforce least privilege. Key Linux/Windows commands for security audits:

  • Linux (AD-Integrated):

    ldapsearch -x -H ldap://domain-controller -b "dc=domain,dc=com" "(objectClass=user)" memberOf

  • Windows (Advanced Threat Hunting):

    Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4624]]" | Where-Object { $_.Message -match "Admin" }

  • Check Scheduled Tasks (Malware Check):

    Get-ScheduledTask | Where-Object { $_.Principal.UserId -ne "SYSTEM" }

  • Detect Pass-the-Hash Attempts:

    Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4768 or EventID=4769]]"

Expected Output:

A structured CSV/HTML report of AD users, group memberships, and abnormal permissions for compliance reviews.

Reported By: Luiz Henrique – Hackers Feeds