Tuesday, August 4, 2020

Who can change the membership of the Domain Admins group?


Folks,

Hello. Today, I thought I would ask yet another very simple, fundamental and paramount cyber security question that impacts the foundational cyber security of over 85% of all business and government organizations worldwide.


Exactly who can change the membership of the Domain Admins group?

Today, at most organizations worldwide, most IT Teams, CISOs and IT Auditors may know exactly who the members of the Domain Admins group are, BUT very few of them know exactly who can change the membership of this all-powerful group.





This is Paramount

The Domain Admins group in Active Directory holds the proverbial Keys to the Kingdom and anyone who could change the membership of the Domain Admins group could instantly cause a massive cyber security breach.


Here are 3 simple scenarios that could be instantly enacted by anyone who could change this group's membership -

  1. Add any account to membership of this group - Anyone who could add any account that they have control over to this group's membership would instantly have escalated their privilege to that of an all-powerful domain admin.

  2. Add Everyone to the membership of this group - Anyone who could add the Everyone well-known security principal to this group would instantly have made all organizational user and computer accounts Domain Admins!

  3. Remove all existing members from this group - Anyone who could remove all existing members could easily and instantly render an organization's existing Domain Admin accounts powerless.

Thus it is paramount that IT Teams, the CISO and IT Auditors at every organization that operates on Active Directory know at all times, not just who is a member of this group today, but also exactly who can change the membership of this group.
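Whether an account can change the group's membership is decided by the security descriptor on the Domain Admins group object itself: a trustee needs Write Property on the "member" attribute (or a right that includes it, such as Generic Write or Generic All), or a right that lets it grant that to itself (Write DACL, Write Owner, or ownership of the object). The script below is an added audit example, not code from the original post or from Paramount Defenses; it assumes the RSAT ActiveDirectory module (which provides the AD: drive) and a caller allowed to read the group's security descriptor. It lists every trustee in the DACL that holds one of those rights, plus the owner. That is the starting point, not the final answer the post asks for: each group it lists still has to be expanded to individual accounts, Deny entries have to be weighed against Allow entries, and the DACL is periodically reset from AdminSDHolder, so a one-off reading can go stale.

```powershell
# Added audit example (not code from the original post). Reads the DACL of the
# Domain Admins group object and reports each trustee granted a right that lets
# it alter the group's membership. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Schema GUID of the 'member' attribute; fixed in every forest.
$MemberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$AllGuid    = [Guid]::Empty          # ACE applies to every attribute of the object
$ADRights   = [System.DirectoryServices.ActiveDirectoryRights]

function Get-DomainAdminsMembershipWriters {
    # Domain Admins always has RID 512, so resolve it by SID rather than by name.
    $domain  = Get-ADDomain
    $daGroup = Get-ADGroup -Identity "$($domain.DomainSID)-512"
    $acl     = Get-Acl -Path ("AD:\" + $daGroup.DistinguishedName)

    # The object's owner implicitly holds WriteDacl, whatever the ACEs say.
    [pscustomobject]@{
        Trustee   = $acl.Owner
        Type      = 'Owner'
        Reason    = 'Owner (implicit WriteDacl)'
        Inherited = $false
    }

    foreach ($ace in $acl.Access) {
        $r      = $ace.ActiveDirectoryRights
        $reason = $null
        if     ($r.HasFlag($ADRights::GenericAll)) { $reason = 'GenericAll' }
        elseif ($r.HasFlag($ADRights::WriteDacl))  { $reason = 'WriteDacl (can grant itself write on member)' }
        elseif ($r.HasFlag($ADRights::WriteOwner)) { $reason = 'WriteOwner (can take ownership, then WriteDacl)' }
        elseif ($r.HasFlag($ADRights::WriteProperty) -and
                ($ace.ObjectType -eq $AllGuid -or $ace.ObjectType -eq $MemberGuid)) {
            # GenericWrite includes the WriteProperty bit, so it lands here as well.
            $reason = 'WriteProperty on member'
        }
        if ($reason) {
            [pscustomobject]@{
                Trustee   = $ace.IdentityReference
                Type      = $ace.AccessControlType   # Deny entries override Allow; review both
                Reason    = $reason
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-DomainAdminsMembershipWriters | Sort-Object Type, Trustee | Format-Table -AutoSize
```

Run it from a domain-joined host as an account that can read the group's security descriptor. The Type column is there because a Deny ACE for a trustee wins over an Allow for the same trustee; treating the Allow list alone as the answer overstates who can actually write the attribute.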




The Answer (and a Simple Challenge)

In my next post on August 10, 2020, I'll share with you exactly how organizations can make this paramount determination.

Until then, here's a simple challenge: here is a ready-to-use fictional Active Directory deployment. Can you find out exactly how many accounts can change the membership of the Domain Admins group in this fictional AD deployment?!

Best wishes,
Sanjay.


PS: Strictly speaking, Domain Admins is merely one of numerous such groups in Active Directory that possess all-powerful organization-wide privileged access. However, in the interest of simplicity, I've focused on the Domain Admins group here.

© 2006 - 2019 Paramount Defenses.
All Rights Reserved.