
Find Computers where Domain Users are Local Admin - Request to verify possible false-positive #676

Open
IllllIIIIIIII opened this issue Jun 18, 2023 · 1 comment

Comments

@IllllIIIIIIII

IllllIIIIIIII commented Jun 18, 2023

Hi all,
Scenario (no loopback configured, no Block Inheritance, no Enforced link, no item-level targeting, no WMI filter, no delegation denying Apply Group Policy):

OU "Country" has linked GPO1, which has the Computer setting Restricted Groups to add the built-in Domain Users group to the computers' local Builtin\Administrators group. *GPO Status: Computer configuration settings disabled

OU "Country" has a sub-OU "City"; GPO2, linked to OU "City", has the Computer setting Local Users and Groups, which adds a manually created AD group to the computers' local Built-In Administrators group.

Result on the computer: the manually created AD group gets added to the local built-in Administrators group.

Result in BloodHound, for the query "Find Computers where Domain Users are local Admins":
"Domain Users" has AdminTo "[Computer-FQDN]"

My guess here is that the calculation indeed knows that Restricted Groups takes precedence over Local Users and Groups settings (although it is linked to the sub-OU [edit: if gpupdate /force]), but what seems missing here is the fact that the computer settings are disabled under GPO Status.

Can someone please verify the described scenario, or can someone already state whether the logic covers the case where GPO Status disables the computer settings part when calculating the final result (in this context, Restricted Groups versus Local Users and Groups behaviour)?

In case you need more information from me, please let me know.

BR,
IllllIIIIIIII

@JonasBK
Contributor

JonasBK commented Jun 28, 2023

Hi @IllllIIIIIIII,

I have confirmed the bug. We do not take the GPO status into account. At least not "Computer configuration settings disabled".
Thanks for reporting this, we will get it fixed 👍
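As an added illustration of the gap confirmed above (not code from the issue or from the BloodHound/SharpHound project), the following model walks an OU chain, applies LSDOU precedence with Restricted Groups treated as authoritative over Local Users and Groups entries, and skips any GPO whose groupPolicyContainer `flags` attribute has the "computer configuration disabled" bit (0x2) set. The GPO names, the group "CONTOSO\Workstation-Admins" and the precedence model are constructed assumptions for the example; `honor_gpo_status=False` reproduces the reported behaviour.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

# groupPolicyContainer 'flags' attribute bits, shown as "GPO Status" in GPMC
USER_CONFIG_DISABLED = 0x1
COMPUTER_CONFIG_DISABLED = 0x2


@dataclass
class GPO:
    name: str
    flags: int = 0
    # Restricted Groups "Members" for Builtin\Administrators (authoritative set), or None
    restricted_members: Optional[FrozenSet[str]] = None
    # Group Policy Preferences Local Users and Groups "Add" entries for Administrators
    lug_adds: Tuple[str, ...] = ()


def computer_settings_apply(gpo: GPO) -> bool:
    """A GPO whose computer portion is disabled contributes no computer settings."""
    return not (gpo.flags & COMPUTER_CONFIG_DISABLED)


def effective_local_admins(ou_chain: List[List[GPO]], honor_gpo_status: bool = True) -> Set[str]:
    """ou_chain lists the GPOs linked at each OU from the top-level OU down to the
    computer's OU; later (closer) OUs win over earlier ones (LSDOU precedence).
    Model assumption: an applied Restricted Groups 'Members' set is authoritative,
    so it replaces anything a Local Users and Groups preference would add."""
    authoritative: Optional[Set[str]] = None
    adds: Set[str] = set()
    for linked in ou_chain:
        for gpo in linked:
            if honor_gpo_status and not computer_settings_apply(gpo):
                continue  # this is the check the issue reports as missing
            if gpo.restricted_members is not None:
                authoritative = set(gpo.restricted_members)
            adds.update(gpo.lug_adds)
    return authoritative if authoritative is not None else adds


def scenario_from_issue() -> List[List[GPO]]:
    """Constructed reproduction of the reporter's OU Country -> OU City layout."""
    gpo1 = GPO("GPO1", flags=COMPUTER_CONFIG_DISABLED,
               restricted_members=frozenset({"Domain Users"}))
    gpo2 = GPO("GPO2", lug_adds=("CONTOSO\\Workstation-Admins",))
    return [[gpo1], [gpo2]]


if __name__ == "__main__":
    chain = scenario_from_issue()
    print("on the computer :", effective_local_admins(chain))
    print("reported result :", effective_local_admins(chain, honor_gpo_status=False))
```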
