Domain Trust

    Question

  • I have been working on audit clean up in my organization and have run into a scenario that I am not sure about. I have a 2 way trust between domains and by default it will create a hidden account within the default "Users" container as a hidden object. Well this will raise a flag during audit as there should be no privileged accounts within the container. Can I move this account out of the Users container without breaking domain trust in any way? Or does it have to reside in that container as a hidden object?

    Here is the Finding

    Privileged account in default user container

    Best Practice Guidance

    Vulnerability

    Privileged accounts residing in the CN=Users container are not subject to Group Policy in the granular way they might be when residing in an OU (GPO cannot be linked to containers CN=). The entire network may be at risk when privileged accounts are unmanaged or managed in the same way as regular users.

    Potential Impact

    Failing to segregate privileged accounts using dedicated OUs increases the administrative overhead and may exclude them from granular management with specific policies.

    Countermeasure

    Microsoft recommends all administrative, generic and service accounts be organized in an appropriate Organizational Unit (OU) structure. Grouping these accounts in Organizational Units (OU) will permit better control of administrative privileges by applying appropriate Group Policy.

    Segregating administrative accounts also facilitates automated monitoring and auditing of these powerful objects.

     



    • Edited by GregDron Friday, January 13, 2017 6:53 PM
    Friday, January 13, 2017 6:52 PM

Answers

  • It all depends on the permissions you have set on the container. If only domain admins have the right to manage it then I do not see a problem. I do not advise making changes on this service account but, if you still want to move it, I would advise to test this first in a test environment to see if there are any side effects.

    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK


    • Marked as answer by GregDron Wednesday, January 18, 2017 3:43 PM
    Sunday, January 15, 2017 11:52 PM
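As an added, read-only check (example code, not from the thread or from Microsoft), the script below inventories the default Users container so the trust account can be documented for the auditor as an expected object and any other privileged accounts can be identified for relocation, and lists who holds write rights on the container, which is what the answer above says the risk depends on. It assumes the RSAT ActiveDirectory module is installed and the caller has read access to the domain; the function names are my own.

```powershell
# Added example, not code from the thread: inventory CN=Users for an audit
# and show who can modify the container. Read-only; nothing is moved.
Import-Module ActiveDirectory

function Get-UsersContainerInventory {
    $container = (Get-ADDomain).UsersContainer   # e.g. CN=Users,DC=corp,DC=example (placeholder)

    # Objects directly under CN=Users, with the attributes needed to classify them.
    $objects = Get-ADObject -SearchBase $container -SearchScope OneLevel -Filter * `
        -Properties sAMAccountName, userAccountControl, adminCount

    foreach ($obj in $objects) {
        $uac = [int]$obj.userAccountControl   # $null becomes 0 for groups etc.
        # userAccountControl bit 0x0800 = INTERDOMAIN_TRUST_ACCOUNT: the hidden
        # user object a trust creates; its sAMAccountName is the trusted
        # domain's NetBIOS name followed by '$'. This is the expected exception.
        $category = if ($uac -band 0x0800) { 'TrustAccount (created by trust; leave in place)' }
                    elseif ($obj.adminCount -eq 1) { 'Privileged (adminCount=1; candidate for admin OU)' }
                    else { 'Other' }
        [pscustomobject]@{
            Name       = $obj.Name
            Class      = $obj.ObjectClass
            SamAccount = $obj.sAMAccountName
            Category   = $category
        }
    }
}

function Get-UsersContainerWriters {
    # Principals allowed to create, delete or re-ACL objects in CN=Users.
    # If only Domain Admins (and the built-in SYSTEM/Administrators entries)
    # appear here, the container is managed as tightly as a dedicated OU would be.
    $container = (Get-ADDomain).UsersContainer
    $acl = Get-Acl -Path "AD:\$container"   # AD: drive is provided by the ActiveDirectory module
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|CreateChild|DeleteChild') } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

Get-UsersContainerInventory | Sort-Object Category, Name | Format-Table -AutoSize
Get-UsersContainerWriters   | Format-Table -AutoSize
```

Run it as a normal domain user from a management host; both functions only read the directory, so the output can be attached to the audit response as evidence without touching the trust account.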

All replies

  • The foreign security principal objects created as a result of trusts should not be modified. I don't know if moving them would break anything but I wouldn't touch them.

    Tell your auditors to go bury their nose in this article - https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx

    Friday, January 13, 2017 7:04 PM