Is this possible?
cisco_trooper
We recently had to terminate a network engineer who at one time stated he had hidden accounts in Active Directory using ADSI. I'm just curious if this is actually possible, and if so, how can I find these accounts? What user attribute allows you to do this, etc.?
Comments
Slowhand
I'm sure someone like royal or sprkymrk can answer this question better than I can in terms of technical how-to, but there is a way to create "sort-of-hidden" accounts in ADSI using VBScript (or PowerShell these days). The user won't show up in AD Users & Computers, but you can still see the account on an ACL if it's given access to a folder or file, and I believe that the user would be listed in any group it belongs to.
jbaello
I would love to know this!
dynamik
This might be a starting point:
http://www.mail-archive.com/activedir@mail.activedir.org/msg37337.html
http://www.microsoft.com/technet/serviceproviders/wbh4_5/CMSU_CM_Plan_PROC_Use_Manual_Steps_to_Set_Active_Directory_to_List_Object_Mode.mspx?mfr=true
You can use ADSI as a programming interface, but anyone can load ADSIEdit from the support tools and tinker around with things with a GUI.
royal
You can hide objects from others just by using regular security permissions within ADUC. Try looking through the security rights for Deny entries in ADUC.
Claymoore
I assume that when they said hidden they didn't mean hidden from Exchange Address Book. That would just be lame.
I also doubt that a 'hidden' account was made a member of any of the standard powerful groups such as domain admins, account operators, etc. because it would be too easy to find. That would just be stupid.
If any of the 'hidden' accounts were given delegated authority over any OUs, then the DSREVOKE tool (available here) can scan and report users or groups that have delegated authority over an OU.
Hypothetically speaking, if I were going to go to all the trouble of using ADSIEdit to hide an account, I would give that account some delegated authority because that is very hard to track. Then again, this admin may not really be that smart, which is why they were fired in the first place.
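The two detection angles raised in this thread (royal: objects hidden from ADUC by Deny permissions; Claymoore: accounts that quietly hold delegated authority over an OU) can both be audited from a plain LDAP enumeration instead of the ADUC view. The script below is an added example written for this thread, not code from any of the posters or from Microsoft. It assumes a domain-joined Windows host, an account with full read rights to the directory, and that you replace the constructed `EXAMPLE\` group names with your own domain's built-in groups. Note the caveat royal's technique implies: a Deny ACE that removes read rights from the account running the script will hide the object from this enumeration too, so run it with the highest rights available (from a DC if necessary) and compare the user count against a second source such as a directory backup.

```powershell
# Added audit example (not from this thread). Assumptions: domain-joined host,
# run as an account with full read rights, $expectedPrincipals adjusted for your domain.
# Uses System.DirectoryServices directly so it works without the AD PowerShell module.

$rootDse   = [ADSI]"LDAP://RootDSE"
$defaultNC = $rootDse.defaultNamingContext

# Principals that normally appear on AD ACLs. Anything else holding write or
# control rights on an OU is reported as possible delegation.
# The EXAMPLE\ entries are constructed placeholders: replace with DOMAIN\Group.
$expectedPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Everyone',
    'BUILTIN\Administrators', 'BUILTIN\Account Operators', 'BUILTIN\Print Operators',
    'BUILTIN\Pre-Windows 2000 Compatible Access', 'BUILTIN\Windows Authorization Access Group',
    'EXAMPLE\Domain Admins', 'EXAMPLE\Enterprise Admins', 'EXAMPLE\Cert Publishers',
    'EXAMPLE\RAS and IAS Servers', 'EXAMPLE\Key Admins', 'EXAMPLE\Enterprise Key Admins'
)

function Get-LdapObjects {
    param([string]$Filter, [string[]]$Properties)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$defaultNC"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 1000   # paged search so large domains are not cut off at 1000 results
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }
    return $searcher.FindAll()
}

$ntAccount = [System.Security.Principal.NTAccount]

# --- 1. User objects carrying explicit Deny ACEs (royal's "hidden via permissions") ---
Write-Host "== User objects with explicit Deny ACEs or an unusual owner =="
$userFilter = '(&(objectCategory=person)(objectClass=user))'
$userCount  = 0
foreach ($r in Get-LdapObjects -Filter $userFilter -Properties @('distinguishedName','sAMAccountName','whenCreated','memberOf')) {
    $userCount++
    $acl = $r.GetDirectoryEntry().ObjectSecurity        # ActiveDirectorySecurity for the object
    # explicit ACEs only ($true, $false): inherited Deny entries come from the OU, not the object
    $denies = $acl.GetAccessRules($true, $false, $ntAccount) | Where-Object { $_.AccessControlType -eq 'Deny' }
    $owner  = $acl.GetOwner($ntAccount).Value
    $ownerOdd = $owner -notmatch '\\(Domain Admins|Enterprise Admins|Administrators)$'
    if ($denies -or $ownerOdd) {
        "{0}  [{1}]  created {2}  owner {3}" -f $r.Properties['samaccountname'][0],
            $r.Properties['distinguishedname'][0], $r.Properties['whencreated'][0], $owner
        foreach ($d in $denies) { "    DENY  {0} -> {1}" -f $d.IdentityReference, $d.ActiveDirectoryRights }
        # group membership is the cross-check Slowhand mentions: a hidden user still shows up here
        foreach ($g in $r.Properties['memberof']) { "    MEMBER OF {0}" -f $g }
    }
}
Write-Host "Total user objects visible to this account via LDAP: $userCount"

# --- 2. OUs where non-default principals hold write/control rights (Claymoore's delegation) ---
Write-Host "== OUs with delegated write or control rights to non-default principals =="
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner, CreateChild, DeleteChild, WriteProperty, ExtendedRight'
foreach ($r in Get-LdapObjects -Filter '(objectClass=organizationalUnit)' -Properties @('distinguishedName')) {
    $rules = $r.GetDirectoryEntry().ObjectSecurity.GetAccessRules($true, $false, $ntAccount) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights) -band ([int]$writeMask)) -ne 0 -and
            $expectedPrincipals -notcontains $_.IdentityReference.Value
        }
    if ($rules) {
        $r.Properties['distinguishedname'][0]
        foreach ($rule in $rules) { "    {0} -> {1}" -f $rule.IdentityReference, $rule.ActiveDirectoryRights }
    }
}
```

Anything the second section reports should be reconciled against change records, the same way DSREVOKE output would be; the first section's "total user objects" line is the figure to compare against a count taken from a second vantage point, since a gap between the two is exactly what a read-denying ACE would produce.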