Is this possible?
cisco_trooper
Member Posts: 1,441 ■■■■□□□□□□
We recently had to terminate a network engineer who at one time stated he had hidden accounts in Active Directory using ADSI. I'm just curious if this is actually possible, and if so, how can I find these accounts? What user attribute allows you to do this, etc.?
Comments
-
Slowhand Mod Posts: 5,161
I'm sure someone like royal or sprkymrk can answer this question better than I can in terms of technical how-to, but there is a way to create "sort-of-hidden" accounts in ADSI using VBScript (or PowerShell these days). The user won't show up in AD Users & Computers, but you can still see the account on an ACL if it's given access to a folder or file, and I believe that the user would be listed in any group it belongs to.
Free Microsoft Training: Microsoft Learn
Free PowerShell Resources: Top PowerShell Blogs
Free DevOps/Azure Resources: Visual Studio Dev Essentials
Let it never be said that I didn't do the very least I could do.
-
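The point above, that a hidden account still turns up in group membership even when the object itself is unreadable, can be turned into a check. The following PowerShell is an added example, not code from the thread: it assumes the RSAT ActiveDirectory module on a domain-joined host, run as an ordinary account, and lists every DN that some group references in its member attribute but that cannot be resolved to a readable object.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module on a
# domain-joined host, run as an ordinary account (a hidden object may be unreadable to you,
# but its DN still appears in the 'member' attribute of any group that contains it).
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName

# 1. Every user object this account can actually see via LDAP.
$visible = @{}
Get-ADObject -LDAPFilter '(&(objectCategory=person)(objectClass=user))' `
             -SearchBase $domainDN -SearchScope Subtree |
    ForEach-Object { $visible[$_.DistinguishedName.ToLowerInvariant()] = $true }

# 2. Every DN referenced from any group's member attribute, with the groups that reference it.
$referenced = @{}
Get-ADGroup -Filter * -SearchBase $domainDN -Properties member | ForEach-Object {
    $group = $_.DistinguishedName
    foreach ($dn in $_.member) {
        $key = $dn.ToLowerInvariant()
        if (-not $referenced.ContainsKey($key)) {
            $referenced[$key] = [pscustomobject]@{
                DN     = $dn
                Groups = New-Object System.Collections.Generic.List[string]
            }
        }
        $referenced[$key].Groups.Add($group)
    }
}

# 3. A DN that is a group member but cannot be resolved is either a lingering link to a
#    deleted object or an object hidden from this account; both deserve a look.
$suspects = foreach ($key in $referenced.Keys) {
    if ($visible.ContainsKey($key)) { continue }      # ordinary, readable user
    $obj = $null
    try { $obj = Get-ADObject -Identity $key -ErrorAction Stop } catch { }
    if ($null -eq $obj) {                               # groups, computers, contacts resolve here
        [pscustomobject]@{
            UnresolvedDN = $referenced[$key].DN
            MemberOf     = ($referenced[$key].Groups -join '; ')
        }
    }
}
$suspects | Format-Table -AutoSize -Wrap
```

Members that live in another domain of the forest (universal group members, foreign security principals) will also fail to resolve without a -Server pointing at that domain, so check those against the other domain before treating them as hidden. Running the same script as a Domain Admin and diffing the two result sets shows exactly which objects are being hidden from the low-privilege view.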
dynamik Banned Posts: 12,312 ■■■■■■■■■□
This might be a starting point:
http://www.mail-archive.com/activedir@mail.activedir.org/msg37337.html
http://www.microsoft.com/technet/serviceproviders/wbh4_5/CMSU_CM_Plan_PROC_Use_Manual_Steps_to_Set_Active_Directory_to_List_Object_Mode.mspx?mfr=true
You can use ADSI as a programming interface, but anyone can load ADSIEdit from the support tools and tinker around with things with a GUI.
-
royal Member Posts: 3,352 ■■■■□□□□□□
You can hide objects from others just using regular security permissions within ADUC. Try looking through the security rights in ADUC for Deny entries.
“For success, attitude is equally as important as ability.” - Harry F. Banks
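The two mechanisms named in the replies above, List Object mode from dynamik's second link and plain Deny permissions from royal's reply, can both be audited from PowerShell. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module and an account allowed to read the Configuration partition and object security descriptors. It reports whether the domain is in List Object mode and lists every Deny ACE that removes listing or read rights from a user, OU or container.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and an
# account allowed to read the Configuration partition and object security descriptors.
Import-Module ActiveDirectory

# 1. List Object mode is switched on by the third character of dSHeuristics on the
#    Directory Service object; with it enabled, denying "List Contents" on a container
#    hides everything inside it unless the viewer also holds "List Object" on the child.
$cfgNC = (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNC" `
                      -Properties dSHeuristics
$heur  = [string]$dsObj.dSHeuristics
$listObjectMode = ($heur.Length -ge 3 -and $heur[2] -eq '1')
"dSHeuristics = '$heur'  ->  List Object mode: $listObjectMode"

# 2. Deny ACEs (explicit or inherited) that strip listing or read rights from users,
#    OUs and containers. These are what ADUC's Security tab shows as 'Deny'.
$Rights       = [System.DirectoryServices.ActiveDirectoryRights]
$hidingRights = $Rights::ListChildren -bor $Rights::ListObject -bor `
                $Rights::ReadProperty -bor $Rights::GenericRead

$domainDN = (Get-ADDomain).DistinguishedName
Get-ADObject -LDAPFilter '(|(objectClass=user)(objectClass=organizationalUnit)(objectClass=container))' `
             -SearchBase $domainDN -Properties nTSecurityDescriptor |
  ForEach-Object {
    $dn = $_.DistinguishedName
    foreach ($ace in $_.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Deny) { continue }
        if ([int]($ace.ActiveDirectoryRights -band $hidingRights) -eq 0) { continue }
        [pscustomobject]@{
            Object    = $dn
            DeniedTo  = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
  } | Format-Table -AutoSize -Wrap
```

An object hidden this way is only hidden from principals the Deny ACE applies to; a Deny aimed at Everyone or Authenticated Users hides it from administrators as well, which is why the script should be run as an account that still holds Read on the descriptor (Domain Admins can also take ownership to recover it). Note that "Hide from Exchange address lists" is a different mechanism (the msExchHideFromAddressLists attribute) and is not what either reply is describing.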
-
Claymoore Member Posts: 1,637
I assume that when they said hidden they didn't mean hidden from Exchange Address Book. That would just be lame.
I also doubt that a 'hidden' account was made a member of any of the standard powerful groups such as domain admins, account operators, etc. because it would be too easy to find. That would just be stupid.
If any of the 'hidden' accounts were given delegated authority over any OUs, then the DSREVOKE tool (available here) can scan and report users or groups that have delegated authority over an OU.
Hypothetically speaking, if I were going to go to all the trouble of using ADSIedit to hide an account, I would give that account some delegated authority because that is very hard to track. Then again, this admin may not really be that smart which is why they were fired in the first place.
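The delegated-authority angle in the post above can be checked without DSREVOKE. The following PowerShell is an added example, not code from the thread or from the DSREVOKE tool; it assumes the RSAT ActiveDirectory module (which supplies the AD: PSDrive that Get-Acl reads) and reports every Allow ACE set directly on the domain head or an OU for a principal that is not one of the default well-known ones. The list of expected principals is an assumption for a stock domain and should be adjusted for known local delegations.

```powershell
# Added example, not from the thread; approximates what DSREVOKE lists. Assumes the RSAT
# ActiveDirectory module (which provides the AD: PSDrive used by Get-Acl).
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

# Principals that legitimately appear on OU ACLs out of the box (assumed list for a stock
# domain). Anything else holding an Allow ACE set directly on an OU is a delegation someone
# configured and should be explainable.
$builtinNames = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Everyone', 'CREATOR OWNER',
    'BUILTIN\Administrators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
    'BUILTIN\Account Operators', 'BUILTIN\Print Operators'
)
$builtinGroups = @('Domain Admins', 'Enterprise Admins', 'Key Admins',
                   'Enterprise Key Admins', 'Cert Publishers')

function Test-ExpectedPrincipal([string]$name) {
    if ($builtinNames -contains $name) { return $true }
    foreach ($g in $builtinGroups) { if ($name -like "*\$g") { return $true } }
    return $false
}

$containers = @($domainDN) + (Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN |
                               Select-Object -ExpandProperty DistinguishedName)

$delegations = foreach ($dn in $containers) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }             # report where it was set, not where it flows
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (Test-ExpectedPrincipal $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Container  = $dn
            Principal  = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType      # GUID of the attribute/class/extended right; all-zero = everything
            AppliesTo  = $ace.InheritanceType
        }
    }
}
$delegations | Sort-Object Container, Principal | Format-Table -AutoSize -Wrap
```

Two things to look for in the output. A Principal shown as a raw SID rather than DOMAIN\name means the account could not be translated, which is exactly what a hidden or deleted account looks like on an ACL. And a delegation with an all-zero ObjectType and GenericAll, WriteDacl or WriteOwner rights is effectively full control of that OU, whoever holds it.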