Domain Admin Users Audit

This is an interactive task that audits users with domain admin permissions in Active Directory.

A report is generated showing various statistics, including how many:

Users have domain admin permissions
Domain admin users have never logged on
Domain admin users have passwords older than 90 days

Playbook Files

# The task was built to work with these plugin versions.
plugins:
  ppa: ~6
  hashicorp_vault: ~5
  active_directory: ~7
  ppa_tools: ~6


steps:


  - name: Intro
    actions:

      - ppa.ui.output_markdown:
          doc: >
            {{ globals.icons.active_directory.full }}


            ### Domain Admins Audit


            This task displays statistics about users with domain admin permissions in Active Directory.


      - ppa.ui.input_accept:
          text: Start


  - name: Get Secrets
    actions:

      - hashicorp_vault.key_value.read_secret_keys:
          secret: active_directory
          reason: Getting Active Directory details
          keys:
            - name: address
            - name: domain
            - name: username
            - name: password
              sensitive: true
          create_missing: true
        save: domain_controller


  - name: Find Domain Admins Group
    actions:

      - active_directory.groups.by_samaccountname:
          sAMAccountName: Domain Admins
        load:
          domain_controller: domain_controller
        save: group
        rescue:

          - ppa.ui.output_info:
              text: No domain admins group was found on the domain, goodbye!
            when: >
              "No group found" in rescue.error

          - exit:
              exit_code: 0
            when: >
              "No group found" in rescue.error

          - ppa.ui.output_error:
              text: "Searching Active Directory failed: {{ rescue.error }}"

          - exit:
              exit_code: 2


  - name: Audit Domain Admin Users
    actions:

      - ppa.ui.output_progress:
          text: Auditing domain admin users...
          percent: null
          element_id: auditing_users

      - active_directory.groups.get_users:
          nested: true
        load:
          distinguishedName: group.distinguishedName
          domain_controller: domain_controller
        save: all_users

      - active_directory.groups.get_users:
          nested: false
        load:
          distinguishedName: group.distinguishedName
          domain_controller: domain_controller
        save: direct_users

      - ppa.ui.output_progress:
          text: Audited domain admin users
          percent: 100
          element_id: auditing_users


  - name: Process Domain Admin Users
    actions:

      - ppa.ui.output_progress:
          text: Generating domain admin users report...
          percent: null
          element_id: generating_users_report

      - ppa_tools.dictionaries.filter_from_list:
          # Filter out all users who have a logon timestamp & count the remainder.
          filters:
            - key: lastLogonTimestamp
              value: null
              type: not
        load:
          dictionaries: all_users
        save: never_logged_on

      - count:
        load:
          item: all_users
        save: all_user_count

      - count:
        load:
          item: direct_users
        save: direct_user_count

      - ppa_tools.dictionaries.filter_from_list:
          # Filter out all unlocked users & count the remainder.
          filters:
            - key: is_locked
              value: false
              type: equal
        load:
          dictionaries: all_users
        save: locked_users

      - ppa_tools.dictionaries.filter_from_list:
          # Filter out all disabled users & count the remainder.
          filters:
            - key: is_enabled
              value: false
              type: equal
        load:
          dictionaries: all_users
        save: enabled_users

      - ppa_tools.dictionaries.filter_from_list:
          # Filter out all enabled users & count the remainder.
          filters:
            - key: is_enabled
              value: true
              type: equal
        load:
          dictionaries: all_users
        save: disabled_users

      - ppa_tools.dictionaries.filter_from_list:
          # Filter out all unexpired users & count the remainder.
          filters:
            - key: is_expired
              value: false
              type: equal
        load:
          dictionaries: all_users
        save: expired_users

      - eval:
          # Find & count the users whose password is older than 90 days.
          expression: >
            [u for u in all_users if u.get("password_age") is not None and (u.get("password_age").get("days") or 0) > 90]
        save: old_passwords

      - ppa.ui.output_progress:
          text: Generated domain admin users report
          percent: 100
          element_id: generating_users_report


  - name: Display Users Report
    actions:

      - ppa.ui.output_markdown:
          doc: >
            ## Domain Admin User Accounts


            ### User Memberships


            There are **{{ all_user_count }}** user accounts with Domain Admin permissions:

            - **{{ direct_user_count }}** of these users {{ 'has' if direct_user_count == 1 else 'have' }} a direct membership to Domain Admins.

            - **{{ all_user_count - direct_user_count }}** of these users are nested members of Domain Admins.


            ### Account States & Activity


            - **{{ enabled_users | length }}** {{ 'is' if enabled_users | length == 1 else 'are' }} enabled.

            - **{{ disabled_users | length }}** {{ 'is' if disabled_users | length == 1 else 'are' }} disabled.

            - **{{ locked_users | length }}** {{ 'is' if locked_users | length == 1 else 'are' }} locked.

            - **{{ expired_users | length }}** {{ 'has' if expired_users | length == 1 else 'have' }} expired.


            ### Password Hygiene


            - **{{ old_passwords | length }}** have a password older than **90 days**.

            - **{{ never_logged_on | length }}** have never logged on (based on the [lastLogonTimestamp](https://docs.microsoft.com/en-us/windows/win32/adschema/a-lastlogontimestamp) Active Directory attribute).

Running this Playbook

Click download playbook
Import the downloaded file via the Playbooks page on PPA
Build the playbook from the Edit & Build tab
Run the playbook from the Preview & Deploy tab

* Requires PPA v2.9.x or newer

Integrations

PPA User Interface
Hashicorp Vault Key-Value engine
Active Directory Users & Groups

Required Vault Details

Active Directory

IP/DNS address of a Domain Controller
Domain FQDN
Username
Password

The Active Directory credentials require permission to read user account information.

Vault Configuration Wizard

The first time you run a task built from this playbook, PPA will check the required Vault details exist.

If they don't exist, PPA will ask you to supply the details at the start of the task.

Below you can see a user providing details the first time they run an Active Directory task.

vault-config-wizard

Once the details are added to Vault, the task won't ask for them again.

If you don't know the required details, ask an administrator to run the task or configure Vault manually.

What the Task Does

Once started, this task will:

Find all users with a direct or nested membership to the domain admins group
Audit several account attributes & UAC flags for each user
Generate a report containing domain admin user statistics

See our other playbooks

Get PPA for free!

Start automating your estate with a free 30 day trial today. No signup required!

Get PPA Express

Documentation

Installation Guide
See how easy it is to get started with our installation guide
Playbooks
View our task writing reference guide
Plugins
See how to integrate with different systems using our plugins reference guide.