Active Directory Least Privileges

Owned by Ryan Seymour
Last updated: May 06, 2024
4 min read

"Active Directory Least Privileges" is a term used to describe the practice of providing users with the minimum level of access rights necessary to perform their job duties within the Active Directory network. This approach helps to reduce the risk of security breaches and protects sensitive data by limiting access to only those who require it.

Overview

This document details the minimum rights and privileges required for configuring the specific components for Auditing and the steps required to complete the configuration for a successful setup.

Minimum Rights Required

  1. A Domain User Account.

  2. This account should be a member of the “Event Log Readers” group inside AD.

  3. This account should be a member of the local “Administrators” Group.

Setting up the Account Privileges

User Creation

  1. Within the Active Directory Users and Computers, generate a new user account in the Users folder located inside the domain selected. e.g ad.mycybercns.com.

  • Please complete all the required fields, including First Name, Last Name, and User Logon Name, and then click Next.

  • Set your password, confirm it by re-entering, and then proceed by clicking Next. Select the required settings to set a password for the user, e.g. User must change the password at the next logon.

  • A new user will be created upon clicking the Finish button, as demonstrated in the image below.

  • To edit the properties of the newly created user, right-click on the created user's profile and select Properties, as shown below. This could be used to add users to be a member of different groups.

  • To add the created user to a new group, click on the Add button within the Member Of section.

  • To make this user a part of Event log readers gr oup, please choose the Event Log Readers group from the list to read the generated event logs, and then click OK.

  • The Event Log Readers group will be added to the Member Of section along with domain user for the created user as illustrated below.

Manual Method

  • The created user is to be added to multiple systems on the network so Probe Agent will use these credentials to login to remote systems and scan them successfully. Below is to be run on all the systems which are to be scanned using Probe Agent.

  • To enable remote admin share (admin$) access, you'll need to ensure that the user is a member of the local "Administrators" group. This group has the necessary privileges to access admin shares remotely.

  • On the target system, type MMC in the Run panel and click OK to add this user for local users and groups snap in.

  • Click on Add/Remove Snap-ins in File menu.

  • Select Local Users and Groups from the dropdown menu in the available snap-ins section and then Click OK.

  • Choose the computer for this snap-in management, and select Local computer or any other computer. You can only select one computer at a time.

  • Select local computer or another computer from the list and click OK.

  • Enter the name of the computer and click Finish.

  • Then it will prompt to the Groups page.

  • Select Administrators and please right-click on Administrators to select Properties.

  • Click on Add in General. Please enter the object name (email) that was used during the user's initial creation then click OK.

  • This will help set the created user as a local administrator on that system.

 

Automated Method

  • The created user is a part of the local administrator group of the systems. To run this using an automated method/PowerShell script, use the below PowerShell script.

  • Please change the domain and user names shown as examples in the Powershell script.

Once the User is created, the below script will help create the User’s properties on all the targeted machines.

This completes the Active Directory Least Privileges document.