Who are shadow admins?
Shadow admins are those users who are not members of any administrative group but still have sensitive privileges like full control or have been delegated sensitive tasks like reset password, change permission, change the properties of a user, full control access, etc.

How does a shadow admin gain additional privileges and why should you be concerned?
These privileges were probably assigned to the users for a specific need, reason or project, but have not been revoked; might have inherited these permissions from any group that they belong to, or might have even been assigned inadvertently and can be used to gain access to other privileged accounts and resources. This could compromise the security of the organization as a whole.

How can you identify and remove shadow admins?
This can be solved by constant vigilance and monitoring of Active Directory user account permissions and privilege access management practices. While manually sifting through the permissions of every user in an organization is a gruelling task, ADManager makes this simple with pre-defined object specific reports that can be generated, exported and scheduled without scripting.

How to view the permissions that a user or a group has over other objects?

1. Logon to ADManager Plus.


2. Navigate to Reports > Security Reports > AD Objects accessible by Accounts


3. Select the domain and the groups or the users you wish to view the permissions for.


4. Select 'Any Permission' to view all the permissions that the user might have.


5. Click Generate.

Note:

1. If you want to schedule this report to be sent to the manager or security team's mailbox, you can do so by clicking the Schedule Reports button on the top right corner of the page.


2. You can also export this report as a PDF, HTML, CSV, CSVDE or XSLX file by clicking the Export Report button.

Tune in next week for another article to help you manage your AD better.

Cheers,

Team ADManager Plus.