Marc
Marc
Chadmcox has a great script here https://github.com/chadmcox/ADPoSh/blob/master/Privileged%20Objects/FindandFixADObjectswithStaleAdminSDHolder.ps1 This checks all users with Admin Count 1 and then cross references with the group memberships and shows the difference. Only thing is...
Ah okay. Yeah I saw the check in the script but the results made me a bit confused because it was showing all and not just the incorrect ones.
I seem to recall it showing ALL accounts with Admin Count 1 regardless of them belonging to a built in privileged group. That's what prompted me to explore it more...
Yeah that's what I thought it was supposed to do but the results that came back showed all accounts whether they really belonged to a priveleged group or not. It...
Oh I'm sorry I misunderstood. I thought it should only show me accounts with Admin Count set to 1 that do not belong to a privileged group. Yes it is...
Okay understood. Thank you so much for this! I've learned a bunch more ever since going over the results these past few days. Awesome work 👍
By the way, results came back and yes it's showing all accounts with AdminCount set to 1, not just orphaned.
It does show different results (the second command has a shorter list) and is looking at the IsMember column it appears. However, these accounts ARE members of privileged groups. I'm...
Yes precisely. Here's an example of what is shown (details are ficticious). Word wrap made it messy. DistinguishedName Domain IsMember Admincount AdminCountDate Whencreated ObjectClass GroupDomain GroupDistinguishedname ----------------- ------ -------- ----------...
Chad's version comes back with 1 group and 3 users but it does not show what the accounts are.