About adminCount
noraj opened this issue · 0 comments
noraj commented
Users who have `AdminCount=1` are not necessarily domain admins (DA).
Lines 279 to 282 in fbbe14d
So this section should probably be renamed `Privileged domain accounts`.
The following table lists Active Directory’s default protected object sets, including the groups that may induce an update of the AdminCount attribute on its members:
It would be nice to do another query to find DA only. You can filter the DA group with `(&(objectclass=group)(CN=Domain Admins))` and then get all users `(&(objectclass=user)(MemberOf=$($_.DistinguishedName)))` from that group.
Ref.
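
An added example, not part of the issue or of the project's code: an audit query that lists every `adminCount=1` user and marks which of them are actually in Domain Admins, using the two filters quoted above. It assumes the ActiveDirectory (RSAT) PowerShell module on a domain-joined host; `ConvertTo-LdapFilterValue` and the `-Nested` switch are hypothetical names introduced here.

```powershell
# Added example. Assumes the ActiveDirectory (RSAT) module and a domain-joined host.
param([switch]$Nested)   # hypothetical switch: also follow nested group membership
Import-Module ActiveDirectory

# Escape a value for use inside an LDAP filter (RFC 4515). A DN may contain
# '\', '*', '(' or ')', which would otherwise break or alter the filter.
function ConvertTo-LdapFilterValue {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Value)
    # Backslash must be replaced first so later escapes are not double-escaped.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

# 1. Every user flagged adminCount=1. The attribute is not cleared when an
#    account leaves a protected group, so this set is wider than "DA today".
$flagged = Get-ADUser -LDAPFilter '(&(objectclass=user)(adminCount=1))'

# 2. Domain Admins only: find the group, then the users whose memberOf is its DN.
$domainAdmins = Get-ADGroup -LDAPFilter '(&(objectclass=group)(CN=Domain Admins))' |
    ForEach-Object {
        $dn = ConvertTo-LdapFilterValue $_.DistinguishedName
        if ($Nested) {
            # LDAP_MATCHING_RULE_IN_CHAIN also resolves membership via nested groups.
            $member = "(memberOf:1.2.840.113556.1.4.1941:=$dn)"
        } else {
            # Direct members only, as in the filter quoted in the issue.
            $member = "(memberOf=$dn)"
        }
        Get-ADUser -LDAPFilter "(&(objectclass=user)$member)"
    }

# 3. Report: which adminCount=1 accounts are Domain Admins and which are not.
$daDns = @($domainAdmins | Select-Object -ExpandProperty DistinguishedName)
$flagged |
    Select-Object SamAccountName,
        @{ Name = 'IsDomainAdmin'; Expression = { $daDns -contains $_.DistinguishedName } } |
    Sort-Object IsDomainAdmin, SamAccountName |
    Format-Table -AutoSize
```

`memberOf` does not include an account's primary group, so a user whose primary group is Domain Admins would need a separate `primaryGroupID` check.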