netwrix/pingcastle

Primary group ID change for Domain Controllers - false positive

Relkci opened this issue · 1 comment

Relkci commented

I have a case where Domain Controller computer accounts are getting flagged as having a changed primary group id.

It appears that Domain Controllers that have the default primary group ID 516 are reporting having a changed primary group ID if their parent does not contain "OU=Domain Controllers". It is possible that Domain Controllers would not be in a OU named Domain Controllers.

Steps to re-create:
Domain controller object in nested OU where DN does not contain "OU=Domain Controllers"

Expected Behavior
Domain Controller with primary group id 516 in any OU is not reported as having a changed/non-default primary group id.

Actual Behavior:
Domain controllers are marked as "Objects having the primary group attribute changed"

Possible correction:
An enabled DC should have UAC 532480, or specifically the 8192 bitflag (SERVER_TRUST_ACCOUNT)
532480 == TRUSTED_FOR_DELEGATION + SERVER_TRUST_ACCOUNT

Related Healthcheck.cs:
https://github.com/vletoux/pingcastle/blob/51412bf7ad13c861d78b95707f762403364af3a8/Healthcheck/Healthcheck.cs#L418
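As an added illustration of the correction proposed above (example code, not PingCastle's own implementation), the following compares the two ways of deciding whether a computer object's `primaryGroupID` is still the default: locating the object by its DN (the "OU=Domain Controllers" substring) versus inspecting the `userAccountControl` bits. The sample objects, their names and the RODC handling (`PARTIAL_SECRETS_ACCOUNT`, RID 521) are constructed assumptions that go beyond the issue text; the UAC values 8192, 524288 and 532480 are the ones the issue quotes.

```python
# Added example, not PingCastle code: decide whether an AD computer account's
# primaryGroupID is non-default by looking at userAccountControl instead of the DN.

# userAccountControl bit flags (values quoted in the issue; names per MS-ADTS).
SERVER_TRUST_ACCOUNT = 0x2000          # 8192: set on writable domain controllers
WORKSTATION_TRUST_ACCOUNT = 0x1000     # 4096: member servers, workstations, RODCs
TRUSTED_FOR_DELEGATION = 0x80000       # 524288: unconstrained delegation, default on DCs
PARTIAL_SECRETS_ACCOUNT = 0x04000000   # RODC marker (assumption, not in the issue)

# Well-known RIDs used as default primary groups.
RID_DOMAIN_COMPUTERS = 515
RID_DOMAIN_CONTROLLERS = 516
RID_RODC = 521                         # Read-only Domain Controllers (assumption)

DEFAULT_DC_UAC = TRUSTED_FOR_DELEGATION | SERVER_TRUST_ACCOUNT  # == 532480


def is_domain_controller(uac: int) -> bool:
    """A writable DC is identified by the SERVER_TRUST_ACCOUNT bit, wherever it lives."""
    return bool(uac & SERVER_TRUST_ACCOUNT)


def expected_primary_group(uac: int) -> int:
    """Default primaryGroupID implied by the account type encoded in UAC."""
    if uac & SERVER_TRUST_ACCOUNT:
        return RID_DOMAIN_CONTROLLERS
    if uac & PARTIAL_SECRETS_ACCOUNT:   # RODC: WORKSTATION_TRUST_ACCOUNT + partial secrets
        return RID_RODC
    return RID_DOMAIN_COMPUTERS


def dn_says_dc(dn: str) -> bool:
    """The DN-based heuristic the issue describes (case-insensitive substring match)."""
    return "OU=DOMAIN CONTROLLERS" in dn.upper()


def changed_by_dn(obj: dict) -> bool:
    """Flag when primaryGroupID differs from what the DN-based heuristic expects."""
    expected = RID_DOMAIN_CONTROLLERS if dn_says_dc(obj["dn"]) else RID_DOMAIN_COMPUTERS
    return obj["primaryGroupID"] != expected


def changed_by_uac(obj: dict) -> bool:
    """Flag when primaryGroupID differs from what the UAC account type expects."""
    return obj["primaryGroupID"] != expected_primary_group(obj["userAccountControl"])


# Constructed sample objects (not real directory data).
SAMPLE_OBJECTS = [
    # DC in the default OU: both checks agree it is fine.
    {"name": "DC01", "dn": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example",
     "userAccountControl": 532480, "primaryGroupID": 516},
    # DC moved into a nested OU: the DN heuristic raises the false positive from the issue.
    {"name": "DC02", "dn": "CN=DC02,OU=Tier0,OU=Servers,DC=corp,DC=example",
     "userAccountControl": 532480, "primaryGroupID": 516},
    # Genuine finding: a DC whose primary group was changed to Domain Computers.
    {"name": "DC03", "dn": "CN=DC03,OU=Domain Controllers,DC=corp,DC=example",
     "userAccountControl": 532480, "primaryGroupID": 515},
    # Genuine finding: a plain workstation given the Domain Controllers primary group.
    {"name": "WS01", "dn": "CN=WS01,OU=Workstations,DC=corp,DC=example",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT, "primaryGroupID": 516},
    # RODC with its default primary group: only the UAC-based check knows about 521.
    {"name": "RODC1", "dn": "CN=RODC1,OU=Domain Controllers,DC=corp,DC=example",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | PARTIAL_SECRETS_ACCOUNT,
     "primaryGroupID": 521},
]


def findings(objects, check) -> list:
    """Names of objects a given check would report, sorted for stable comparison."""
    return sorted(o["name"] for o in objects if check(o))


if __name__ == "__main__":
    print("DN-based :", findings(SAMPLE_OBJECTS, changed_by_dn))
    print("UAC-based:", findings(SAMPLE_OBJECTS, changed_by_uac))
```

Run directly, the DN-based check reports DC02 (the false positive) and misclassifies the RODC, while the UAC-based check reports only DC03 and WS01, the two objects whose primary group really does not match their account type.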

Yes, but because GPOs apply to OUs, this is the case for the special OU "Domain Controllers".
(The "Default Domain Controllers" GPO is hardcoded into MS-ADTS - GUID: {6AC1786C-016F-11D2-945F-00C04FB984F9}.)
We do not recommend having DCs outside of this OU.