Learn about pseudo domain admins and how to mitigate this type of identity-related risk.

Pseudo domain admins are user accounts that do not belong to privileged Active Directory admin groups but hold domain administration privileges equivalent to membership in those groups. These accounts acquire the privileges indirectly through misconfigured Active Directory access control lists. Their existence poses a potential risk to your environment.

To mitigate the risk of pseudo domain admins, Trend Micro recommends:
  • Remove pseudo domain admins from any relevant groups that grant sensitive privileges.
  • If there are multiple relationships between a pseudo domain admin and a genuine domain admin, start by deleting the relationships that are closer to the genuine domain admin.
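
The following is an added example, not Trend Micro code: it models the relationships described above as a small graph, finds the accounts that reach the admin group without belonging to it, and orders each account's relationships so that those closest to the genuine domain admin come first. The account names, the relationship list, and the function names are constructed for illustration; `MemberOf`, `WriteDacl`, and `GenericAll` are used only as labels for the relationship type.

```python
from collections import deque

# Constructed sample data, not from a real directory. Each tuple reads
# (principal, relationship, target): the principal controls the target.
ADMIN_GROUP = "Domain Admins"
USERS = {"alice.admin", "svc-backup", "bob", "carol"}
RELATIONSHIPS = [
    ("alice.admin", "MemberOf", "Domain Admins"),   # genuine admin
    ("svc-backup", "WriteDacl", "Domain Admins"),   # misconfigured ACL entry
    ("helpdesk-ops", "GenericAll", "svc-backup"),
    ("bob", "MemberOf", "helpdesk-ops"),
    ("bob", "GenericAll", "alice.admin"),
    ("carol", "MemberOf", "staff"),                 # no path to an admin
]

def distance_to_admin(rels):
    """Hops from each principal to the nearest genuine admin object (reverse BFS)."""
    genuine = {s for s, r, t in rels if r == "MemberOf" and t == ADMIN_GROUP}
    dist = {p: 0 for p in genuine | {ADMIN_GROUP}}
    queue = deque(dist)
    while queue:
        node = queue.popleft()
        for s, _, t in rels:
            if t == node and s not in dist:
                dist[s] = dist[node] + 1
                queue.append(s)
    return dist

def pseudo_domain_admins(rels, users):
    """Users outside the admin group that still have a path to it."""
    dist = distance_to_admin(rels)
    return sorted(u for u in users if dist.get(u, 0) > 0)

def removal_order(rels, account):
    """Relationships tying `account` to a genuine admin, closest to the admin first."""
    dist = distance_to_admin(rels)
    seen, queue = {account}, deque([account])
    while queue:
        node = queue.popleft()
        if dist.get(node, 0) == 0:      # stop at genuine admin objects
            continue
        for s, _, t in rels:
            if s == node and t in dist and t not in seen:
                seen.add(t)
                queue.append(t)
    edges = [e for e in rels if e[0] in seen and dist.get(e[0], 0) > 0 and e[2] in dist]
    return sorted(edges, key=lambda e: (dist[e[2]], e))

if __name__ == "__main__":
    for user in pseudo_domain_admins(RELATIONSHIPS, USERS):
        print(user, removal_order(RELATIONSHIPS, user))
```

For `bob`, the two relationships that touch a genuine admin object directly are listed before the group membership that starts the longer chain.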