Is Your Active Directory Vulnerable? Discover the Proven Cleanup-AdminCount Script to Fix Dangerous Orphaned Admin Rights
What Is the Cleanup-AdminCount PowerShell Script?
The Cleanup-AdminCount PowerShell script, developed by Mark Heitbrink, is a tool for Windows system administrators who want to keep an Active Directory (AD) environment secure and healthy. Its primary function is to identify and repair orphaned administrator accounts, that is, accounts that still carry the protection markers of elevated privilege but are no longer members of any protected group, thereby reducing security risk and administrative clutter.
Why Are Orphaned Admin Accounts a Problem?
Orphaned admin accounts usually result from group membership changes: a user is removed from a protected group, but the AdminCount attribute that the AdminSDHolder process (SDProp) stamped on the account stays set to 1. Such accounts also keep the ACL that SDProp copied from the AdminSDHolder object, with inheritance disabled, so permission changes made higher in the OU tree never reach them and they may retain unnecessary or excessive permissions. Left unchecked, these accounts are a real security weakness, because an attacker looking for privileged access will treat an AdminCount=1 account as a likely high-value target.
Key Features and Benefits of the Script
- Language-Independent: The script works seamlessly in any language environment, making it suitable for global organizations.
- Removes Orphaned AdminCounts: It scans for user objects in AD with the AdminCount attribute set, checks their current group memberships, and clears the attribute if they are no longer in protected groups.
- Enables ACL Inheritance: The script re-enables ACL inheritance for affected accounts, ensuring they receive the correct permissions from their parent objects.
- Repairs User Accounts: It fixes user accounts that were previously protected by the AdminSDHolder process but no longer require such protection.
- Uses Well-Known SIDs: Instead of relying on display names (which can vary by language), the script uses well-known Security Identifiers (SIDs) to accurately identify protected groups.
- Open Source & MIT Licensed: Freely available on GitHub, allowing customization and integration into existing workflows.
How Does the Script Work?
The script identifies all user accounts with the AdminCount attribute set to 1. It compares these accounts against current members of protected groups (such as Domain Admins, Enterprise Admins, etc.). Accounts with AdminCount=1 but not in any protected groups are flagged as orphaned. For each orphaned account, the script resets the AdminCount attribute to 0 and enables ACL inheritance, restoring standard permission propagation.
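The following is an added illustration of that workflow, written for this page and not taken from Mark Heitbrink's script: it resolves the protected groups by well-known SID (so it works regardless of display language), collects their nested members, flags every AdminCount=1 user that is not among them, and then clears the attribute and re-enables ACL inheritance. It assumes the ActiveDirectory module (RSAT) is installed, that it runs in the forest root domain with rights to modify the affected users, and the function names are the example's own.

```powershell
# Added example, not the Cleanup-AdminCount script itself.
# Assumes: ActiveDirectory module loaded, run in the forest root domain,
# caller may modify the affected user objects.
Import-Module ActiveDirectory

function Get-OrphanedAdminCountUser {
    $domainSid = (Get-ADDomain).DomainSID.Value
    # Protected groups by well-known SID, not by (localized) name.
    $protectedSids = @(
        'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549',   # Administrators, Account Ops, Server Ops
        'S-1-5-32-550', 'S-1-5-32-551', 'S-1-5-32-552',   # Print Ops, Backup Ops, Replicator
        "$domainSid-512", "$domainSid-516", "$domainSid-521", # Domain Admins, DCs, RODCs
        "$domainSid-518", "$domainSid-519"                  # Schema Admins, Enterprise Admins (root domain)
    )
    # Every nested member of every protected group, keyed by objectGUID.
    $protectedMembers = @{}
    foreach ($sid in $protectedSids) {
        $group = Get-ADGroup -Identity $sid -ErrorAction SilentlyContinue
        if (-not $group) { continue }   # e.g. group not present in this domain
        Get-ADGroupMember -Identity $group -Recursive |
            ForEach-Object { $protectedMembers[$_.ObjectGUID.ToString()] = $true }
    }
    # Users still stamped adminCount=1 but absent from every protected group are orphaned.
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount |
        Where-Object { -not $protectedMembers.ContainsKey($_.ObjectGUID.ToString()) }
}

function Repair-OrphanedAdminCountUser {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(ValueFromPipeline)] $User)
    process {
        $target = $User.DistinguishedName
        if ($PSCmdlet.ShouldProcess($target, 'Clear adminCount and enable ACL inheritance')) {
            Set-ADUser -Identity $User -Clear adminCount
            $path = "AD:\$target"
            $acl = Get-Acl -Path $path
            # $false: stop protecting the DACL from inheritance; $true: keep existing explicit ACEs.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Dry run first (matches the "test first" advice below); drop -WhatIf to apply.
Get-OrphanedAdminCountUser | Repair-OrphanedAdminCountUser -WhatIf
```

Note that SDProp re-stamps any account that is (still) a member of a protected group, so an account that keeps reappearing in the orphan list is a sign of a nested membership this check missed, not of a failed repair.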
Why Should Administrators Use This Script?
- Enhances Security: By removing unnecessary admin privileges, the script helps close potential attack vectors.
- Simplifies Management: Automated cleanup reduces manual effort and administrative errors.
- Ensures Compliance: Keeps your AD environment aligned with security best practices and audit requirements.
Quick Implementation Steps
- Download the script from Mark Heitbrink’s GitHub repository (licensed under MIT).
- Review the documentation for usage instructions and parameter details.
- Run the script in your AD environment, ideally first in a test or staging environment.
- Review the output and confirm changes as needed.
The Cleanup-AdminCount PowerShell script is a vital tool for any Windows administrator seeking to maintain a secure, efficient, and compliant Active Directory. By automating the detection and correction of orphaned admin accounts, it helps you proactively safeguard your organization’s most critical assets.