{"id":4941,"date":"2025-12-02T20:03:00","date_gmt":"2025-12-03T01:03:00","guid":{"rendered":"https:\/\/adsecurity.org\/?p=4941"},"modified":"2026-02-27T13:15:33","modified_gmt":"2026-02-27T18:15:33","slug":"active-directory-domain-permissions","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=4941","title":{"rendered":"Active Directory Security Tip #15: Active Directory Domain Root Permissions"},"content":{"rendered":"\n<p>This week let&#8217;s look at Active Directory domain permissions, which are configured on the domain root object and apply to the domain. There are many different types of concerning permissions, but let&#8217;s look at the most egregious: the ones that give a principal effective control of the domain without membership in any privileged group.<\/p>\n\n\n\n<!--more-->\n\n\n\n<ul class=\"wp-block-list\">\n<li>Replicating Directory Changes &amp; Replicating Directory Changes All &#8211; the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights. Held together, they provide the ability to request replication from a Domain Controller and pull the password hashes of every user and computer in the domain (the DCSync permissions). By default only Domain Controllers and the built-in administrative groups hold them; any other principal needs to be justified, with a directory synchronization account (such as the one used by Entra Connect) being the usual legitimate exception.<\/li>\n\n\n\n<li>Modify Owner (WriteOwner) &#8211; provides the ability to set the owner of the domain root object. Since the owner of an object can always modify its permissions, this is Modify Permissions one step removed.<\/li>\n\n\n\n<li>Modify Permissions (WriteDacl) &#8211; provides the ability to change the DACL on the domain root, so the holder can grant themselves (or anyone else) every other right in this list, including DCSync.<\/li>\n\n\n\n<li>Full Control (GenericAll) &#8211; when set to apply to this object and all descendant objects, provides the ability to control any type of object in the domain.<\/li>\n\n\n\n<li>Full Control on Users and\/or Computers &#8211; GenericAll scoped to descendant user or computer objects provides the ability to control every object of that type in the domain: reset any user&#8217;s password, add a service principal name, or write msDS-AllowedToActOnBehalfOfOtherIdentity on any computer. AdminSDHolder prevents the ACE from being inherited by protected accounts, but everything else is reachable.<\/li>\n<\/ul>\n\n\n\n<p>I wrote a PowerShell script leveraging the Active Directory PowerShell module that can help identify these permissions on the domain root: <a href=\"https:\/\/github.com\/PyroTek3\/ActiveDirectory\/blob\/main\/Get-DomainRootPermissions.ps1\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/github.com\/PyroTek3\/ActiveDirectory\/blob\/main\/Get-DomainRootPermissions.ps1<\/a><\/p>\n\n\n\n<p>For more on Active Directory permissions: <br><a href=\"https:\/\/t.co\/F0ydpgCE5D\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/hub.trimarcsecurity.com\/post\/trimarc-whitepaper-owner-or-pwnd<\/a> <br><a href=\"https:\/\/t.co\/vLp3BunQjK\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/specterops.io\/wp-content\/uploads\/sites\/3\/2022\/06\/an_ace_up_the_sleeve.pdf<\/a> <\/p>\n\n\n\n<p>For more on DCSync: <a href=\"https:\/\/t.co\/RQh4NnBq5c\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/adsecurity.org\/?p=1729<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This week let&#8217;s look at Active Directory domain permissions, which are configured on the domain root object and apply to the domain. There are many different types of concerning permissions, but let&#8217;s look at the most egregious.<\/p><p><a class=\"more-link btn\" href=\"https:\/\/adsecurity.org\/?p=4941\">Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[565,11,7],"tags":[20,1469,1552,1551],"class_list":["post-4941","post","type-post","status-publish","format-standard","hentry","category-activedirectorysecurity","category-microsoft-security","category-powershell","tag-activedirectory","tag-activedirectorysecuritytip","tag-adpermissions","tag-domain-root-permissions","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4941","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4941"}],"version-history":[{"count":4,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4941\/revisions"}],"predecessor-version":[{"id":4963,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4941\/revisions\/4963"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4941"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4941"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4941"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
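An added example of how the domain root permissions listed in the post can be enumerated with the Active Directory PowerShell module. This is not the Get-DomainRootPermissions.ps1 script the post links to; it is a separate illustration that reads the domain root ACL through the module's AD: drive and reports ACEs granting DCSync, WriteOwner, WriteDacl, and GenericAll (including GenericAll scoped to user or computer objects). The schema GUIDs are the standard Active Directory values; the function name Get-DomainRootRiskyAce and the $KnownGood list of expected principals are assumptions for a default domain and should be tuned for the environment being reviewed.

```powershell
# Added example (not the Get-DomainRootPermissions.ps1 script linked in the post).
# Reads the domain root ACL through the ActiveDirectory module's AD: drive and
# reports the ACEs the post calls out. Assumes RSAT / the AD module is installed
# and the session can reach a DC. $KnownGood is an assumed starting point for a
# default domain; tune it for your environment (e.g. a directory sync account).
Import-Module ActiveDirectory

# Schema GUIDs used to identify object-specific ACEs (standard AD values).
$ReplGetChanges         = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' # DS-Replication-Get-Changes
$ReplGetChangesAll      = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' # DS-Replication-Get-Changes-All
$ReplGetChangesFiltered = [guid]'89e95b76-444d-4c62-991a-0facbeda640c' # DS-Replication-Get-Changes-In-Filtered-Set
$UserClass              = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2' # user object class
$ComputerClass          = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2' # computer object class

function Get-DomainRootRiskyAce {
    [CmdletBinding()]
    param(
        [string]$DomainDN,      # defaults to the current domain's root
        [string[]]$KnownGood    # principals expected to hold these rights
    )
    $domain = Get-ADDomain
    if (-not $DomainDN) { $DomainDN = $domain.DistinguishedName }
    if (-not $KnownGood) {
        $nb = $domain.NetBIOSName
        $KnownGood = @(
            'NT AUTHORITY\SYSTEM',
            'BUILTIN\Administrators',
            'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
            "$nb\Domain Admins",
            "$nb\Enterprise Admins",   # only exists in the forest root domain
            "$nb\Domain Controllers",
            "$nb\Enterprise Read-only Domain Controllers"
        )
    }

    $acl = Get-Acl -Path "AD:\$DomainDN"

    # The owner can always rewrite the DACL, so an unexpected owner is as bad as WriteDacl.
    if ($KnownGood -notcontains $acl.Owner) {
        Write-Warning "Unexpected owner of ${DomainDN}: $($acl.Owner)"
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights  = $ace.ActiveDirectoryRights
        $reasons = @()

        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            # GenericAll limited by InheritedObjectType applies only to that class of descendants.
            if     ($ace.InheritedObjectType -eq $UserClass)     { $reasons += 'Full Control on user objects' }
            elseif ($ace.InheritedObjectType -eq $ComputerClass) { $reasons += 'Full Control on computer objects' }
            else                                                 { $reasons += 'Full Control' }
        }
        else {
            if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteOwner)) {
                $reasons += 'Modify Owner (WriteOwner)'
            }
            if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl)) {
                $reasons += 'Modify Permissions (WriteDacl)'
            }
            if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
                # ObjectType names the specific extended right; an empty GUID grants all of them.
                switch ($ace.ObjectType) {
                    $ReplGetChanges         { $reasons += 'Replicating Directory Changes' }
                    $ReplGetChangesAll      { $reasons += 'Replicating Directory Changes All' }
                    $ReplGetChangesFiltered { $reasons += 'Replicating Directory Changes In Filtered Set' }
                    ([guid]::Empty)         { $reasons += 'All extended rights (includes DCSync)' }
                }
            }
        }
        if ($reasons.Count -eq 0) { continue }

        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Why       = $reasons -join '; '
            Rights    = $rights
            AppliesTo = $ace.InheritanceType
            KnownGood = $KnownGood -contains $ace.IdentityReference.Value
        }
    }
}

# Unexpected principals only; drop the Where-Object to review the whole list.
Get-DomainRootRiskyAce | Where-Object { -not $_.KnownGood } | Format-Table -AutoSize
```

Two things to keep in mind when reading the output. An entry whose AppliesTo is Descendents is an inheritable ACE that does not apply to the root object itself; it is still worth reviewing (inherited Full Control on user objects is exactly the fifth item in the post), but it is a different finding from WriteDacl on the domain object. Second, the KnownGood match is by account name, so a principal that has been nested into an administrative group, or a group with a misleading name, will not be filtered out; treat the list as a triage aid, not as a whitelist.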