| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-224974 | CAT I | MONT-VSF-004 | Microsoft Windows Server 2016 Security T... | Domain-created Active Directory Organizational Uni... | - | |||
Check Text:

This applies to domain controllers. It is NA for other systems.

Review the permissions on domain-defined OUs.

Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").

Ensure "Advanced Features" is selected in the "View" menu.

For each OU that is defined (folder in folder icon) excluding the Domain Controllers OU:

Right-click the OU and select "Properties".

Select the "Security" tab.

If the permissions on the OU are not at least as restrictive as those below, this is a finding.

The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "Edit" or "View" button.

Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement.

- CREATOR OWNER - Special permissions
- Self - Special permissions
- Authenticated Users - Read, Special permissions

The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

- SYSTEM - Full Control
- Domain Admins - Full Control
- Enterprise Admins - Full Control
- Key Admins - Special permissions
- Enterprise Key Admins - Special permissions
- Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
- Pre-Windows 2000 Compatible Access - Special permissions

The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.

- ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

If an ISSO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the ISSO.

If any OU with improper permissions includes identification or authentication data (e.g., accounts, passwords, or password hash data) used by systems to determine access control, the severity is CAT I (e.g., OUs that include user accounts, including service/application accounts).

If an OU with improper permissions does not include identification and authentication data used by systems to determine access control, the severity is CAT II (e.g., Workstation, Printer OUs).

Fix Text:

Maintain the permissions on domain-defined OUs to be at least as restrictive as the defaults below.

Document any additional permissions above Read with the ISSO if an approved distributed administration model (help desk or other user support staff) is implemented.

- CREATOR OWNER - Special permissions
- Self - Special permissions
- Authenticated Users - Read, Special permissions

The special permissions for Authenticated Users are Read type.

- SYSTEM - Full Control
- Domain Admins - Full Control
- Enterprise Admins - Full Control
- Key Admins - Special permissions
- Enterprise Key Admins - Special permissions
- Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
- Pre-Windows 2000 Compatible Access - Special permissions

The special permissions for Pre-Windows 2000 Compatible Access are for Read types.

- ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

Finding Details:

Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025

ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E

System is a 'Member Server' so this requirement is NA.

Source: _Reviewed/MONT-VSF-004/Checklist/MONT-VSF-004_WinServer2016_V2R10_20251023-143909.ckl
Scan Date: 2026-01-14T12:57:30.046447
Technology Area: Windows Operating System
| V-224974 | CAT I | MONT-VSF-003 | Microsoft Windows Server 2016 Security T... | Domain-created Active Directory Organizational Uni... | - | |||
Finding Details:

Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025

ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E

System is a 'Member Server' so this requirement is NA.

Source: _Reviewed/MONT-VSF-003/Checklist/MONT-VSF-003_WinServer2016_V2R10_20251023-143935.ckl
Scan Date: 2026-01-14T12:57:31.534241
Technology Area: Windows Operating System
| V-224974 | CAT I | MONT-MB-002 | Microsoft Windows Server 2016 Security T... | Domain-created Active Directory Organizational Uni... | - | |||
Finding Details:

Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025

ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E

System is a 'Member Server' so this requirement is NA.

Source: _Reviewed/MONT-MB-002/Checklist/MONT-MB-002_WinServer2016_V2R10_20251023-152736.ckl
Scan Date: 2026-01-14T12:57:33.842838
Technology Area: Windows Operating System
| V-224974 | CAT I | MONT-DP-001 | Microsoft Windows Server 2016 Security T... | Domain-created Active Directory Organizational Uni... | - | |||
Finding Details:

Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025

ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E

System is a 'Member Server' so this requirement is NA.

Source: _Reviewed/MONT-DP-001/Checklist/MONT-DP-001_WinServer2016_V2R10_20251023-144106.ckl
Scan Date: 2026-01-14T12:57:35.637816
Technology Area: Windows Operating System
| V-224974 | CAT I | MONT-DC-003 | Microsoft Windows Server 2016 Security T... | Domain-created Active Directory Organizational Uni... | - | |||
Finding Details:

Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:

ResultHash: D7A161EFD64DBDC717E086EA4DB84B3724C238CF
CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : CreateChild AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : DeleteTree AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : ExtendedRight AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : Delete AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : Delete, WriteDacl AccessControlType : Allow IdentityReference : MONTFORD-POINT\Key Admins ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT 
AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : NT AUTHORITY\NETWORK SERVICE ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : Self AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : ReadProperty, WriteProperty, ExtendedRight AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM ActiveDirectoryRights : GenericAll AccessControlType : Allow --------------------- OU Name : GALSYNC OU DN : OU=GALSYNC,DC=MONTFORD-POINT,DC=navy,DC=mil --------------------- IdentityReference : BUILTIN\Account Operators ActiveDirectoryRights : CreateChild, DeleteChild AccessControlType : Allow IdentityReference : BUILTIN\Administrators ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : ListChildren AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : BUILTIN\Print Operators ActiveDirectoryRights : CreateChild, DeleteChild AccessControlType : Allow IdentityReference : CREATOR OWNER ActiveDirectoryRights : Self AccessControlType : Allow IdentityReference : Everyone ActiveDirectoryRights : DeleteTree, Delete AccessControlType : Deny IdentityReference : MONTFORD-POINT\Delegated Setup ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : 
MONTFORD-POINT\Domain Admins ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Enterprise Admins ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Enterprise Key Admins ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : CreateChild AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : DeleteTree AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : ExtendedRight AccessControlType : Allow IdentityReference : 
MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : Delete AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : Delete, WriteDacl AccessControlType : Allow IdentityReference : MONTFORD-POINT\Key Admins ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\Authenticated Users ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : NT AUTHORITY\NETWORK SERVICE ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : Self AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : NT AUTHORITY\SELF ActiveDirectoryRights : ReadProperty, WriteProperty, ExtendedRight AccessControlType : Allow IdentityReference : NT AUTHORITY\SYSTEM ActiveDirectoryRights : GenericAll AccessControlType : Allow --------------------- OU Name : MEMBER SERVERS OU DN : OU=MEMBER SERVERS,DC=MONTFORD-POINT,DC=navy,DC=mil --------------------- 
IdentityReference : BUILTIN\Account Operators ActiveDirectoryRights : CreateChild, DeleteChild AccessControlType : Allow IdentityReference : BUILTIN\Administrators ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : ListChildren AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : BUILTIN\Pre-Windows 2000 Compatible Access ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : BUILTIN\Print Operators ActiveDirectoryRights : CreateChild, DeleteChild AccessControlType : Allow IdentityReference : CREATOR OWNER ActiveDirectoryRights : Self AccessControlType : Allow IdentityReference : Everyone ActiveDirectoryRights : DeleteTree, Delete AccessControlType : Deny IdentityReference : MONTFORD-POINT\Delegated Setup ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Domain Admins ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Enterprise Admins ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Enterprise Key Admins ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : ReadProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Servers ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject 
AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : CreateChild, DeleteChild, ListChildren, ReadProperty, WriteProperty, ListObject AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Trusted Subsystem ActiveDirectoryRights : GenericAll AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : CreateChild AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : DeleteTree AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : ExtendedRight AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : Delete AccessControlType : Allow IdentityReference : MONTFORD-POINT\Exchange Windows Permissions ActiveDirectoryRights : Delete, WriteDacl AccessControlType : Allow IdentityReference : MONTFORD-POINT\Key Admins ActiveDirectoryRights : ReadProperty, WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : WriteProperty AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : GenericRead AccessControlType : Allow IdentityReference : MONTFORD-POINT\Organization Management ActiveDirectoryRights : GenericAll AccessControlType ---truncated results. met character limit---
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServer2016_V2R10_20251023-172220.ckl
Scan Date: 2026-01-14T12:57:37.248886
Technology Area: Windows Operating System
| V-224974 | CAT I | MONT-DB-002 | Microsoft Windows Server 2016 Security T... | Domain-created Active Directory Organizational Uni... | - | |||
Check Text: This applies to domain controllers. It is NA for other systems.

Review the permissions on domain-defined OUs. Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc"). Ensure "Advanced Features" is selected in the "View" menu.

For each OU that is defined (folder in folder icon) excluding the Domain Controllers OU: Right-click the OU and select "Properties". Select the "Security" tab.

If the permissions on the OU are not at least as restrictive as those below, this is a finding.

The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "Edit" or "View" button. Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement.

- CREATOR OWNER - Special permissions
- Self - Special permissions
- Authenticated Users - Read, Special permissions. The Special permissions for Authenticated Users are Read type. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.
- SYSTEM - Full Control
- Domain Admins - Full Control
- Enterprise Admins - Full Control
- Key Admins - Special permissions
- Enterprise Key Admins - Special permissions
- Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
- Pre-Windows 2000 Compatible Access - Special permissions. The Special permissions for Pre-Windows 2000 Compatible Access are for Read types. If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.
- ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

If an ISSO-approved distributed administration model (help desk or other user support staff) is implemented, permissions above Read may be allowed for groups documented by the ISSO.

If any OU with improper permissions includes identification or authentication data (e.g., accounts, passwords, or password hash data) used by systems to determine access control, the severity is CAT I (e.g., OUs that include user accounts, including service/application accounts). If an OU with improper permissions does not include identification and authentication data used by systems to determine access control, the severity is CAT II (e.g., Workstation, Printer OUs).

Fix Text: Maintain the permissions on domain-defined OUs to be at least as restrictive as the defaults below. Document any additional permissions above Read with the ISSO if an approved distributed administration model (help desk or other user support staff) is implemented.

- CREATOR OWNER - Special permissions
- Self - Special permissions
- Authenticated Users - Read, Special permissions. The special permissions for Authenticated Users are Read type.
- SYSTEM - Full Control
- Domain Admins - Full Control
- Enterprise Admins - Full Control
- Key Admins - Special permissions
- Enterprise Key Admins - Special permissions
- Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
- Pre-Windows 2000 Compatible Access - Special permissions. The special permissions for Pre-Windows 2000 Compatible Access are for Read types.
- ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions

Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-DB-002/Checklist/MONT-DB-002_WinServer2016_V2R10_20251023-144132.ckl
Scan Date: 2026-01-14T12:57:39.082634
Technology Area: Windows Operating System
| V-224974 | CAT I | MONT-BE-002 | Microsoft Windows Server 2016 Security T... | Domain-created Active Directory Organizational Uni... | - | |||
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_WinServer2016_V2R10_20251023-143943.ckl
Scan Date: 2026-01-14T12:57:41.363810
Technology Area: Windows Operating System
| V-224974 | CAT I | MONT-AP-002 | Microsoft Windows Server 2016 Security T... | Domain-created Active Directory Organizational Uni... | - | |||
Finding Details: Evaluate-STIG 1.2507.5 (Scan-WindowsServer2016_Checks) found this to be NOT APPLICABLE on 10/23/2025 ResultHash: F7DE991FB49346C9EC2F2DEEB9D564F37D7ACC9E ~~~~~ System is a 'Member Server' so this requirement is NA.
Source: _Reviewed/MONT-AP-002/Checklist/MONT-AP-002_WinServer2016_V2R10_20251023-144214.ckl
Scan Date: 2026-01-14T12:57:42.721079
Technology Area: Windows Operating System