| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | | | |

Finding Details
Evaluate-STIG 1.2507.5 (Scan-ActiveDirectoryDomain_Checks) found this to be OPEN on 10/23/2025
ResultHash: 1852EDAFFD0549867EBD2E419B98256759732803

Members of 'Enterprise Admins'
Accounts and groups marked [FINDING] are the ones that cause the check to fail: an Enterprise Admins member that also belongs to Domain Admins, Schema Admins, Administrators or another administrator group.

Name: MONTFORD-POINT\Alexandra.M.Perl
    objectClass: user
    objectSID: S-1-5-21-1360995287-4027491577-3040029667-1160
    DistinguishedName: CN=Perl\, Alexandra M.\, CTR,OU=USERS,OU=MONTFORD-POINT,DC=MONTFORD-POINT,DC=navy,DC=mil
    OtherMemberOf: MONTFORD-POINT ALL HANDS; MONTFORD-POINT RADIO; MONTFORD-POINT LAN Management; MONTFORD-POINT EO

Name: MONTFORD-POINT\altucker.iaadmin [FINDING]
    objectClass: user
    objectSID: S-1-5-21-1360995287-4027491577-3040029667-1224
    DistinguishedName: CN=Tucker\, Adam L.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
    OtherMemberOf: Domain Administrator Group; Domain Admins [FINDING]; Remote Desktop Users

Name: MONTFORD-POINT\amperl.admin [FINDING]
    objectClass: user
    objectSID: S-1-5-21-1360995287-4027491577-3040029667-1638
    DistinguishedName: CN=ADMIN\, AMPerl,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
    OtherMemberOf: MONTFORD-POINT LAN Management; Member Server Administrator Group; Domain Administrator Group; Domain Admins [FINDING]; Remote Management Users

Name: MONTFORD-POINT\d.admin [FINDING]
    objectClass: user
    objectSID: S-1-5-21-1360995287-4027491577-3040029667-1104
    DistinguishedName: CN=D.Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
    OtherMemberOf: Member Server Administrator Group; Domain Administrator Group; Domain Admins [FINDING]; Schema Admins [FINDING]; Remote Management Users; Remote Desktop Users

Name: MONTFORD-POINT\jrsanders.iaadmin [FINDING]
    objectClass: user
    objectSID: S-1-5-21-1360995287-4027491577-3040029667-1253
    DistinguishedName: CN=Sanders\, James R.\, CTR,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
    OtherMemberOf: Member Server Administrator Group; Domain Administrator Group; Domain Admins [FINDING]; Remote Management Users; Remote Desktop Users

Name: MONTFORD-POINT\MONT-EM-Admin [FINDING]
    objectClass: user
    objectSID: S-1-5-21-1360995287-4027491577-3040029667-1157
    DistinguishedName: CN=MONT-EM-Admin,OU=SERVICE ACCOUNTS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
    OtherMemberOf: Domain Administrator Group; Domain Admins [FINDING]; Remote Desktop Users; Administrators [FINDING]

Name: MONTFORD-POINT\montford.exchange [FINDING]
    objectClass: user
    objectSID: S-1-5-21-1360995287-4027491577-3040029667-1118
    DistinguishedName: CN=Exchange Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
    OtherMemberOf: Organization Management; Schema Admins [FINDING]; Administrators [FINDING]

Name: MONTFORD-POINT\SHB_Admin [FINDING]
    objectClass: user
    objectSID: S-1-5-21-1360995287-4027491577-3040029667-500
    DistinguishedName: CN=SHB_Admin,CN=Users,DC=MONTFORD-POINT,DC=navy,DC=mil
    OtherMemberOf: Group Policy Creator Owners; Domain Admins [FINDING]; Schema Admins [FINDING]; Administrators [FINDING]

Name: MONTFORD-POINT\Thomas.L.Jones
    objectClass: user
    objectSID: S-1-5-21-1360995287-4027491577-3040029667-1176
    DistinguishedName: CN=Jones\, Thomas L.\, CTR,OU=USERS,OU=MONTFORD-POINT,DC=MONTFORD-POINT,DC=navy,DC=mil
    OtherMemberOf: MONTFORD-POINT ENG; MONTFORD-POINT ALL HANDS; MONTFORD-POINT RADIO; MONTFORD-POINT LAN Management; MONTFORD-POINT EO

Name: MONTFORD-POINT\TLJones.Admin [FINDING]
    objectClass: user
    objectSID: S-1-5-21-1360995287-4027491577-3040029667-1250
    DistinguishedName: CN=Jones\, Thomas L.\, Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
    OtherMemberOf: MONTFORD-POINT LAN Management; Member Server Administrator Group; Domain Administrator Group; Domain Admins [FINDING]; Remote Management Users

Comments
(none recorded)
Check Text
Review the Enterprise Admins group in Active Directory Users and Computers. Any accounts that are members of the Enterprise Admins group must be documented with the IAO. Each Enterprise Administrator must have a separate unique account specifically for managing the Active Directory forest. If any account listed in the Enterprise Admins group is a member of other administrator groups including the Domain Admins group, domain member server administrators groups, or domain workstation administrators groups, this is a finding.
Fix Text
Create the necessary documentation that identifies the members of the Enterprise Admins group. Ensure that each member has a separate unique account that can only be used to manage the Active Directory Forest. Remove any Enterprise Admin accounts from other administrator groups.