| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-243477 | CAT II | MONT-DC-003 | Active Directory Domain Security Technic... | User accounts with domain level administrative pri... | Documented Pending Review | | | |
Check Text
==========

Open "Windows PowerShell". Enter "Get-ADDomain | FL DomainMode" to determine the domain functional level.

Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").

Compare membership of the Protected Users group to membership of the following groups. By default, the groups are under the node referenced; however, it is possible to move those under "Users" to another location.

- Enterprise Admins (Users node)
- Domain Admins (Users node)
- Schema Admins (Users node)
- Administrators (Builtin node)
- Account Operators (Builtin node)
- Backup Operators (Builtin node)

It is recommended that one account be excluded to ensure availability if there are issues with Kerberos.

Excluding the account left out for availability, if all user accounts from the local domain that are members of the domain level groups above are not also members of the Protected Users group, this is a finding. ("User accounts" refers to accounts for personnel, not service accounts.)

Fix Text
========

Add user accounts from the local domain that are members of the domain level administrative groups listed below to the Protected Users group. One account may be excluded to ensure availability if there are issues with Kerberos.

- Enterprise Admins (Users node)
- Domain Admins (Users node)
- Schema Admins (Users node)
- Administrators (Builtin node)
- Account Operators (Builtin node)
- Backup Operators (Builtin node)

The use of the Protected Users group should be thoroughly tested before fully implementing.

Finding Details
===============

Evaluate-STIG 1.2507.5 (Scan-ActiveDirectoryDomain_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:

ResultHash: 314B6E5CF1F8B145CB057FCD5D58C475C8C3C370

Accounts are missing from 'Protected Users'. Only service accounts and one (1) user account with domain level administrative privileges may be excluded. Please confirm for compliance.
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_ADDomain_V3R5_20251023-171837.ckl
Scan Date: 2026-01-14T12:57:36.435963
Technology Area: Domain Name System