| Hostname | IP Address | Status | Assigned To | Last Scan | Actions |
|---|---|---|---|---|---|
| MONT-DC-003 | 164.231.187.34 | 2026-01-14 | |||

Finding Details
Evaluate-STIG 1.2507.5 (Scan-ActiveDirectoryForest_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:

ResultHash: 909250FAC5A80BC1161A07D6B15B371F54411F1B ~~~~~ =========================

Name: MONTFORD-POINT\SHB_Admin
objectClass: user
objectSID: S-1-5-21-1360995287-4027491577-3040029667-500
DistinguishedName: CN=SHB_Admin,CN=Users,DC=MONTFORD-POINT,DC=navy,DC=mil

Name: MONTFORD-POINT\d.admin
objectClass: user
objectSID: S-1-5-21-1360995287-4027491577-3040029667-1104
DistinguishedName: CN=D.Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil

Name: MONTFORD-POINT\montford.exchange
objectClass: user
objectSID: S-1-5-21-1360995287-4027491577-3040029667-1118
DistinguishedName: CN=Exchange Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil

Name: MONTFORD-POINT\MONTFORD-POINT LAN Management
objectClass: group
objectSID: S-1-5-21-1360995287-4027491577-3040029667-1193
DistinguishedName: CN=MONTFORD-POINT LAN Management,OU=GROUPS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil

Name: MONTFORD-POINT\MONTFORD-POINT Techs
objectClass: group
objectSID: S-1-5-21-1360995287-4027491577-3040029667-1194
DistinguishedName: CN=MONTFORD-POINT Techs,OU=GROUPS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil

Comments

Check Text
Open "Active Directory Users and Computers" on a domain controller in the forest root domain. Navigate to the "Users" container. Right-click on "Schema Admins" and select "Properties", and then select the "Members" tab. If any accounts other than the built-in Administrators group are members, verify their necessity with the ISSO. If any accounts are members of the group when schema changes are not being made, this is a finding.
Fix Text
Limit membership in the Schema Admins group to only those accounts necessary during a schema update. Remove accounts when the updates are complete. Document accounts necessary during schema updates with the ISSO.