| Vuln ID | Severity | Asset | STIG | Title | Status | Doc Status | Assigned To | Actions |
|---|---|---|---|---|---|---|---|---|
| V-243502 | CAT II | MONT-DC-003 | Active Directory Forest Security Technic... | Membership to the Schema Admins group must be limi... | Documented Pending Review | |||
**Check Text:** Open "Active Directory Users and Computers" on a domain controller in the forest root domain. Navigate to the "Users" container. Right-click on "Schema Admins" and select "Properties", and then select the "Members" tab. If any accounts other than the built-in Administrators group are members, verify their necessity with the ISSO. If any accounts are members of the group when schema changes are not being made, this is a finding.

**Fix Text:** Limit membership in the Schema Admins group to only those accounts necessary during a schema update. Remove accounts when the updates are complete. Document accounts necessary during schema updates with the ISSO.

**Finding Details:** Evaluate-STIG 1.2507.5 (Scan-ActiveDirectoryForest_Checks) was unable to determine a Status but found the below configuration on 10/23/2025:

ResultHash: 909250FAC5A80BC1161A07D6B15B371F54411F1B

```text
Name: MONTFORD-POINT\SHB_Admin
objectClass: user
objectSID: S-1-5-21-1360995287-4027491577-3040029667-500
DistinguishedName: CN=SHB_Admin,CN=Users,DC=MONTFORD-POINT,DC=navy,DC=mil

Name: MONTFORD-POINT\d.admin
objectClass: user
objectSID: S-1-5-21-1360995287-4027491577-3040029667-1104
DistinguishedName: CN=D.Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil

Name: MONTFORD-POINT\montford.exchange
objectClass: user
objectSID: S-1-5-21-1360995287-4027491577-3040029667-1118
DistinguishedName: CN=Exchange Admin,OU=USERS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil

Name: MONTFORD-POINT\MONTFORD-POINT LAN Management
objectClass: group
objectSID: S-1-5-21-1360995287-4027491577-3040029667-1193
DistinguishedName: CN=MONTFORD-POINT LAN Management,OU=GROUPS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil

Name: MONTFORD-POINT\MONTFORD-POINT Techs
objectClass: group
objectSID: S-1-5-21-1360995287-4027491577-3040029667-1194
DistinguishedName: CN=MONTFORD-POINT Techs,OU=GROUPS,OU=MONTFORD-POINT SUPPORT,DC=MONTFORD-POINT,DC=navy,DC=mil
```
Source: _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_ADForest_V3R2_20251023-171845.ckl
Scan Date: 2026-01-14T12:57:36.607366
Technology Area: Domain Name System