V-224973
CAT IThe Active Directory Domain Controllers Organizational Unit (OU) object must have the proper access control permissions.
- Ships Affected
- 1
- Total Findings
- 8
- Open
- 0
- Closed
- 0
Check Text
This applies to domain controllers. It is NA for other systems.
Review the permissions on the Domain Controllers OU.
Open "Active Directory Users and Computers" (available from various menus or run "dsa.msc").
Select "Advanced Features" in the "View" menu if not previously selected.
Select the "Domain Controllers" OU (folder in folder icon).
Right-click and select "Properties".
Select the "Security" tab.
If the permissions on the Domain Controllers OU do not restrict changes to System, Domain Admins, Enterprise Admins and Administrators, this is a finding.
The default permissions listed below satisfy this requirement.
Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions and are not a finding.
The permissions shown are at the summary level. More detailed permissions can be viewed by selecting the "Advanced" button, the desired Permission entry, and the "View" or "Edit" button.
Except where noted otherwise, the special permissions may include a wide range of permissions and properties and are acceptable for this requirement.
CREATOR OWNER - Special permissions
SELF - Special permissions
Authenticated Users - Read, Special permissions
The special permissions for Authenticated Users are Read types.
If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.
SYSTEM - Full Control
Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
Enterprise Admins - Full Control
Key Admins - Special permissions
Enterprise Key Admins - Special permissions
Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
Pre-Windows 2000 Compatible Access - Special permissions
The Special permissions for Pre-Windows 2000 Compatible Access are Read types.
If detailed permissions include any Create, Delete, Modify, or Write Permissions or Properties, this is a finding.
ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
Fix Text
Limit the permissions on the Domain Controllers OU to restrict changes to System, Domain Admins, Enterprise Admins and Administrators.
The default permissions listed below satisfy this requirement.
Domains supporting Microsoft Exchange will have additional Exchange related permissions on the Domain Controllers OU. These may include some change related permissions.
CREATOR OWNER - Special permissions
SELF - Special permissions
Authenticated Users - Read, Special permissions
The special permissions for Authenticated Users are Read types.
SYSTEM - Full Control
Domain Admins - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
Enterprise Admins - Full Control
Key Admins - Special permissions
Enterprise Key Admins - Special permissions
Administrators - Read, Write, Create all child objects, Generate resultant set of policy (logging), Generate resultant set of policy (planning), Special permissions
Pre-Windows 2000 Compatible Access - Special permissions
The special permissions for Pre-Windows 2000 Compatible Access are Read types.
ENTERPRISE DOMAIN CONTROLLERS - Read, Special permissions
STIG Reference
- STIG
- Microsoft Windows Server 2016 Security Technical Implementation Guide
- Version
- 2
- Release
- 10
- Rule ID
- SV-224973r958726_rule
All Occurrences
This vulnerability appears on 1 ship(s)
| Ship | Hull # | Source File | Status | Assigned To | Scan Date | Actions |
|---|---|---|---|---|---|---|
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-AP-002/Checklist/MONT-AP-002_WinServer2016_V2R10_20251023-144214.ckl | Unassigned | 2026-01-14T12:57:42.721079 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-BE-002/Checklist/MONT-BE-002_WinServer2016_V2R10_20251023-143943.ckl | Unassigned | 2026-01-14T12:57:41.363810 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DB-002/Checklist/MONT-DB-002_WinServer2016_V2R10_20251023-144132.ckl | Unassigned | 2026-01-14T12:57:39.082634 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServer2016_V2R10_20251023-172220.ckl | Unassigned | 2026-01-14T12:57:37.248886 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-DP-001/Checklist/MONT-DP-001_WinServer2016_V2R10_20251023-144106.ckl | Unassigned | 2026-01-14T12:57:35.637816 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-MB-002/Checklist/MONT-MB-002_WinServer2016_V2R10_20251023-152736.ckl | Unassigned | 2026-01-14T12:57:33.842838 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-VSF-003/Checklist/MONT-VSF-003_WinServer2016_V2R10_20251023-143935.ckl | Unassigned | 2026-01-14T12:57:31.534241 | View in Context | |
| USNS MONTFORD POINT | T-ESD-1 | _Reviewed/MONT-VSF-004/Checklist/MONT-VSF-004_WinServer2016_V2R10_20251023-143909.ckl | Unassigned | 2026-01-14T12:57:30.046447 | View in Context |