Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups must be limited.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-243487 | AD.0240 | SV-243487r959010_rule | CCI-000366 | medium |

Description

Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups assigns a high privilege level for AD functions: Group Policy Creator Owners can create Group Policy Objects in the domain, and Incoming Forest Trust Builders can create one-way, incoming forest trusts to the forest root domain. Unnecessary membership increases the risk from compromise or unintended updates. Members of these groups must specifically require those privileges, and that requirement must be documented.

| STIG | Date |
|---|---|
| Active Directory Domain Security Technical Implementation Guide | 2024-09-13 |
Details
Check Text (C-243487r959010_chk)
1. Start "Active Directory Users and Computers" (available from various menus, or run "dsa.msc").

2. Review the membership of the "Incoming Forest Trust Builders" group:
   - Navigate to the "Builtin" container.
   - Right-click "Incoming Forest Trust Builders", select "Properties", then the "Members" tab.
   - If any accounts are not documented as necessary with the ISSO, this is a finding.

3. Review the membership of the "Group Policy Creator Owners" group:
   - Navigate to the "Users" container.
   - Right-click "Group Policy Creator Owners", select "Properties", then the "Members" tab.
   - If any accounts are not documented as necessary with the ISSO, this is a finding.

It is possible to move some system-defined groups from their default locations. If a group is not in the location noted, review other containers to locate it. Note also that the "Members" tab shows direct members only; a group nested inside either of these groups passes the privilege on to all of its own members, so nested groups must be expanded and their members reviewed as well.
Fix Text (F-46719r723495_fix)
Document the membership of the Group Policy Creator Owners and Incoming Forest Trust Builders groups with the ISSO. Remove any accounts (and any nested groups) that do not require the privileges these groups assign.
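The following PowerShell script is an added example, not part of the STIG, that automates both the check and the fix above. It locates the two groups by their well-known SIDs (Group Policy Creator Owners is RID 520 in the domain; Incoming Forest Trust Builders is S-1-5-32-557), so it still works when a group has been moved out of its default container, and it expands nested groups so indirectly privileged accounts are reported. It assumes the RSAT ActiveDirectory module is installed, that the caller can read (and, with -Remediate, modify) group membership, and that the approved-member list is a placeholder to be replaced with the accounts actually documented with the ISSO.

```powershell
# Added example (not STIG text): audit and optionally remediate membership of
# Group Policy Creator Owners and Incoming Forest Trust Builders.
# Assumptions: ActiveDirectory module available; $ApprovedMembers is a placeholder
# list of SamAccountNames documented with the ISSO.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$ApprovedMembers = @('gpo-admins'),   # placeholder, replace with documented accounts
    [switch]$Remediate                               # remove undocumented direct members (honours -WhatIf)
)

Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value

# Resolve by SID rather than by container path (groups may have been moved).
$targets = @(
    [pscustomobject]@{ Name = 'Group Policy Creator Owners';   Sid = "$domainSid-520" }
    [pscustomobject]@{ Name = 'Incoming Forest Trust Builders'; Sid = 'S-1-5-32-557' }
)

$findings = foreach ($t in $targets) {
    $group = Get-ADGroup -Identity $t.Sid -ErrorAction Stop

    # Direct members are what the Members tab shows; -Recursive also expands nested
    # groups down to the leaf accounts that inherit the privilege.
    $direct    = @(Get-ADGroupMember -Identity $group)
    $effective = @(Get-ADGroupMember -Identity $group -Recursive)

    foreach ($m in $effective) {
        if ($ApprovedMembers -notcontains $m.SamAccountName) {
            [pscustomobject]@{
                Group    = $group.Name
                GroupDN  = $group.DistinguishedName
                Member   = $m.SamAccountName
                Class    = $m.objectClass
                Direct   = ($direct.distinguishedName -contains $m.distinguishedName)
                Status   = 'FINDING: not documented with ISSO'
            }
        }
    }
}

if (-not $findings) {
    Write-Output 'No undocumented members in Group Policy Creator Owners or Incoming Forest Trust Builders.'
    return
}

$findings | Format-Table Group, Member, Class, Direct, Status -AutoSize

if ($Remediate) {
    foreach ($f in $findings) {
        if (-not $f.Direct) {
            # A nested account cannot be removed here; remove it from the nested group,
            # or remove that nested group from the target group, after documenting the decision.
            Write-Warning "$($f.Member) inherits membership in $($f.Group) via a nested group; fix the nesting."
            continue
        }
        if ($PSCmdlet.ShouldProcess("$($f.Member) in $($f.Group)", 'Remove-ADGroupMember')) {
            Remove-ADGroupMember -Identity $f.GroupDN -Members $f.Member -Confirm:$false
        }
    }
}
```

Run it without switches to produce the finding list for the ISSO record; run it with `-Remediate -WhatIf` to preview removals and with `-Remediate` to apply them. Keep the approved list in the same place as the documented membership so the audit and the documentation cannot drift apart.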