
How to Find High-Privileged Admin Accounts in Active Directory

When organizations don’t have clear visibility into privileged admin access in Active Directory, they risk losing control over critical systems. Since these privileged group memberships often change quietly during role changes or emergency fixes and go unnoticed, continuous monitoring is essential. This guide shows how to identify users in privileged admin groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins to maintain control over admin access.

List All Users in Built-in Privileged Admin Groups Using ADUC

Active Directory permission required: Domain Users (least privilege) up to Enterprise Admins (most privilege).
  • Open the Active Directory Users and Computers (ADUC) console, then right-click on Saved Queries in the left pane, and select New»Query.
  • Provide a suitable name and description for the query, ensure that the Include subcontainers checkbox is selected, and click on Define Query.
  • Select Custom Search from the Find drop-down and open the Advanced tab. Enter the following LDAP filter after replacing <DomainDistinguishedName> with your domain’s distinguished name. The matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) evaluates nested membership, so users who are in these groups only through another group are included.
    (&(objectCategory=person)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Administrators,CN=Builtin,<DomainDistinguishedName>)(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,<DomainDistinguishedName>)(memberOf:1.2.840.113556.1.4.1941:=CN=Enterprise Admins,CN=Users,<DomainDistinguishedName>)(memberOf:1.2.840.113556.1.4.1941:=CN=Schema Admins,CN=Users,<DomainDistinguishedName>)))
  • Click OK to define the query, then click OK again to save and close the configuration window.
  • Whenever you select this saved query, it lists all users in the Domain Admins, Schema Admins, Enterprise Admins, and built-in Administrators groups of your Active Directory domain.
Note: To view all admin groups a user belongs to, right-click the user account, choose Properties, and open the Member Of tab.

Get Active Directory Privileged Admin Accounts Using PowerShell

Active Directory permission required: Account Operators (least privilege) up to Enterprise Admins (most privilege).
  • The Saved Queries help you identify privileged admins in Active Directory, but not the groups they belong to. You still need to check each user’s Member Of tab to view their admin group memberships, which makes the process time-consuming.
  • To overcome this limitation, we developed a PowerShell script that exports all admins’ built-in privileged group membership details to a CSV file.
  • If the machine is not a domain controller, install the RSAT tools for ADUC and import the module using the following cmdlet.
    Import-Module ActiveDirectory
  • Next, run the following PowerShell script excerpt to export all privileged admins and their administrative group membership details from Active Directory. Before running the script, make sure to replace <FilePath> with the desired file path to export the CSV file.
    $PrivGroups = "Administrators","Domain Admins","Enterprise Admins","Schema Admins"
    $Admins = foreach ($Group in $PrivGroups) {
        try {
            $GroupObj = Get-ADGroup -Identity $Group -ErrorAction Stop
        }
        catch {
            continue   # skip groups that do not exist in this domain (Enterprise Admins and Schema Admins exist only in the forest root domain)
        }
        # -Recursive expands nested groups, so users who belong to a group inside Domain Admins are included too.
        Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq "user" |
            ForEach-Object {
                Get-ADUser $_.SamAccountName -Properties Enabled, UserPrincipalName, WhenCreated |
                    Select-Object Name, SamAccountName, UserPrincipalName, DistinguishedName, ObjectGUID,
                        @{ Name = 'Group';   Expression = { $Group } },
                        @{ Name = 'GroupDN'; Expression = { $GroupObj.DistinguishedName } },
                        Enabled, WhenCreated
            }
    }
    # One row per account, with all of its privileged group memberships collapsed into a single column.
    $FinalReport = $Admins | Group-Object SamAccountName | ForEach-Object {
        [PSCustomObject]@{
            Name              = $_.Group[0].Name
            SamAccountName    = $_.Name
            UserPrincipalName = $_.Group[0].UserPrincipalName
            DistinguishedName = $_.Group[0].DistinguishedName
            ObjectGUID        = $_.Group[0].ObjectGUID
            GroupMembership   = ($_.Group.Group | Sort-Object -Unique) -join ", "
            GroupCount        = ($_.Group.Group | Sort-Object -Unique).Count
            GroupDNs          = ($_.Group.GroupDN | Sort-Object -Unique | ForEach-Object { "($_)" }) -join ", "
            AccountStatus     = $_.Group[0].Enabled
            UserCreationTime  = $_.Group[0].WhenCreated
        }
    }
    $FinalReport | Export-Csv -Path "<FilePath>.csv" -NoTypeInformation
Note: You can add or remove groups in the $PrivGroups array to retrieve members of specific privileged admin groups.
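As an added example that is not part of the article's script, the following compares the CSV exported above with the copy saved by the previous run and lists memberships that were added or removed, which is the check a scheduled run needs in order to surface quiet changes. It uses the article's <FilePath> placeholder and an assumed <BaselinePath> placeholder for the previous export; on the first run, with no baseline, every membership is reported as added.

```powershell
# Added example: diff the current privileged-group export against the previous one.
# <FilePath> is the article's placeholder; <BaselinePath> is an assumed placeholder
# for where the last export is kept between scheduled runs.
$CurrentPath  = "<FilePath>.csv"
$BaselinePath = "<BaselinePath>.csv"

# Turn each report row into one "SamAccountName|Group" pair so that a user who
# gains or loses a single group shows up even if the user row itself is unchanged.
function Expand-Membership($Rows) {
    foreach ($Row in $Rows) {
        foreach ($Group in ($Row.GroupMembership -split ",\s*")) {
            if ($Group) { "{0}|{1}" -f $Row.SamAccountName, $Group }
        }
    }
}

$Now  = @(Expand-Membership (Import-Csv -Path $CurrentPath))
$Then = @()
if (Test-Path $BaselinePath) { $Then = @(Expand-Membership (Import-Csv -Path $BaselinePath)) }
# With no baseline (first run) everything below is reported as "Added".

function ConvertTo-Change($Pairs, $Kind) {
    foreach ($Pair in $Pairs) {
        $User, $Group = $Pair -split "\|", 2
        [PSCustomObject]@{ Change = $Kind; SamAccountName = $User; Group = $Group }
    }
}
# @( ... ) collects the output of both calls and stays an empty array when there is none.
$Changes = @(
    ConvertTo-Change ($Now  | Where-Object { $Then -notcontains $_ }) "Added"
    ConvertTo-Change ($Then | Where-Object { $Now  -notcontains $_ }) "Removed"
)

if ($Changes.Count -eq 0) {
    "No privileged group membership changes since the last run."
} else {
    # Additions are the ones to investigate: each should map to an approved change.
    $Changes | Sort-Object Change, SamAccountName | Format-Table -AutoSize
}

# Keep the current export as the baseline for the next scheduled run.
Copy-Item -Path $CurrentPath -Destination $BaselinePath -Force
```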

Gain Centralized Visibility into Built-in Privileged Accounts and Groups in Active Directory!

AdminDroid’s Active Directory reporting tool provides detailed insights into accounts and groups with extensive privileges across your entire Active Directory forest. With holistic reports and collective dashboards, it helps you track administrative access changes, review built-in privileged role assignments, and identify potential privilege escalation risks.

Reveal Risky Admin Role Assignments in Active Directory

Fetch all roles assigned to admins in Active Directory to ensure only necessary privileges are granted and proactively reduce the risk of privilege escalation.

Detect All Privileged Accounts to Fortify Security Posture

Monitor all Active Directory privileged accounts to identify administrators with additional privileged group memberships and remove them if they are not required.

Identify and Remove Inactive Admin Accounts to Reduce Attack Surface

Check for inactive admin accounts in Active Directory regularly and remove them to eliminate unnecessary privileges that attackers commonly target.

Find Admin Accounts with Old Passwords to Prevent Account Takeover

Leverage the users with outdated passwords report to identify admins using the same password for too long and enforce timely password changes to safeguard from password spray attacks.

Stay Alert on User Additions to Privileged Admin Groups

Configure privilege escalations alert to get notified instantly whenever a user is added to a privileged admin group and protect the Active Directory environment from compromise.

Get a Comprehensive View of All Active Directory Administrators

Utilize the admins dashboard to get instant visibility into privileged admins, recently added admins, and more for efficient management of your Active Directory.

Overall, AdminDroid helps you secure and manage all your users in administrative groups with ease. Beyond this, it delivers actionable insights across Active Directory objects and enables direct management actions such as adding members to groups, updating user properties, and more, to help you keep privileged access under control.

Explore a full range of reporting options

Important tips

Enable the ‘Account is sensitive and cannot be delegated’ option on privileged admin accounts to prevent them from being used for Kerberos delegation.

Avoid syncing AD admin accounts with Entra ID to reduce credential exposure to the cloud and better protect your hybrid identity environment.

Use time-based group memberships to grant users temporary access to privileged groups and automatically revoke privileges when the access period ends.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while retrieving privileged admins in Active Directory.

Error: The query filter “<Query>” is not a valid query string.

This error occurs when an invalid LDAP filter query is used while attempting to retrieve all members of the privileged administrative groups in ADUC.

Fix: Verify that the query filter is correctly formatted, the domain components are specified properly, and the query contains no typographical errors. Below is an example of a correctly formatted query for the domain ‘ruby.contoso.com’ that retrieves all Active Directory administrative users.
(&(objectCategory=person)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Administrators,CN=Builtin,DC=ruby,DC=contoso,DC=com)(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=ruby,DC=contoso,DC=com)(memberOf:1.2.840.113556.1.4.1941:=CN=Enterprise Admins,CN=Users,DC=ruby,DC=contoso,DC=com)(memberOf:1.2.840.113556.1.4.1941:=CN=Schema Admins,CN=Users,DC=ruby,DC=contoso,DC=com)))

Error: Import-Module: The specified module ‘ActiveDirectory’ was not loaded because no valid module file was found in any module directory.

This error happens when you try to import the Active Directory module without installing it on your domain-joined computer.

Fix: Before importing the Active Directory module, install it on your domain-joined computer using the cmdlet below for your operating system.
#For Windows Server
Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

#For Windows Client OS (Windows 10/11)
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

Error: The Event Log query specified is invalid.

This error occurs when the <AdminName> placeholder is not replaced with the target privileged admin name, or when the query contains syntax errors.

Fix: Ensure that the <AdminName> placeholder is replaced with the target username and check the query for missing quotes, brackets, or other syntax mistakes. The example below filters on the account ‘Alex’.
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625)]] and
      *[EventData[Data[@Name='TargetUserName']='Alex']]
    </Select>
  </Query>
</QueryList>

Error: Add-ADGroupMember : The parameter is incorrect.

This error occurs when attempting to assign temporary group membership to a user without enabling the Privileged Access Management (PAM) feature in the forest.

Fix: Enable the PAM feature by replacing the <ForestName> placeholder with the target forest name in the cmdlet below. Note that once this optional feature is enabled, it cannot be disabled again.
Enable-ADOptionalFeature "Privileged Access Management Feature" -Scope ForestOrConfigurationSet -Target "<ForestName>"

Error: Enable-ADOptionalFeature : The specified method is not supported.

This error occurs when you try to enable PAM in a forest with a functional level lower than Windows Server 2016.

Fix: Raise the domain functional level to Windows Server 2016 by running the following cmdlet, replacing <DomainName> with your domain name. In a multi-domain forest, every domain must be at this level before the forest level can be raised.
Set-ADDomainMode -Identity "<DomainName>" -DomainMode Windows2016Domain
Then raise the forest functional level by replacing <ForestName> with your forest name in the cmdlet below.
Set-ADForestMode -Identity "<ForestName>" -ForestMode Windows2016Forest

1. How to track administrative user login history in Active Directory?

When it comes to protecting highly privileged accounts in Active Directory, monitoring their login history is essential. It helps uncover early signs of admin account compromise, such as repeated failed sign-ins, unusual login times, and access from unauthorized systems. This enables you to detect suspicious activity quickly and take necessary action before it leads to directory compromise.

Before you begin, enable user logon auditing to retrieve the complete logon history of Active Directory administrators. This policy starts recording events only after it is enabled, so previous logons will not appear in the report.

Audit Active Directory admin logins using Event Viewer

  • Open Server Manager, go to Tools»Event Viewer and from the left pane, navigate to Windows Logs»Security.
  • From the Actions pane on the right, select Filter Current Log, switch to the XML tab, and select Edit query manually.
  • Confirm the prompt by selecting Yes and paste the query given below.
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625)]] and
      *[EventData[Data[@Name='TargetUserName']='<AdminName>']]
    </Select>
  </Query>
</QueryList>
  • Replace <AdminName> with the target admin account whose logon events you want to analyze, and click OK to apply the filter. This will display all logon events performed by that admin account.
  • Click a logon event to view details such as the event type, status, logon type, and more.

Audit Active Directory admin logon activities using PowerShell

The above method works well for retrieving the logon history of specific admin accounts. However, in large enterprises with multiple admins, manually specifying one or more admin accounts can be time-consuming and inefficient. In such cases, you need a more reliable approach to track logon events for all users in Active Directory privileged groups. To streamline this process, you can use the PowerShell script below to retrieve the logon history of all privileged Active Directory administrators. This script collects logon events for all admin accounts and exports the results to a CSV file.

$AdminGroups = "Domain Admins","Enterprise Admins","Schema Admins","Administrators"
$GroupObj = foreach ($Group in $AdminGroups) {
    try {
        Get-ADGroup -Identity $Group -ErrorAction Stop
    }
    catch {
        continue   # silently skip groups that don't exist
    }
}
$Computers = Get-ADComputer -Filter * -Properties DNSHostName |
             Where-Object { $_.DNSHostName } |
             Select-Object -ExpandProperty DNSHostName
# Collect every user in the privileged groups (nested membership included) and record which groups each one belongs to.
$Members = foreach ($G in $GroupObj) {
    Get-ADGroupMember -Identity $G -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.ObjectClass -eq "user" } |
        Select-Object Name, SamAccountName, @{ Name = 'Group'; Expression = { $G.Name } }
}
$Admins = $Members | Group-Object SamAccountName | ForEach-Object {
    [PSCustomObject]@{
        Name           = $_.Group[0].Name
        SamAccountName = $_.Name
        Groups         = ($_.Group.Group | Sort-Object -Unique) -join ", "
    }
}
$LogonHistory = foreach ($Computer in $Computers) {
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName   = "Security"
        Id        = 4624,4625
        StartTime = "<StartDate>"
        EndTime   = "<EndDate>"
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $Event = $_
        foreach ($Admin in $Admins) {
            # Escape the account name so characters such as "." are matched literally.
            if ($Event.Message -match "\b$([regex]::Escape($Admin.SamAccountName))\b") {
                [PSCustomObject]@{
                    Name           = $Admin.Name
                    SamAccountName = $Admin.SamAccountName
                    Groups         = $Admin.Groups
                    EventID        = $Event.Id
                    TimeCreated    = $Event.TimeCreated
                    LogonComputer  = $Event.MachineName
                    EventLoggedDC  = $Computer
                    Message        = ($Event.Message -split "`r?`n")[0]
                }
            }
        }
    }
}
$LogonHistory | Export-Csv -Path "<FilePath>.csv" -NoTypeInformation

Replace <StartDate> and <EndDate> with the desired audit search range in YYYY/MM/DD format and specify a suitable name for the <FilePath> export file.


You can also schedule this script using Task Scheduler to collect logon history regularly for continuous monitoring of privileged accounts.
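The same logon-event collection, as an added example that is not part of the article's script: it expands the single <AdminName> placeholder from the Event Viewer query into one XPath predicate per privileged group member and filters on the TargetUserName field of EventData rather than matching the free-text message. It assumes the ActiveDirectory module is loaded, that the domain controllers accept remote event log reads, and a 24-hour lookback; <FilePath> is the article's placeholder.

```powershell
# Added example: query 4624/4625 for every privileged account with one XPath filter per batch.
Import-Module ActiveDirectory

$PrivGroups = "Domain Admins","Enterprise Admins","Schema Admins","Administrators"
$AdminNames = foreach ($Group in $PrivGroups) {
    Get-ADGroupMember -Identity $Group -Recursive -ErrorAction SilentlyContinue |
        Where-Object ObjectClass -eq "user" | Select-Object -ExpandProperty SamAccountName
}
$AdminNames = @($AdminNames | Sort-Object -Unique)

function New-LogonFilterXml([string[]]$Names, [int]$LookbackMs) {
    # One predicate per account, joined with "or"; names are XML-escaped.
    $Predicates = ($Names | ForEach-Object {
        "Data[@Name='TargetUserName']='$([System.Security.SecurityElement]::Escape($_))'"
    }) -join " or "
    $Query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= $LookbackMs]]]
      and *[EventData[$Predicates]]
    </Select>
  </Query>
</QueryList>
"@
    return $Query
}

# Assumed: the DC list is pulled from AD rather than hard-coded.
$DCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$Events = foreach ($DC in $DCs) {
    # The event log XPath engine rejects filters with too many sub-expressions,
    # so the account list is queried in batches of 20.
    for ($i = 0; $i -lt $AdminNames.Count; $i += 20) {
        $Batch = $AdminNames[$i..([Math]::Min($i + 19, $AdminNames.Count - 1))]
        $Xml   = New-LogonFilterXml -Names $Batch -LookbackMs 86400000   # last 24 hours
        Get-WinEvent -ComputerName $DC -FilterXml $Xml -ErrorAction SilentlyContinue | ForEach-Object {
            # Read named EventData fields from the event XML; positional Properties
            # indexes differ between 4624 and 4625, so names are safer.
            $Data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
            [PSCustomObject]@{
                TimeCreated = $_.TimeCreated
                EventID     = $_.Id
                Result      = $(if ($_.Id -eq 4624) { "Success" } else { "Failure" })
                TargetUser  = $Data['TargetUserName']
                LogonType   = $Data['LogonType']
                SourceIp    = $Data['IpAddress']
                Workstation = $Data['WorkstationName']
                LoggedOnDC  = $DC
            }
        }
    }
}
$Events | Sort-Object TimeCreated | Export-Csv -Path "<FilePath>.csv" -NoTypeInformation
```

Repeated 4625 rows for one account, or 4624 rows with an unexpected SourceIp or LogonType, are the signals the article's introduction describes.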

2. How to configure the GPO restrictions for securing privileged admin accounts in Active Directory?

When administrator accounts can sign in without restrictions, it becomes difficult to differentiate legitimate activity from malicious behaviour. To reduce this risk, it is essential to control how and where admin accounts can log on. This can be achieved through Group Policy, which provides a scalable and consistent method to enforce restrictions and block unauthorized administrative access across the environment.

These GPOs should be applied to the OUs that contain the specific member servers and workstations where admin logon restrictions are required. Therefore, it is important to create a separate OU for the target member servers and workstations. Once this OU is created, you can apply the below recommended GPO-based logon restrictions to secure Active Directory administrator accounts.

gpo-logon-restrictions-differences

Configure logon restrictions for privileged admin accounts using GPO

Follow the steps below to apply logon restrictions to members of highly privileged groups using Group Policy Objects.

  • Open Server Manager and navigate to Tools»Group Policy Management.
  • From the left console tree, right-click the respective OU and select Create a GPO in this domain, and Link it here.
  • In the New GPO dialog box, enter a descriptive name for the policy. Once the GPO is created, right-click it and select Edit.
  • In the Group Policy Management Editor, navigate to Computer Configuration»Policies»Windows Settings»Security Settings»Local Policies»User Rights Assignment. Here, you’ll find all five policies required to set logon restrictions.
  • Right-click ‘Deny access to this computer from the network’, select Properties, select the Define these policy settings checkbox, and click Add User or Group.
  • Select Browse, type “Domain Admins”, click OK, and then click OK again to add the Domain Admins group to the policy.
  • Similarly, add the Enterprise Admins, Administrators, and Schema Admins groups to this policy, then click Apply and OK to save and enforce it.
  • In the same GPO, repeat the process for the remaining four policies.
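As an added example that is not from the article, the following checks on a member server that the ‘Deny access to this computer from the network’ right set above actually carries the privileged groups after the GPO has applied. It assumes an elevated session under a domain account on the target server after a policy refresh (gpupdate /force), and that the groups resolve through that machine's domain.

```powershell
# Added example: confirm the deny-network-logon right lists the privileged groups.
$Groups = "Domain Admins","Enterprise Admins","Schema Admins"

# secedit writes SIDs, so resolve each group name to its SID first. Enterprise
# Admins and Schema Admins live in the forest root, so they may not resolve
# through this machine's domain; unresolved groups are reported as skipped.
$Expected = @{ "S-1-5-32-544" = "BUILTIN\Administrators" }   # well-known SID
foreach ($G in $Groups) {
    try {
        $Account = New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\$G")
        $Sid = $Account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $Expected[$Sid] = $G
    } catch {
        Write-Warning "Could not resolve '$G' in $env:USERDOMAIN; skipped."
    }
}

# Export the effective user-rights assignment from the local security database.
$Inf = Join-Path $env:TEMP "user-rights-export.inf"
secedit.exe /export /cfg $Inf /areas USER_RIGHTS | Out-Null
$Line = Get-Content -Path $Inf -Encoding Unicode |
        Where-Object { $_ -match '^SeDenyNetworkLogonRight\s*=' }
Remove-Item -Path $Inf -Force

# The value looks like "*S-1-5-21-...-512,*S-1-5-32-544"; drop the "*" prefixes.
$Assigned = @()
if ($Line) {
    $Assigned = @(($Line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
}

# One line per group: a group missing from the deny list means the GPO did not
# reach this computer (wrong OU link, filtering, or no refresh yet).
foreach ($Sid in $Expected.Keys) {
    $State = if ($Assigned -contains $Sid) { "network logon denied (OK)" } else { "NOT denied - review GPO link/scope" }
    "{0,-24} {1}" -f $Expected[$Sid], $State
}
```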

3. How to delegate permissions to a user in Active Directory?

Imagine a helpdesk technician trying to fix a user issue but getting blocked due to insufficient permissions. Granting Domain Admin access may seem like the quickest solution, but it introduces unnecessary privileges and increases security risk. This is where delegated permissions come in. Delegation enforces the principle of least privilege and allows users to perform only the tasks they need while keeping the environment secure. Delegated permissions let you assign built-in common administrative tasks to users, or create custom tasks based on specific operational requirements.

Here’s how to provide delegated permissions to a user using the ADUC console.

Assign delegated permission for a common task using Delegation of Control Wizard

Follow the steps below in the ADUC console to delegate a common task to a user using the Delegation Wizard.

  • Open the ADUC console, right-click the target OU and select Delegate Control. To enable delegation at a domain-level, right-click the target domain and select the option.
  • On the Delegation of Control Wizard welcome page, click Next. On the Select Users, Computers, or Groups page, click Add.
  • Enter the name of the user, click Check Names, select OK, and then click Next. You can also create a security group containing the desired users and add the group here.
  • On the Tasks to Delegate page, under Delegate the following common tasks, select the task(s) you need to delegate. Once done, click Next and then Finish.

Assign a custom task to a user in Delegation of Control Wizard

To assign a custom task to a user, follow the steps below.

  • On the Tasks to Delegate page of the Delegation of Control Wizard, select Create a custom task to delegate and click Next.
  • On the Active Directory Object Type page, choose the scope of delegation and click Next.
    • Choose This folder, existing objects in this folder, and creation of new objects to apply permissions to all objects.
    • To limit permissions to specific objects, select Only the following objects in this folder, specify the required object types, and select the actions (create and/or delete).
  • On the Permissions page, select the permissions needed to manage the chosen object types. Once done, click Next and then Finish.
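Once delegation is in place, the access control entries the wizard wrote should be reviewed periodically. The following is an added example, not from the article, that lists the entries set directly on an OU with their object types resolved to names; the OU distinguished name is a placeholder, and the AD: drive comes from the ActiveDirectory module.

```powershell
# Added example: review what the Delegation of Control Wizard granted on an OU.
Import-Module ActiveDirectory
$OU  = "OU=<TargetOU>,<DomainDistinguishedName>"   # placeholder OU
$Acl = Get-Acl -Path "AD:\$OU"

# Build a GUID-to-name map so the ObjectType of each ACE reads as a schema
# attribute/class or an extended right (e.g. "Reset Password") instead of a GUID.
$RootDse = Get-ADRootDSE
$GuidMap = @{}
Get-ADObject -SearchBase $RootDse.schemaNamingContext -LDAPFilter "(schemaIDGUID=*)" `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $GuidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDse.configurationNamingContext)" `
             -LDAPFilter "(objectClass=controlAccessRight)" -Properties displayName, rightsGuid |
    ForEach-Object { $GuidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-AceGuid([guid]$Id) {
    if ($Id -eq [guid]::Empty) { return "All" }          # empty GUID = applies to everything
    if ($GuidMap.ContainsKey($Id)) { return $GuidMap[$Id] }
    return $Id.ToString()
}

# Only non-inherited ACEs were set on this OU itself (wizard grants plus the
# defaults AD stamps on new OUs); inherited ones come from parent containers.
$Acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
    [PSCustomObject]@{
        Identity  = $_.IdentityReference
        Type      = $_.AccessControlType
        Rights    = $_.ActiveDirectoryRights
        Object    = Resolve-AceGuid $_.ObjectType
        AppliesTo = Resolve-AceGuid $_.InheritedObjectType
    }
} | Sort-Object Identity | Format-Table -AutoSize
```

Any identity in the output that no longer needs the listed rights is a delegation to remove.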
