
How to Retrieve Domain Admins in Active Directory

Domain Admins hold the keys to your entire Active Directory domain. If even one account in the Domain Admins group is compromised, attackers can seize control of domain controllers, create hidden backdoors, and move freely across your network. Therefore, regularly reviewing this group’s membership is crucial and one of the simplest yet most powerful ways to strengthen your security. In this guide, you’ll learn how to quickly identify Domain Admins and ensure that only trusted administrators have the highest level of access.

Discover Domain Admins in Active Directory Using Saved Queries

Active Directory Permission Required
Least privilege: Account Operators
Most privilege: Administrators
  • Open the Active Directory Users and Computers (ADUC) console, then in the left pane, right-click Saved Queries and select New»Query.
  • Provide a suitable name and description for the query, make sure the Include subcontainers checkbox is enabled, and click Define Query.
  • In the 'Find' drop-down, choose Custom Search and navigate to the Advanced tab. Then enter the following LDAP filter, replacing <DomainName> with the distinguished name of your domain. For example, if your domain name is redmonk.greystone.com, specify it as DC=redmonk,DC=greystone,DC=com.

```ldap
(&(objectCategory=Person)(memberOf=CN=Domain Admins,CN=Users,<DomainName>))
```

  • Click OK to define the query, then click OK again to save and close the configuration window. This saved query lists all Domain Admins in your Active Directory whenever you select it.
  • Note: You can also view Domain Admins group members by checking the group’s Properties»Members tab. However, using the saved query method provides an enhanced view with additional columns and an option to export the results.

List All Domain Admins in Active Directory Using PowerShell

Active Directory Permission Required
Least privilege: Domain Users
Most privilege: Administrators
  • Import the Active Directory module using the following cmdlet.

```powershell
Import-Module ActiveDirectory
```

  • Then, run the cmdlet below to fetch all Domain Admins in Active Directory.

```powershell
Get-ADGroupMember -Identity "Domain Admins" |
    Select-Object Name, SamAccountName, ObjectClass, ObjectGUID, DistinguishedName |
    Format-Table -AutoSize
```

  • This cmdlet retrieves all Domain Admins of the domain connected to the current session, with their name, SAM account name, object class, object GUID, and distinguished name.
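The one-liner above lists direct members only. As an added example (not the article's or AdminDroid's own code), the following script expands nested groups with -Recursive, reads each member's last-logon and password-age attributes, and flags inactive accounts and old passwords, the same reviews the AdminDroid section below describes for Domain Admins, Enterprise Admins and Schema Admins. It assumes the RSAT ActiveDirectory module and read access to the domain; the day thresholds, the group list in the usage lines and the CSV path are assumptions to adjust to your policy.

```powershell
# Added example, not the article's or AdminDroid's own code.
# Reports direct and nested members of privileged AD groups and flags stale accounts.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-PrivilegedGroupReport {
    param(
        [string[]]$GroupName = @('Domain Admins'),
        [int]$InactiveDays = 90,      # assumed threshold for "inactive"; set to your policy
        [int]$PasswordAgeDays = 180   # assumed threshold for "old password"
    )
    $now = Get-Date
    foreach ($group in $GroupName) {
        try {
            # -Recursive expands nested groups, so an account that inherits membership
            # through another group is not missed (the article's one-liner lists direct members only).
            $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                Where-Object { $_.objectClass -eq 'user' }
        } catch {
            # Enterprise Admins and Schema Admins exist only in the forest root domain
            Write-Warning "Could not read '$group': $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.DistinguishedName `
                -Properties Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires
            # LastLogonDate is derived from lastLogonTimestamp, which replicates with a delay
            # of up to 14 days, so treat it as an approximation, not the exact last logon.
            $logonAge = if ($u.LastLogonDate) { ($now - $u.LastLogonDate).TotalDays } else { $null }
            $pwdAge   = if ($u.PasswordLastSet) { ($now - $u.PasswordLastSet).TotalDays } else { $null }
            [pscustomobject]@{
                Group                = $group
                SamAccountName       = $u.SamAccountName
                Enabled              = $u.Enabled
                LastLogonDate        = $u.LastLogonDate
                PasswordLastSet      = $u.PasswordLastSet
                PasswordNeverExpires = $u.PasswordNeverExpires
                Inactive             = ($null -eq $logonAge) -or ($logonAge -gt $InactiveDays)
                OldPassword          = ($null -eq $pwdAge) -or ($pwdAge -gt $PasswordAgeDays)
            }
        }
    }
}

# Usage: review Domain Admins together with the other privileged groups the article names.
$report = Get-PrivilegedGroupReport -GroupName 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Accounts to act on first: stale or old-password privileged accounts (assumed output path).
$report | Where-Object { $_.Inactive -or $_.OldPassword } |
    Export-Csv -Path .\privileged-account-review.csv -NoTypeInformation
```

Run it from a domain-joined machine with RSAT installed, or on a domain controller. Accounts flagged Inactive with no LastLogonDate at all have never logged on since lastLogonTimestamp was introduced, which for a privileged account is itself worth a look.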

Efficiently Manage Domain Admins in Active Directory with Instant Insights

AdminDroid’s Active Directory reporting tool offers comprehensive visibility into the members of the Domain Admins group, enhanced with AI-powered analytics and intuitive filters. Its detailed reports show every privileged account, so you can monitor, manage, and secure administrative access with confidence.

Verify Inactive Admin Accounts for Secure Access Management

Identify inactive admin accounts to minimize the attack surface by removing unused or stale privileged accounts.

Assess Privileged Admin Accounts to Reduce Security Risks

Review privileged admins such as Enterprise Admins, Schema Admins, and others to ensure only authorized users retain elevated access and to remove unnecessary permissions to maintain least privilege.

Get Complete Overview of Active Directory Admins

Access the Active Directory admins dashboard for a comprehensive overview of recently added admins, password status, and more.

Detect Admins with Outdated Passwords to Prevent Account Misuse

Find admins with old passwords to protect them from password spray, credential stuffing, or account takeover attempts.

Monitor Enterprise Admins to Fortify Active Directory Security

Track Enterprise Admins to ensure that sensitive operations such as forest-wide replication, trust relationships, configuration changes, and more are performed only by authorized users.

Audit Admin-Initiated Password Resets to Ensure Accountability

Monitor password reset by admin events to identify unauthorized resets, prevent privilege misuse, and maintain transparency.

Overall, AdminDroid’s Active Directory management tool offers a complete solution for efficiently managing administrative accounts. Along with securing admin accounts, it provides comprehensive management capabilities to monitor, analyze, and streamline Active Directory operations.

Explore a full range of reporting options

Important tips

Avoid syncing AD admins to the cloud to maintain a clear security boundary between your on-premises and Entra ID environments.

Use Privileged Access Management (PAM) to grant users temporary admin rights only when needed to keep accounts secure and prevent unnecessary access.

Apply account lockout policies to protect admin users from brute-force attacks and ensure only authorized logins succeed.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints when retrieving Domain Admins in Active Directory.

Error: Get-ADGroupMember : Cannot find an object with identity: '<GroupName>' under: 'DC=contoso,DC=com'.

This error occurs when you run the Get-ADGroupMember cmdlet and the specified group name is misspelled or does not exist in Active Directory.

Fix: Use the following cmdlet to check whether the group exists in the Active Directory environment.

```powershell
Get-ADGroup -Filter "Name -like '*<GroupName>*'" | Select-Object Name, DistinguishedName
```

Error: Get-ADGroupmember : The server has rejected the client credentials.

This error occurs when you run the cmdlet with an account whose credentials are invalid or expired.

Fix: Make sure you are running the cmdlet with credentials that are valid and not expired.

Error: Remove-ADGroupMember : Insufficient access rights to perform the operation

This error occurs when your account doesn't have enough privileges to remove a user from the Domain Admins group.

Fix: Make sure you have at least Domain Admin privileges before running the cmdlet to remove a member from the Domain Admins group.

Frequently Asked Questions

Ensure AD Security by Monitoring and Managing Domain Admins Wisely

1. How to add a user to the Domain Admins group in Active Directory?

A user added to the Domain Admins group can manage domain-wide settings, user accounts and security policies. This group gives elevated privileges to control the domain environment, access important resources, and manage system configurations. Because of the extensive control these privileges provide, it is essential to limit membership to trusted and authorized administrators.

To add a user to the Domain Admins group in Active Directory, use any of the methods below.

Add user to Domain Admins group using ADUC

  • Open Active Directory Users and Computers, navigate to the Users OU in the left pane.
  • Right-click on the desired user, select Properties, and navigate to the Member Of tab.
  • Click Add, enter ‘Domain Admins’ in the “Enter the object name to select” field, and click OK to add the user to the group.
  • Then, click OK to save the configurations and assign domain admin rights to the user.

Assign a user to Domain Admins group using PowerShell

Run the following cmdlet to add a user to the Domain Admins group in Active Directory. Make sure to replace <SAMAccountName> with the user's SAM account name before execution.

```powershell
Add-ADGroupMember -Identity "Domain Admins" -Members "<SAMAccountName>"
```

Instantly assign users to AD groups and manage permissions with ease!

  • With AdminDroid, you can directly assign users to Domain Admin groups with Add Member to Group management action.
  • In the flyout pane, select the Domain Admins group from the Group List drop-down and choose the required users from the Member List.
  • Then, click Execute to apply the changes.

2. How to detect who added a user to the Domain Admins group in AD?

An unauthorized addition to the Domain Admins group can expose your environment to serious security risks and misuse of privileged access. Monitoring who adds users to this group ensures accountability and protects critical resources.

Track changes to domain admin groups via security logs

  • Open Server Manager, click Tools, and select Event Viewer.
  • Right-click Security under Event Viewer (Local)»Windows Logs, and select Filter Current Log in the Actions pane.
  • Switch to the XML tab in the dialog box, select the Edit query manually checkbox, click Yes on the prompt, and enter the following XML query.

```xml
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4728)]]
      and
      *[EventData[Data[@Name='TargetUserName']='Domain Admins']]
    </Select>
  </Query>
</QueryList>
```

  • Click OK to view the list of events. Then select an event and check the General tab to see who added the user to the Domain Admins group and when it happened.

Note: After selecting Yes in the Event Viewer prompt, you cannot switch back to the Filter tab unless you disable the Edit query manually option.
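The same filter can be run from PowerShell, which is handier for scheduled checks and for querying every domain controller: a group membership change is logged only in the Security log of the DC that processed it, so Event Viewer on one DC shows only part of the picture. This is an added example, not the article's code. It assumes read access to the Security log (local Administrators or Event Log Readers) and that "Audit Security Group Management" auditing is enabled, without which no 4728 events are written; the 30-day window is an assumption.

```powershell
# Added example, not the article's own code: find "member added to a security-enabled
# global group" (4728) events for Domain Admins and report who made each change.
# Assumes read access to the Security log on the queried domain controller.
function Get-DomainAdminsAdditions {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 30,                      # assumed look-back window
        [string]$GroupName = 'Domain Admins'
    )
    # Same XPath as the Event Viewer filter in the article, plus a time window.
    # 4728 is the global-group event; Administrators (domain local) logs 4732 and
    # universal groups such as Enterprise Admins log 4756. Removals are 4729/4733/4757.
    $ms = [int64]$Days * 24 * 60 * 60 * 1000
    $xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4728) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
      and
      *[EventData[Data[@Name='TargetUserName']='$GroupName']]
    </Select>
  </Query>
</QueryList>
"@
    $events = Get-WinEvent -ComputerName $ComputerName -FilterXml $xml -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Read the named EventData fields from the event XML rather than parsing message text
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            DC          = $e.MachineName
            Group       = $data['TargetUserName']
            MemberAdded = $data['MemberName']        # DN of the account that was added
            AddedBy     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            LogonId     = $data['SubjectLogonId']
        }
    }
}

# Usage: query every domain controller, since each DC logs only the changes it processed.
Get-ADDomainController -Filter * |
    ForEach-Object { Get-DomainAdminsAdditions -ComputerName $_.HostName } |
    Sort-Object Time | Format-Table -AutoSize
```

If the result is empty on a DC where you know a change happened, check the audit policy first (Audit Security Group Management under Account Management) and then whether the Security log has already rolled over; both are common reasons for "missing" 4728 events.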


Effortlessly track who added users to the Domain Admins group with AdminDroid!

  • With the member added to group events report, you can easily identify all users who were added to the Domain Admins group using the Group Name easy filter.
  • In this report, check the Added By column to see who added each user to the Domain Admins group.
  • In addition, the report shows details such as the target domain, group type, and more to track group membership changes.

3. How to remove a user from the Domain Admins group in Active Directory?

Some users and project-based administrators are often granted Domain Admin rights temporarily for tasks such as server migrations or troubleshooting. Once their work is complete, they must be removed from the Domain Admins group to maintain least privilege and keep the environment secure.

Remove user from Domain Admins group using ADUC

  • Open Active Directory Users and Computers (ADUC) and locate the Domain Admins group under Users OU.
  • Right-click the Domain Admins group and select Properties.
  • Then, navigate to the Members tab and select the user you want to remove.
  • Click Remove, then confirm the action by selecting Yes.

Remove multiple users from Domain Admins using PowerShell

  • Open PowerShell as an administrator on the domain controller.
  • Run the following script to remove multiple users from the Domain Admins group. Replace <SAMAccountName> with the actual SAM account names of the users, provided as comma-separated values.

```powershell
$users = @("<SAMAccountName1>", "<SAMAccountName2>")
foreach ($user in $users) {
    Remove-ADGroupMember -Identity "Domain Admins" -Members $user -Confirm:$false
}
```
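Hard-coding the names to remove works for a one-off clean-up; for the recurring review the article recommends, it is safer to hold an approved-member list and remove only what is not on it. The following is an added example (not the article's own code) that drives the same Remove-ADGroupMember call from such a list. The approved names are constructed for illustration; by default the function only reports drift, and -WhatIf is honoured when -Remediate is used.

```powershell
# Added example, not the article's own code: compare current Domain Admins membership
# against an approved list and report (or, with -Remediate, remove) anything unexpected.
Import-Module ActiveDirectory

function Invoke-DomainAdminsReview {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]]$Approved,   # SAM account names allowed in the group
        [string]$GroupName = 'Domain Admins',
        [switch]$Remediate                            # without it, the function only reports
    )
    # Direct members only, matching the article's listing; nested groups would need -Recursive
    $current    = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName
    $unexpected = @($current  | Where-Object { $Approved -notcontains $_ })
    $missing    = @($Approved | Where-Object { $current  -notcontains $_ })

    foreach ($sam in $unexpected) {
        if ($Remediate -and $PSCmdlet.ShouldProcess($sam, "Remove from $GroupName")) {
            # Same cmdlet as the bulk-removal script above
            Remove-ADGroupMember -Identity $GroupName -Members $sam -Confirm:$false
        } else {
            Write-Warning "$sam is in $GroupName but is not on the approved list"
        }
    }
    foreach ($sam in $missing) {
        Write-Warning "$sam is on the approved list but is not currently in $GroupName"
    }
    [pscustomobject]@{ Unexpected = $unexpected; Missing = $missing }
}

# Constructed sample approved list; keep the real one under change control.
$approvedAdmins = @('Administrator', 'da-alice', 'da-bob')
Invoke-DomainAdminsReview -Approved $approvedAdmins                        # report only
# Invoke-DomainAdminsReview -Approved $approvedAdmins -Remediate -WhatIf   # preview removals
```

Running the report-only form on a schedule and alerting on a non-empty Unexpected list gives the same drift signal as the 4728 event query in the previous section, but from the directory's current state rather than from logs, so it still catches a change whose audit event was never recorded.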
    

4. What are the different types of administrators in Active Directory?

Active Directory offers several administrative levels beyond Domain Admins that you should be familiar with. Understanding how these roles differ from Domain Admins allows you to manage permissions more effectively by assigning the right level of control to the right users. This structured approach enhances security by reducing unnecessary access and makes it easier to delegate responsibilities across teams.

Below are the key types of administrators in Active Directory, along with their levels of access, administrative rights, and primary functions.

[Image: types of administrators in Active Directory]
