Active Directory: Should a computer object have admincount=1?

I have run Purple Knight to see if there are things in our Active Directory (two DCs running Windows Server 2019) that should be changed. One of those elements is "Privileged users with SPN defined":

This indicator looks for accounts with the adminCount attribute set to 1 AND ServicePrincipalNames (SPNs) defined on the account. In general, privileged accounts should not have SPNs defined on them, as it makes them targets for Kerberos-based attacks that can elevate privileges to those accounts.

However, the accounts found are not regular users but computers. One is our primary DC (used to also run Exchange before), the other is our Exchange 2019 server.

I could not find any information that computer accounts should have adminCount set, but before boldly changing the value from 1 to 0 and then going on vacation for two weeks, I thought I'd ask how many think this would be a good idea ;-)

Should it? No. It means that at some point, it was added as a member of a protected group. The process that tags user accounts with admincount will also tag computer accounts because computers are a type of user.
joeqwerty
Hmmm... I've never looked at it before, but my Exchange server also has AdminCount set to 1. I did find an MS article describing hybrid migration issues caused by AdminCount being set to 1, but no reason why it would be set to 1 other than by being a member of a protected group. I can confirm that my DC has never had Exchange installed and does not have AdminCount set (<not set>). - https://learn.microsoft.com/th-TH/exchange/troubleshoot/move-mailboxes/access-is-denied-error-when-moving-mailboxes
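An added example, not posted by anyone in this thread: a PowerShell audit that lists the objects the Purple Knight indicator matches (adminCount=1 plus at least one SPN) and, for each one, whether it is still a member of a protected group and whether ACL inheritance is still disabled on it. It assumes the RSAT ActiveDirectory module is installed and that the protected groups are the default well-known set (an assumption; adjust the list for your domain).

```powershell
# Added example, not from this thread. Requires the RSAT ActiveDirectory module.
# Finds every object (user, computer or other) with adminCount=1 AND an SPN, then shows
# whether it still sits in a protected group. "False" means the stamp is stale:
# SDProp never clears adminCount or re-enables ACL inheritance on its own.
Import-Module ActiveDirectory

# Assumption: the default AdminSDHolder-protected groups whose members get stamped.
# Extend or trim this list if your domain has customised protection via dsHeuristics.
$protectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators'

# Collect the DNs of every (recursive) member of those groups.
$protectedMembers = foreach ($group in $protectedGroups) {
    try {
        Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
            Select-Object -ExpandProperty distinguishedName
    } catch {
        Write-Warning "Could not enumerate '$group': $_"
    }
}
$protectedMembers = @($protectedMembers | Sort-Object -Unique)

# Same LDAP condition as the indicator: adminCount=1 and servicePrincipalName present.
$flagged = Get-ADObject -LDAPFilter '(&(adminCount=1)(servicePrincipalName=*))' `
    -Properties adminCount, servicePrincipalName

foreach ($obj in $flagged) {
    # AdminSDHolder also breaks ACL inheritance; report whether that is still in effect.
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    [pscustomobject]@{
        Name                = $obj.Name
        ObjectClass         = $obj.ObjectClass
        SPNCount            = @($obj.servicePrincipalName).Count
        InProtectedGroup    = $protectedMembers -contains $obj.DistinguishedName
        InheritanceDisabled = $acl.AreAccessRulesProtected
    }
}
```

A computer object that shows InProtectedGroup = False but InheritanceDisabled = True is a stale stamp; setting adminCount back to 0 does not re-enable inheritance, so the object's ACL needs to be reviewed separately.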