Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups must be limited.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-243487 | SRG-OS-000480 | AD.0240 | SV-243487r959010_rule | 2024-09-13 | 3 |
| Description |
|---|
| Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups assigns a high privilege level for AD functions. Unnecessary membership increases the risk from compromise or unintended updates. Members of these groups must specifically require those privileges and be documented. |
| ℹ️ Check |
|---|
| Start "Active Directory Users and Computers" (Available from various menus or run "dsa.msc"). Review the membership of the "Incoming Forest Trust Builders" group. Navigate to the "Built-in" container. Right-click on the "Incoming Forest Trust Builders", select "Properties" and then the "Members" tab. If any accounts are not documented as necessary with the ISSO, this is a finding. Review the membership of the "Group Policy Creator Owner" group. Navigate to the "Users" container. Right-click on the "Group Policy Creator Owner", select "Properties" and then the "Members" tab. If any accounts are not documented as necessary with the ISSO, this is a finding. It is possible to move some system-defined groups from their default locations. If a group is not in the location noted, review other containers to locate. |
| ✔️ Fix |
|---|
| Document membership of the Group Policy Creator Owners and Incoming Forest Trust Builders groups. Remove any accounts that do not require the privileges these groups assign. |