Following are the criteria that the Security Guardian Tier Zero provider uses to identify Tier Zero objects in Active Directory.
NOTE: For the criteria that BloodHound Enterprise uses, refer to the BloodHound support article Tier Zero: Members and Modification.
-
Domains: The Domain object is identified as Tier Zero because it is a domain partition in the Active Directory forest which supports replication and administrative functions.
-
Groups: May be identified as Tier Zero if they are a default AD security group with access to Tier Zero objects in the domain (listed below), or if they are a member of another Tier Zero group (either directly or indirectly).
The default AD Security Groups considered Tier Zero are:
√ Account Operators
√ Administrators
√ Backup Operators
√ Cert Publishers
√ Cloneable Domain Controllers
√ Cryptographic Operators
√ Distributed COM Users
√ DnsUpdateProxy
√ DnsAdmins
√ Domain Admins
√ Domain Controllers
√ Enterprise Key Admins
√ Enterprise Admins
√ Enterprise Read-Only Domain Controllers
√ Group Policy Creator Owners
√ Hyper-V Administrators
√ Incoming Forest Trust Builders
√ Key Admins
√ Network Configuration Operators
√ Performance Log Users
√ Print Operators
√ Read-Only Domain Controllers
√ Remote Management Users
√ Schema Admins
√ Server Operators
√ Storage Replica Administrators
-
Users: May be identified as Tier Zero if they are a member of a Tier Zero group (either directly or indirectly).
-
Computers: May be identified as Tier Zero if they are a Domain Controller, Read-Only Domain Controller, or are a member of a Tier Zero group (either directly or indirectly).
-
Group Policies: May be identified as Tier Zero if they are linked to:
- the Domain
- an AD site or an organizational unit (OU) that contains a Domain Controller, a Read-Only Domain Controller, or any other Tier Zero user or computer.
-
It is recommended that some additional objects, which may not be identified by the Tier Zero provider, be added manually.
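The criteria above can be checked against a live domain with the following PowerShell. This is an added example, not the Security Guardian provider's own code, and it makes these assumptions: the default-group list is the one on this page (with the two group names spelled as AD spells them, Enterprise Key Admins and Group Policy Creator Owners), only the RSAT ActiveDirectory and GroupPolicy modules are available, and the site part of the GPO criterion is applied to the sites of domain controllers only, since mapping a non-DC computer to its site needs a subnet lookup this example does not perform. Comparing its output with the provider's own list is one way to find the objects the last paragraph says should be added manually.

```powershell
# Added example, not the Security Guardian provider's code: enumerate Tier Zero candidates
# in the current domain with the criteria listed on this page. Requires the RSAT
# ActiveDirectory and GroupPolicy modules and read access to the domain and configuration
# partitions. Assumption: the default-group list below is the one published on this page.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$tierZeroGroupNames = @(
    'Account Operators', 'Administrators', 'Backup Operators', 'Cert Publishers',
    'Cloneable Domain Controllers', 'Cryptographic Operators', 'Distributed COM Users',
    'DnsUpdateProxy', 'DnsAdmins', 'Domain Admins', 'Domain Controllers',
    'Enterprise Key Admins', 'Enterprise Admins', 'Enterprise Read-Only Domain Controllers',
    'Group Policy Creator Owners', 'Hyper-V Administrators', 'Incoming Forest Trust Builders',
    'Key Admins', 'Network Configuration Operators', 'Performance Log Users', 'Print Operators',
    'Read-Only Domain Controllers', 'Remote Management Users', 'Schema Admins',
    'Server Operators', 'Storage Replica Administrators'
)

$domain   = Get-ADDomain
$configNC = (Get-ADRootDSE).configurationNamingContext
$results  = @{}   # DistinguishedName -> record; an object is recorded once, with the first reason found

function Add-TierZero([string]$Type, [string]$Dn, [string]$Reason) {
    if (-not $results.ContainsKey($Dn)) {
        $results[$Dn] = [pscustomobject]@{ Type = $Type; DistinguishedName = $Dn; Reason = $Reason }
    }
}

# Escape the characters that are special in an LDAP filter value (RFC 4515).
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# Criterion 1: the domain object itself.
Add-TierZero 'Domain' $domain.DistinguishedName 'Domain partition'

# Criteria 2-4: each default group that exists here, then every group, user and computer
# nested under it. LDAP_MATCHING_RULE_IN_CHAIN resolves nesting on the DC, which avoids the
# errors Get-ADGroupMember -Recursive raises on foreign security principals in Administrators.
foreach ($name in $tierZeroGroupNames) {
    # Forest-root-only groups (Enterprise Admins, Schema Admins, ...) and the DNS groups may be absent.
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }
    Add-TierZero 'Group' $group.DistinguishedName 'Default Tier Zero group'

    $filter = "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $group.DistinguishedName))"
    foreach ($member in Get-ADObject -LDAPFilter $filter) {
        $type = switch ($member.ObjectClass) {
            'group'    { 'Group' }
            'computer' { 'Computer' }
            default    { 'User' }   # user, inetOrgPerson and service-account classes
        }
        Add-TierZero $type $member.DistinguishedName "Member (direct or nested) of $name"
    }
}

# Criterion 4, second part: every writable DC and RODC. A DC belongs to "Domain Controllers"
# only through primaryGroupID, which memberOf does not reflect, so the chain query above misses it.
$dcs = Get-ADDomainController -Filter *
foreach ($dc in $dcs) {
    $kind = if ($dc.IsReadOnly) { 'Read-Only Domain Controller' } else { 'Domain Controller' }
    Add-TierZero 'Computer' $dc.ComputerObjectDN $kind
}

# Criterion 5: GPOs linked to the domain head, to any OU above a Tier Zero user or computer,
# or to the site of a DC. gPLink is parsed directly because the same attribute carries the
# links on domain, OU and site objects, and Get-GPInheritance does not accept site targets.
# Limitation (assumption of this example): sites are derived from DCs only.
function Get-ParentContainers([string]$Dn) {
    $parts = $Dn -split '(?<!\\),'          # split on commas that are not escaped
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $parent = $parts[$i..($parts.Count - 1)] -join ','
        if ($parent -match '^DC=') { break } # the domain head is added separately
        $parent
    }
}

function Get-LinkedGpoGuids([string]$ContainerDn) {
    $obj = Get-ADObject -Identity $ContainerDn -Properties gPLink -ErrorAction SilentlyContinue
    if (-not $obj -or -not $obj.gPLink) { return }
    foreach ($m in [regex]::Matches($obj.gPLink, '\{[0-9A-Fa-f-]{36}\}')) { $m.Value }
}

$containers = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
[void]$containers.Add($domain.DistinguishedName)
foreach ($r in @($results.Values | Where-Object { $_.Type -in 'User', 'Computer' })) {
    foreach ($c in Get-ParentContainers $r.DistinguishedName) { [void]$containers.Add($c) }
}
foreach ($dc in $dcs) { [void]$containers.Add("CN=$($dc.Site),CN=Sites,$configNC") }

foreach ($c in $containers) {
    foreach ($guid in Get-LinkedGpoGuids $c) {
        $gpo = Get-GPO -Guid $guid -ErrorAction SilentlyContinue
        if ($gpo) { Add-TierZero 'GPO' $gpo.Path "'$($gpo.DisplayName)' linked to $c" }
    }
}

$results.Values | Sort-Object Type, DistinguishedName | Format-Table Type, Reason, DistinguishedName -AutoSize
```

Run it in each domain of the forest, because the forest-only groups (Enterprise Admins, Schema Admins, Enterprise Key Admins, Enterprise Read-Only Domain Controllers) exist only in the forest root and the script skips groups it cannot find. The chain query deliberately does not follow members that are foreign security principals from other domains; those are a common source of Tier Zero objects that have to be added by hand.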