The Deny ACE That Never Fires: Non-Canonical ACL Order in Active Directory
Most people who work with Active Directory ACLs know that Deny should come before Allow, and that explicit permissions take precedence over inherited ones.
If you have ever tried to build an ACL backup tool, a delegation cloning script, or a migration utility for Active Directory using the standard .
In the previous post, Part 1, I introduced a way to detect a malicious actor account in the access control list of the domain root.
When trying to identify the highly privileged accounts in an Active Directory, you might start with the members of the built-in administrative groups like Domain Admin etc.
This is a repost of my previous post at: https://docs.microsoft.com/en-us/archive/blogs/pfesweplat/do-you-allow-blank-passwords-in-your-domain. My blog posts at Microsoft were temporarily deleted, so just in case I re-post this one here.