Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups must be limited.
An XCCDF Rule
Description
Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups assigns a high privilege level for AD functions. Unnecessary membership increases the risk from compromise or unintended updates. Members of these groups must specifically require those privileges and be documented.
- ID: SV-243487r959010_rule
- Version: AD.0240
- Severity: Medium
Remediation Templates
A Manual Procedure
Document membership of the Group Policy Creator Owners and Incoming Forest Trust Builders groups. Remove any accounts that do not require the privileges these groups assign.
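
One way to carry out the review, as an added example that is not part of the STIG content: the script lists the direct members of both groups and marks any that are missing from a documented-members file. It assumes the RSAT ActiveDirectory module; the CSV path and its `Group` and `SamAccountName` columns are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example: compare live membership of the two groups named in this rule
# with a documented list. The CSV path and its columns (Group, SamAccountName)
# are assumptions made for illustration.
param(
    [string]$DocumentedMembersCsv = '.\ad0240-documented-members.csv'  # hypothetical file
)

$groups = 'Group Policy Creator Owners', 'Incoming Forest Trust Builders'

# Documented (approved) members, keyed as "group|account" for lookup.
$approved = @{}
if (Test-Path -LiteralPath $DocumentedMembersCsv) {
    Import-Csv -LiteralPath $DocumentedMembersCsv | ForEach-Object {
        $approved["$($_.Group)|$($_.SamAccountName)".ToLowerInvariant()] = $true
    }
} else {
    Write-Warning "No file at $DocumentedMembersCsv; every member is reported as undocumented."
}

$report = foreach ($group in $groups) {
    try {
        # Direct members only. Incoming Forest Trust Builders exists only in the
        # forest root domain, so the lookup fails when run against a child domain.
        $members = Get-ADGroupMember -Identity $group -ErrorAction Stop
    } catch {
        Write-Warning "Could not read '$group': $($_.Exception.Message)"
        continue
    }
    foreach ($m in $members) {
        $key = "$group|$($m.SamAccountName)".ToLowerInvariant()
        [pscustomobject]@{
            Group          = $group
            SamAccountName = $m.SamAccountName
            ObjectClass    = $m.objectClass   # 'group' = nested group, review its members too
            Documented     = $approved.ContainsKey($key)
        }
    }
}

$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Undocumented members need either documentation or removal.
$undocumented = @($report | Where-Object { -not $_.Documented })
Write-Output "Undocumented members: $($undocumented.Count)"
# Removal is left as a deliberate manual step once the account is confirmed unnecessary:
#   Remove-ADGroupMember -Identity '<group>' -Members '<account>'
```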