1. Introduction
AD Starter Scan has identified a potential backdoor using the Primary Group ID attribute on user accounts. This is a less common method for managing access rights in Active Directory, and its use can create hidden security risks. A compromised account with an improperly configured Primary Group ID could allow unauthorized access to resources. This vulnerability impacts confidentiality, integrity, and availability if exploited successfully.
2. Technical Explanation
Groups are the standard way of providing access in Active Directory. The Primary Group ID is a legacy feature used for compatibility with older UNIX applications where group membership isn’t handled the same way. When checking resource access, being a member of a group and having a Primary Group ID set to that group are treated identically by Active Directory. Many third-party tools don’t fully account for this mechanism. Using the Primary Group ID is considered a security risk because it can bypass standard access controls.
- Root cause: Incorrect configuration of user accounts with non-default Primary Group IDs.
- Exploit mechanism: An attacker could gain unauthorized access to resources by exploiting tools that don’t properly validate group membership and rely solely on the Primary Group ID.
- Scope: Active Directory environments, particularly those using third-party applications or tools that may not fully support standard group management practices.
3. Detection and Assessment
You can confirm whether the domain is affected by checking user account properties for non-default Primary Group IDs. A thorough method involves scanning all user accounts in the domain.
- Quick checks: Use Active Directory Users and Computers to view the ‘Attribute Editor’ tab of a user account and check the ‘primaryGroupID’ attribute.
- Scanning: Nessus plugin ID 16380 can identify users with non-default Primary Group IDs. This is an example only; results may vary depending on the size of the AD.
- Logs and evidence: There are no specific logs for this issue; detection relies on identifying misconfigured accounts.
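As an added example that is not part of the original page, the following script goes beyond the single-value user check: it audits users and computers, uses the expected default RID for each account type (Domain Users, Domain Guests, Domain Computers, Domain Controllers, RODCs), and resolves each non-default value to the group it actually grants. It assumes the ActiveDirectory PowerShell module and read access to the domain.

```powershell
# Added example (not the page's own command): audit users AND computers whose
# primaryGroupID differs from the default for their account type, and resolve
# the actual RID to a group name. Assumes the ActiveDirectory module and read
# access to the domain; run it from a domain-joined admin workstation.
Import-Module ActiveDirectory

$domainSid = (Get-ADDomain).DomainSID.Value
# Domain controllers need a different default than ordinary computers
$dcs = Get-ADDomainController -Filter * | Select-Object ComputerObjectDN, IsReadOnly

function Get-ExpectedPrimaryRid {
    param($Account)
    if ($Account.ObjectClass -eq 'computer') {
        $dc = $dcs | Where-Object { $_.ComputerObjectDN -eq $Account.DistinguishedName }
        if (-not $dc)       { return @(515) }       # Domain Computers
        if ($dc.IsReadOnly) { return @(521, 498) }  # RODC / Enterprise RODC
        return @(516)                               # Domain Controllers
    }
    if ($Account.SamAccountName -eq 'Guest') { return @(514) }  # Domain Guests
    return @(513)                                               # Domain Users
}

function Resolve-RidToGroupName {
    param([int]$Rid)
    # A primary group is always a group in the account's own domain: DomainSID-RID
    try { (Get-ADGroup -Identity "$domainSid-$Rid").Name } catch { "<no group with RID $Rid>" }
}

$accounts = @(Get-ADUser     -Filter * -Properties primaryGroupID) +
            @(Get-ADComputer -Filter * -Properties primaryGroupID)

$findings = foreach ($acct in $accounts) {
    $expected = Get-ExpectedPrimaryRid $acct
    if ($acct.primaryGroupID -notin $expected) {
        [pscustomobject]@{
            SamAccountName = $acct.SamAccountName
            ObjectClass    = $acct.ObjectClass
            PrimaryGroupID = $acct.primaryGroupID
            PrimaryGroup   = Resolve-RidToGroupName $acct.primaryGroupID
            ExpectedRID    = $expected -join ' or '
        }
    }
}

# Empty output means every account uses the default primary group for its type
$findings | Sort-Object ObjectClass, SamAccountName | Format-Table -AutoSize
```

Unlike a plain "not 513" filter, this does not report the Guest account, domain controllers or RODCs as findings, and the PrimaryGroup column shows which group a deviating account is silently a member of.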
Get-ADUser -Filter * -Properties primaryGroupID | Where-Object {$_.primaryGroupID -ne 513} | Select-Object SamAccountName, primaryGroupID
4. Solution / Remediation Steps
Reset the Primary Group ID value of all accounts in the domain to their default values to remove the hidden backdoor mechanism. This process should be performed carefully and systematically.
4.1 Preparation
- No services need to be stopped for this change, but it is best practice to perform it during off-peak hours.
- Roll back plan: Restore the Active Directory from backup if any issues occur.
- Change window approval may be required depending on your organization’s policies.
4.2 Implementation
- Step 1: Set the Primary Group ID for every user account to 513, regardless of account type (normal, privileged, service). Use PowerShell.
- Step 2: Set the Guest account’s Primary Group ID to 514.
- Step 3: Set the Primary Group ID for every computer account to 515, except domain controllers.
- Step 4: For standard read-write domain controllers, set the Primary Group ID to 516.
- Step 5: For read-only domain controllers, set the Primary Group ID to 521.
- Step 6: For enterprise read-only domain controllers, set the Primary Group ID to 498.
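The following script is an added example, not the page's own remediation code, and applies steps 1 to 5 above to every user and computer account (step 6, the 498 value for enterprise RODCs, is left to the operator; RODC computer objects are reset to 521 here). It assumes the ActiveDirectory module and rights to modify the accounts. Two details matter in practice: Set-ADUser has no -PrimaryGroupID parameter, so the attribute is written with -Replace, and AD rejects a primaryGroupID unless the account is already an ordinary member of that group, so membership is added first.

```powershell
# Added example (not the page's script): reset primaryGroupID per account type.
# Assumes the ActiveDirectory module and rights to modify the accounts.
Import-Module ActiveDirectory
$WhatIfPreference = $true   # dry run: prints intended changes only; set to $false to apply

$domainSid = (Get-ADDomain).DomainSID.Value
$dcs = Get-ADDomainController -Filter * | Select-Object ComputerObjectDN, IsReadOnly

function Reset-PrimaryGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param($Account, [int]$Rid)
    if ($Account.primaryGroupID -eq $Rid) { return }          # already at the default
    $oldGroup = Get-ADGroup -Identity "$domainSid-$($Account.primaryGroupID)" -ErrorAction SilentlyContinue
    $newGroup = Get-ADGroup -Identity "$domainSid-$Rid"
    if (-not $PSCmdlet.ShouldProcess($Account.SamAccountName,
            "primaryGroupID $($oldGroup.Name) -> $($newGroup.Name)")) { return }
    # AD requires explicit membership in the new primary group before it accepts the change
    $memberOf = (Get-ADObject -Identity $Account.DistinguishedName -Properties memberOf).memberOf
    if ($newGroup.DistinguishedName -notin $memberOf) {
        Add-ADGroupMember -Identity $newGroup -Members $Account
    }
    # Set-ADUser/Set-ADComputer have no -PrimaryGroupID parameter; write the attribute directly
    Set-ADObject -Identity $Account.DistinguishedName -Replace @{ primaryGroupID = $Rid }
    # AD turns the former primary group into an ordinary, now visible membership.
    # Report it so that membership can be reviewed and removed explicitly.
    [pscustomobject]@{ Account = $Account.SamAccountName; FormerPrimaryGroup = $oldGroup.Name; NewRID = $Rid }
}

$users = foreach ($u in Get-ADUser -Filter * -Properties primaryGroupID) {
    $rid = if ($u.SamAccountName -eq 'Guest') { 514 } else { 513 }      # steps 1 and 2
    Reset-PrimaryGroup -Account $u -Rid $rid
}
$computers = foreach ($c in Get-ADComputer -Filter * -Properties primaryGroupID) {
    $dc = $dcs | Where-Object { $_.ComputerObjectDN -eq $c.DistinguishedName }
    $rid = if (-not $dc) { 515 } elseif ($dc.IsReadOnly) { 521 } else { 516 }   # steps 3 to 5
    Reset-PrimaryGroup -Account $c -Rid $rid
}
@($users) + @($computers) | Format-Table -AutoSize
```

In the dry run the "What if:" lines are the change report; once applied, the FormerPrimaryGroup column tells you which group memberships to review, since a reset account stays a regular member of the group that was hidden behind its Primary Group ID.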
4.3 Config or Code Example
Before
Get-ADUser -Identity "testuser" -Properties primaryGroupID | Select-Object SamAccountName, primaryGroupID
After
Set-ADUser -Identity "testuser" -Replace @{primaryGroupID=513}
4.4 Security Practices Relevant to This Vulnerability
Practices that directly address this vulnerability type include least privilege and secure defaults. Least privilege reduces the impact if an account is compromised, while secure defaults prevent misconfigurations.
- Practice 1: Implement the principle of least privilege by granting users only the necessary permissions to perform their tasks.
- Practice 2: Enforce secure defaults for all Active Directory accounts and objects, including setting appropriate Primary Group IDs.
4.5 Automation (Optional)
A PowerShell script can automate this process at scale. Be careful when running scripts against production environments.
# Script to reset PrimaryGroupID for all users except the Guest account
# Set-ADUser has no -PrimaryGroupID parameter, so the attribute is written with -Replace
Get-ADUser -Filter * -Properties primaryGroupID | Where-Object { $_.SamAccountName -ne "Guest" -and $_.primaryGroupID -ne 513 } | ForEach-Object { Set-ADUser -Identity $_ -Replace @{ primaryGroupID = 513 } }
5. Verification / Validation
Confirm the fix by rechecking user account properties for default Primary Group IDs and performing a smoke test to ensure normal functionality.
- Post-fix check: Run `Get-ADUser -Filter * -Properties primaryGroupID | Where-Object {$_.primaryGroupID -ne 513}`. The output should be empty or only include the Guest account.
- Re-test: Re-run the Nessus scan (plugin ID 16380) to confirm no vulnerabilities are reported.
- Smoke test: Verify users can log in and access their required resources.
- Monitoring: Monitor Active Directory event logs for unexpected changes to user account properties, specifically Primary Group ID modifications (this is an example only).
Get-ADUser -Filter * -Properties primaryGroupID | Where-Object {$_.primaryGroupID -ne 513}
6. Preventive Measures and Monitoring
Update security baselines to include the correct Primary Group ID settings for all account types. Add checks in CI/CD pipelines to prevent misconfigurations during deployment, for example using a GPO or Intune setting.
- Baselines: Update your Active Directory security baseline to enforce default Primary Group IDs.
- Pipelines: Include configuration validation steps in your CI/CD pipeline to ensure new accounts are created with the correct settings.
- Asset and patch process: Review account configurations regularly as part of a scheduled audit cycle.
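For the monitoring point in sections 5 and 6, the script below is an added example (not from the page) that pulls Primary Group ID changes out of a domain controller's Security log. Event 4738 (user account changed) and 4742 (computer account changed) carry a PrimaryGroupId field that is "-" unless that attribute changed. It assumes User Account Management and Computer Account Management auditing are enabled, rights to read the DC's Security log, and a placeholder DC name.

```powershell
# Added example (not the page's own): list Primary Group ID changes from a DC's
# Security log. Assumes account-management auditing is enabled on the DC.
param([string]$DomainController = 'dc01.example.local',   # placeholder DC name
      [int]$Hours = 24)

$filter = @{ LogName = 'Security'; Id = 4738, 4742; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue

$changes = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    # EventData is a list of <Data Name="..."> elements; index them by name
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    # The field is "-" when the Primary Group ID was not part of the change
    if ($d.PrimaryGroupId -and $d.PrimaryGroupId -ne '-') {
        [pscustomobject]@{
            Time              = $e.TimeCreated
            EventId           = $e.Id
            Target            = "$($d.TargetDomainName)\$($d.TargetUserName)"
            NewPrimaryGroupId = $d.PrimaryGroupId
            ChangedBy         = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            # Non-default value per the account types listed on this page
            NonDefault        = $d.PrimaryGroupId -notin '513','514','515','516','521','498'
        }
    }
}
$changes | Sort-Object Time | Format-Table -AutoSize
```

Run it against each domain controller (or point it at a log collector that forwards these events), and alert on rows where NonDefault is True or where ChangedBy is not an expected administrative account.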
7. Risks, Side Effects, and Roll Back
Changing Primary Group IDs could potentially disrupt applications that rely on this legacy feature. Restore from backup if any issues occur.
- Risk or side effect: Incorrectly configured accounts could lead to access issues. Carefully review and validate changes.
- Roll back: Restore Active Directory from backup if any critical services are disrupted.
8. References and Resources
- Vendor advisory or bulletin: https://www.tenable.com/blog/new-in-nessus-find-and-fix-these-10-active-directory-misconfigurations
- NVD or CVE entry: Not applicable for this specific issue.
- Product or platform documentation relevant to the fix:
Updated on December 27, 2025