What is a one sentence summary of your feature request?
Uncover hidden objects in Active Directory
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
Objects can be hidden in Active Directory a few ways. PingCastle already detects “hidden” memberships via the Primary Group ID checks but does not detect the following methods:
ShowInAdvancedViewOnly
Whilst not a true hidden object, “ShowInAdvancedViewOnly” hides the account from Active Directory management tools unless the administrator has advanced view enabled.
Check for users, computers and groups with ShowInAdvancedViewOnly set to True.
ACLs
The more robust way to hide an object is to deny access to it. This can be done on objects and OUs. These can be uncovered by checking for Deny ACLs for well-known principals such as Domain Users, Everyone, Authenticated Users etc.
Check the following Object Types:
- Organizational Units
- Users
- Computers
- AdminSDHolder
There is a potential other way to check this, which would be to get all objects from Active Directory and filter to only show objects that do not return any ObjectClass.
Get-ADObject -Filter "*" -Property ObjectClass,DistinguishedName | Where-Object { -Not $_.ObjectClass }
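A PowerShell sketch of the two checks described above (ShowInAdvancedViewOnly and Deny ACEs for well-known principals), as an added example that is not PingCastle code. It assumes the ActiveDirectory module with its AD: drive, and that the account running it is not itself denied read access, since an object hidden from the caller is simply not returned at all.

```powershell
# Added example, not PingCastle code: enumerate the two hiding techniques above.
Import-Module ActiveDirectory

# Well-known principals whose Deny ACEs most often indicate a deliberately hidden object.
$WellKnown = @('Everyone', 'Authenticated Users', 'Domain Users')

# 1) ShowInAdvancedViewOnly set to TRUE on users, computers and groups.
$filter  = '(&(showInAdvancedViewOnly=TRUE)(|(objectClass=user)(objectClass=computer)(objectClass=group)))'
$advOnly = Get-ADObject -LDAPFilter $filter -Properties showInAdvancedViewOnly |
    Select-Object Name, ObjectClass, DistinguishedName

# 2) Deny ACEs for well-known principals on OUs, users, computers and AdminSDHolder.
$domainDN = (Get-ADDomain).DistinguishedName
$targets  = @(Get-ADObject -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=user)(objectClass=computer))')
$targets += Get-ADObject -Identity "CN=AdminSDHolder,CN=System,$domainDN"

$denies = foreach ($obj in $targets) {
    # The AD: drive exposes the object's security descriptor through Get-Acl.
    $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        # IdentityReference reads DOMAIN\Name, NT AUTHORITY\Name or a bare name such as "Everyone".
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($WellKnown -contains $name) {
            [pscustomobject]@{
                DistinguishedName = $obj.DistinguishedName
                ObjectClass       = $obj.ObjectClass
                DeniedPrincipal   = $ace.IdentityReference.Value
                Rights            = $ace.ActiveDirectoryRights
                Inherited         = $ace.IsInherited   # inherited denies usually come from a parent OU
            }
        }
    }
}

"Objects with ShowInAdvancedViewOnly = TRUE:"
$advOnly | Format-Table -AutoSize
"Deny ACEs for well-known principals:"
$denies  | Format-Table -AutoSize
```

Inherited Deny entries point at the OU where the hiding was applied, so grouping the second table by the parent container quickly shows whether one OU or individual objects were hidden.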
How do you currently solve the challenges you have by not having this feature?
Use PowerShell or other tooling.