Closed Relkci closed 10 months ago
Yes, but because a GPO applies to an OU, this is the case for the special OU "Domain Controllers" (the "Default Domain Controllers" GPO is hardcoded into MS-ADTS, GUID: {6AC1786C-016F-11D2-945F-00C04FB984F9}). We do not recommend having DCs outside of this OU.
I have a case where Domain Controller computer accounts are getting flagged as having a changed primary group id.
It appears that Domain Controllers that have the default primary group ID 516 are reported as having a changed primary group ID if their parent does not contain "OU=Domain Controllers". It is possible that Domain Controllers would not be in an OU named Domain Controllers.
Steps to re-create: Domain controller object in nested OU where DN does not contain "OU=Domain Controllers"
Expected Behavior: A Domain Controller with primary group ID 516 in any OU is not reported as having a changed/non-default primary group ID.
Actual Behavior: Domain Controllers are marked as "Objects having the primary group attribute changed".
Possible correction: An enabled DC should have UAC 532480, or specifically the 8192 bit flag (SERVER_TRUST_ACCOUNT). 532480 == TRUSTED_FOR_DELEGATION (524288) + SERVER_TRUST_ACCOUNT (8192).
Related Healthcheck.cs: https://github.com/vletoux/pingcastle/blob/51412bf7ad13c861d78b95707f762403364af3a8/Healthcheck/Healthcheck.cs#L418
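The following is an added example, not PingCastle's own code, that contrasts the two ways of deciding whether a computer account is a DC before judging its primaryGroupID: the DN substring test the issue reports as too narrow, and the userAccountControl test proposed above (SERVER_TRUST_ACCOUNT, 0x2000). It goes slightly beyond the issue by also treating read-only DCs (PARTIAL_SECRETS_ACCOUNT, 0x4000000, default primary group RID 521), which is an assumption from MS-ADTS rather than anything the issue states. The sample objects, names and DNs are constructed for the example.

```python
"""Decide a computer's expected primaryGroupID from its UAC bits, not its DN.

Added example (not PingCastle code). Sample objects below are constructed.
"""

# userAccountControl flags (values as documented in MS-ADTS / MS-SAMR)
WORKSTATION_TRUST_ACCOUNT = 0x1000      # 4096: member computer
SERVER_TRUST_ACCOUNT = 0x2000           # 8192: writable domain controller
TRUSTED_FOR_DELEGATION = 0x80000        # 524288: DCs carry this by default
PARTIAL_SECRETS_ACCOUNT = 0x4000000     # 67108864: read-only DC (assumption, see lead-in)

# Well-known primary group RIDs
RID_DOMAIN_COMPUTERS = 515
RID_DOMAIN_CONTROLLERS = 516
RID_RODC = 521                          # assumption, see lead-in


def is_dc_by_dn(dn: str) -> bool:
    """The heuristic the issue reports: DC if the DN contains the default OU."""
    return "ou=domain controllers" in dn.lower()


def expected_pgid_by_dn(obj: dict) -> int:
    return RID_DOMAIN_CONTROLLERS if is_dc_by_dn(obj["dn"]) else RID_DOMAIN_COMPUTERS


def expected_pgid_by_uac(obj: dict) -> int:
    """Proposed correction: derive the role from userAccountControl bits."""
    uac = obj["userAccountControl"]
    if uac & SERVER_TRUST_ACCOUNT:
        return RID_DOMAIN_CONTROLLERS
    if uac & PARTIAL_SECRETS_ACCOUNT:
        return RID_RODC
    return RID_DOMAIN_COMPUTERS


def changed_primary_group(objects, expected):
    """Return the names of objects whose primaryGroupID is not the expected default."""
    return [o["name"] for o in objects if o["primaryGroupID"] != expected(o)]


# Constructed sample: two DCs (one in a nested OU), one workstation, one
# workstation whose primaryGroupID was changed to 516 (a real finding).
SAMPLE = [
    {"name": "DC1", "dn": "CN=DC1,OU=Domain Controllers,DC=corp,DC=example",
     "userAccountControl": TRUSTED_FOR_DELEGATION | SERVER_TRUST_ACCOUNT,  # 532480
     "primaryGroupID": 516},
    {"name": "DC2", "dn": "CN=DC2,OU=Site-B,OU=Servers,DC=corp,DC=example",
     "userAccountControl": 532480,
     "primaryGroupID": 516},
    {"name": "WS1", "dn": "CN=WS1,OU=Workstations,DC=corp,DC=example",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "primaryGroupID": 515},
    {"name": "WS2", "dn": "CN=WS2,OU=Workstations,DC=corp,DC=example",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "primaryGroupID": 516},
]


def compare():
    """Findings under the DN heuristic versus the UAC check, for SAMPLE."""
    return {
        "by_dn": changed_primary_group(SAMPLE, expected_pgid_by_dn),
        "by_uac": changed_primary_group(SAMPLE, expected_pgid_by_uac),
    }


if __name__ == "__main__":
    for method, names in compare().items():
        print(f"{method}: {names}")
```

With the sample above the DN heuristic reports DC2 (a false positive, exactly the case in this issue) together with WS2, while the UAC-based check reports only WS2, the workstation whose primaryGroupID was actually changed.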