Local admin rights assigned via GPO are drawn from the member to the GPO object.
```go
switch sidpair.GroupSID {
case "S-1-5-32-544":
	member.EdgeTo(gpoobject, activedirectory.EdgeLocalAdminRights)
case "S-1-5-32-562":
	member.EdgeTo(gpoobject, activedirectory.EdgeLocalDCOMRights)
case "S-1-5-32-555":
	member.EdgeTo(gpoobject, activedirectory.EdgeLocalRDPRights)
case "":
	ui.Warn().Msgf("GPO indicating group membership, but no group SID found for %s", sidpair.GroupName)
}
```
I think this is a bit misleading. Instead, these edges should be drawn from the member to the devices to which the GPO applies. Or at least the label should be worded to make it clear that the member does not gain admin rights over the GPO.
Adalanche/modules/integrations/activedirectory/analyze/gpoimport.go
Lines 222 to 231 in 03f510d
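Added example, not part of the issue and not Adalanche's code: a sketch of the alternative the issue describes, where the edge goes from the member to each computer under a container the GPO is linked to. The `Edge` type, `ResolveEdges`, `inScope` and the sample DNs are hypothetical, and scope is decided by link location only (security filtering, WMI filters, disabled links and blocked inheritance are ignored).

```go
package main

import (
	"fmt"
	"strings"
)

// Edge is a hypothetical, simplified graph edge for this example.
type Edge struct{ From, To, Kind string }

// The three local group SIDs handled by the switch quoted in the issue.
var edgeKinds = map[string]string{
	"S-1-5-32-544": "LocalAdminRights",
	"S-1-5-32-562": "LocalDCOMRights",
	"S-1-5-32-555": "LocalRDPRights",
}

// inScope reports whether computerDN sits at or below the linked container.
// The leading comma stops OU=OldWorkstations matching OU=Workstations.
func inScope(computerDN, linkedDN string) bool {
	c, l := strings.ToLower(computerDN), strings.ToLower(linkedDN)
	return c == l || strings.HasSuffix(c, ","+l)
}

// ResolveEdges returns member -> computer edges for every computer in the
// GPO's link scope, instead of a single member -> GPO edge.
func ResolveEdges(member, groupSID string, linkedDNs, computerDNs []string) []Edge {
	kind, ok := edgeKinds[groupSID]
	if !ok {
		return nil // empty or unhandled group SID: nothing to draw
	}
	var edges []Edge
	for _, comp := range computerDNs {
		for _, link := range linkedDNs {
			if inScope(comp, link) {
				edges = append(edges, Edge{member, comp, kind})
				break // one edge per computer even if several links match
			}
		}
	}
	return edges
}

func main() {
	// Constructed sample data.
	links := []string{"OU=Workstations,DC=corp,DC=example"}
	comps := []string{"CN=WS01,OU=Workstations,DC=corp,DC=example", "CN=SRV01,OU=Servers,DC=corp,DC=example"}
	fmt.Println(ResolveEdges(`CORP\Helpdesk`, "S-1-5-32-544", links, comps))
}
```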