Member Of


The Source security principal is a member of the Target group. Therefore, it benefits from all the access rights that the group holds, such as accessing file shares, assuming roles in business applications, etc.


Attackers do not have to do anything to exploit this attack relation. They only need to authenticate as the Source security principal to get the Target group in their local or remote security token, or Kerberos ticket.


If the Source security principal is an illegitimate member of the Target group, then you must remove it.

You can use any standard Active Directory administration tool such as "Active Directory Users and Computers" or PowerShell such as Remove-ADGroupMember.

See also