AD Starter Scan - Primary Group ID integrity

Groups are the standard way of providing access to resources in an environment. Therefore group membership should be treated with utmost care. A less known Active Directory feature can be used for the same purpose: Primary Group ID. This is a mechanism that was created to support legacy UNIX applications, where group membership is not stored in the same way as in Windows. When checking the access rights to a resource, being a member of a group or having a Primary Group ID set for this group is exactly the same from an Active Directory perspective. Not all third party tools and software consider this use-case.

Using the Primary Group ID mechanism is considered a bad practice and a security risk.

Note: The AD Starter Scan and associated plugins are intended to be used with smaller AD deployments for purposes of preliminary analysis. Accurate preliminary analysis can be expected for AD deployments with up to 5000 users, groups or machines and incomplete results will be returned for larger AD deployments with Nessus, Security Center and Vulnerability Management. For more information on the issues discovered by the Active Directory Starter Scan plugins, please refer to this blog post - https://www.tenable.com/blog/new-in-nessus-find-and-fix-these-10-active-directory-misconfigurations