
V-243487

CAT II (Medium)

Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups must be limited.

Rule ID

SV-243487r959010_rule

STIG

Active Directory Domain Security Technical Implementation Guide

Version

V3R7

CCIs

CCI-000366

Discussion

Membership in the Group Policy Creator Owners and Incoming Forest Trust Builders groups assigns a high privilege level for AD functions. Unnecessary membership increases the risk from compromise or unintended updates. Members of these groups must specifically require those privileges and be documented.

Check Content

Start "Active Directory Users and Computers" (Available from various menus or run "dsa.msc").

Review the membership of the "Incoming Forest Trust Builders" group.

Navigate to the "Built-in" container.

Right-click on the "Incoming Forest Trust Builders", select "Properties" and then the "Members" tab.

If any accounts are not documented as necessary with the ISSO, this is a finding.

Review the membership of the "Group Policy Creator Owners" group.

Navigate to the "Users" container.

Right-click on the "Group Policy Creator Owners", select "Properties" and then the "Members" tab.

If any accounts are not documented as necessary with the ISSO, this is a finding.

It is possible to move some system-defined groups from their default locations. If a group is not in the location noted, review other containers to locate it.
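An added PowerShell audit script (not DISA's or STIGhub's own code) that automates the two membership reviews above: it locates each group by its well-known SID, so the check still works when a group has been moved out of its default container, expands nested membership, and flags any member that is not on the ISSO-documented list. It assumes the RSAT ActiveDirectory module is installed and that $Documented holds your documented accounts (the values shown are placeholders).

```powershell
# Added example, not DISA/STIGhub code. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Placeholder allowlist: replace with the accounts documented with the ISSO.
$Documented = @{
    'Group Policy Creator Owners'    = @('Administrator')
    'Incoming Forest Trust Builders' = @()
}

# Resolve each group by well-known SID rather than by container path, so the
# caveat about moved system-defined groups does not cause a missed check.
$domainSid = (Get-ADDomain).DomainSID.Value
$Targets = @{
    'Group Policy Creator Owners'    = "$domainSid-520"   # domain-relative RID 520
    'Incoming Forest Trust Builders' = 'S-1-5-32-557'     # built-in group, forest root domain only
}

foreach ($name in $Targets.Keys) {
    $group = Get-ADGroup -Identity $Targets[$name] -ErrorAction SilentlyContinue
    if (-not $group) {
        Write-Warning "$name was not found in this domain (Incoming Forest Trust Builders exists only in the forest root domain)."
        continue
    }

    # -Recursive expands nested groups so indirectly granted members are reviewed too.
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Select-Object -ExpandProperty SamAccountName

    $undocumented = @($members | Where-Object { $_ -notin $Documented[$name] })

    [pscustomobject]@{
        Group        = $name
        Location     = $group.DistinguishedName   # shows where the group actually lives
        Members      = ($members -join ', ')
        Undocumented = ($undocumented -join ', ')
        Finding      = ($undocumented.Count -gt 0)  # any undocumented member is a finding
    }
}
```

Run it as a domain user with read access to AD; a row with Finding = True maps directly to the "this is a finding" condition in the check.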

Fix Text

Document membership of the Group Policy Creator Owners and Incoming Forest Trust Builders groups. Remove any accounts that do not require the privileges these groups assign.