Claritiq — Tier-0 Inventory Mockup

Cq · Refreshed today

Critical Caution Healthy · target

Scope: eni.enigron.com · c1.eni.enigron.com

Tier-0 accounts

across 7 groups

Direct members

explicit DN

Nested via groups

indirect privilege

Foreign principals

cross-forest SID

AdminCount residue

SDProp leftovers

Admin w/ mailbox

Tier-0 hygiene gap

Privileged groups × membership

Group	Direct	Nested	Total recursive
Domain Admins	8	2	10
Enterprise Admins	3	1	4
Schema Admins	2	0	2
Account Operators	9	4	13
Server Operators	6	3	9
Backup Operators	5	4	9
Print Operators	3	2	5

Recursive expansion: nested-group members are surfaced as Tier-0 even though they're not explicit DNs in the privileged group. SDProp re-applies the protected ACL to all of them every 60 minutes.

Tier-0 risk breakdown

Risk dimension	Accounts	Severity	Distribution
Foreign Security Principal	2	Caution	cross-forest
AdminCount=1, not in any group	8	Caution	SDProp residue
Admin with active mailbox	12	Caution	Tier-0 hygiene
Admin not in Protected Users	31	Caution	TGT harvestable

Quick views

Tier-0 roster — recursive membership Showing 8 of 47 · Sorted by Group, User

User	UPN	SAM	Group	Path	Enabled	AdminCount	In Protected Users	Mailbox
admin-jkent	admin-jkent@contoso.com	admin-jkent	Domain Admins	Direct	Yes	Yes	Yes	No
admin-rkumar	admin-rkumar@contoso.com	admin-rkumar	Enterprise Admins	Direct	Yes	Yes	Yes	No
Sarah Williams	sarah.williams@contoso.com	swilliams	Account Operators	Direct	Yes	Yes	No	Yes
tier0-svc-backup	tier0-svc-backup@contoso.com	svc-backup	Backup Operators	via GG-BackupTeam	Yes	Yes	No	No
Foreign-S-1-5-21-...	—	—	Domain Admins	Foreign SP	Yes	Yes	No	No
admin-legacy-disabled	admin-legacy@contoso.com	admin-legacy	Domain Admins	Direct (disabled)	No	Yes	No	No
admin-tchen-new	admin-tchen-new@contoso.com	admin-tchen	Domain Admins	Direct (new)	Yes	Yes	Yes	No
ex-svc-archived	ex-svc@contoso.com	ex-svc	—	AdminCount=1 residue	No	Yes	No	No