Information
SharePoint 2016 includes an internal service, the Microsoft SharePoint Directory Management Service, for creating e-mail distribution groups. When you configure e-mail integration, you have the option to enable the Directory Management Service feature, which lets users create distribution lists. When users create a SharePoint group and they select the option to create a distribution list, the Microsoft SharePoint Directory Management Service creates the corresponding Active Directory distribution list in the Active Directory environment.
Rationale:
The recommendation is to set up a separate organizational unit (OU) in Active Directory for SharePoint 2016 objects. Write access for the account used by the Microsoft SharePoint Directory Management Service should be granted only on this OU, so that the service account cannot modify objects elsewhere in the directory.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
1. Open Active Directory Users and Computers on a domain controller within the Active Directory domain used for SharePoint.
2. Validate that there is a separate OU created for use only with SharePoint 2016 objects; if there is not, create one.
3. Modify the separate OU so that only the account used by the Microsoft SharePoint Directory Management Service has write access to that OU.
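The three steps above can be scripted and audited from a domain-joined machine with the ActiveDirectory module. The following PowerShell is an added example, not part of the benchmark text or of any Microsoft tooling: it locates (or creates) the SharePoint OU, lists every trustee that holds write-capable rights on it, flags any trustee other than the service account, and grants the service account the write rights it needs if they are missing. The OU name `SharePoint2016Objects`, the parent container, and the account `CONTOSO\svc-sp-dirmgmt` are placeholder assumptions to replace with your own values.

```powershell
# Added example (not from the benchmark): audit and remediate the dedicated
# SharePoint OU delegation. All names below are placeholder assumptions.
Import-Module ActiveDirectory

$OuName         = 'SharePoint2016Objects'            # assumed OU name
$ParentDn       = (Get-ADDomain).DistinguishedName   # assumed: OU sits directly under the domain root
$ServiceAccount = 'CONTOSO\svc-sp-dirmgmt'           # assumed Directory Management Service account (DOMAIN\sam)

# Step 2: find the OU, create it if missing (protected from accidental deletion).
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $ParentDn -SearchScope OneLevel
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $OuName -Path $ParentDn `
            -ProtectedFromAccidentalDeletion $true -PassThru
    Write-Host "Created OU $($ou.DistinguishedName)"
}
$ouPath = "AD:\$($ou.DistinguishedName)"

# Rights that let a trustee change the OU or the objects beneath it.
$writeRights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, WriteDacl, WriteOwner, GenericWrite, GenericAll, Self'

# Step 3 (audit): every Allow ACE on the OU that carries any write-capable right.
$acl     = Get-Acl -Path $ouPath
$writers = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.ActiveDirectoryRights -band $writeRights) -ne 0) } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited -Unique

# Trustees other than the service account. Built-in principals (Domain Admins,
# Enterprise Admins, SYSTEM) usually appear via inheritance; judge each against
# your baseline rather than removing them blindly.
$unexpected = $writers | Where-Object { $_.IdentityReference.Value -ne $ServiceAccount }
if ($unexpected) {
    Write-Warning "Trustees other than $ServiceAccount hold write rights on $($OuName):"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Host "Only $ServiceAccount holds write rights on $($OuName)"
}

# Step 3 (remediate): make sure the service account itself can create, delete and
# modify objects in the OU and its children, without WriteDacl/WriteOwner.
$hasRights = $writers | Where-Object { $_.IdentityReference.Value -eq $ServiceAccount }
if (-not $hasRights) {
    $samName = $ServiceAccount.Split('\')[1]
    $sid     = (Get-ADUser -Identity $samName).SID
    $rule    = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, ReadProperty, WriteProperty, ListChildren',
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $ouPath -AclObject $acl
    Write-Host "Granted write rights on $OuName to $ServiceAccount"
}
```

Run it as a user with permission to edit the OU's security descriptor; the audit portion only reads the ACL and can be run on its own to produce the evidence the benchmark asks for. The granted rights deliberately exclude WriteDacl and WriteOwner, so the service account can manage distribution lists inside the OU but cannot re-delegate or take ownership of it.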