2.6 Ensure a separate organizational unit (OU) in Active Directory exists for SharePoint 2019 objects.

Information

SharePoint 2019 includes an internal service, the Microsoft SharePoint Directory
Management Service, for creating e-mail distribution groups. When you configure e-mail
integration, you can enable the Directory Management Service feature, which lets users
create distribution lists. When a user creates a SharePoint group and selects the option to
create a distribution list, the Microsoft SharePoint Directory Management Service creates
the corresponding distribution list in Active Directory.

Rationale:

The recommendation is to set up a separate organizational unit (OU) in Active Directory for
SharePoint 2019 objects. The account used by the Microsoft SharePoint Directory Management
Service should have write access to this OU only. Because the service creates objects in
the directory on behalf of SharePoint users, confining its account to a dedicated container
limits what a compromise of SharePoint, or of that account, can change elsewhere in the
domain.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

1. Open Active Directory Users and Computers on a domain controller in the Active
Directory domain used for SharePoint.
2. Verify that a separate OU exists for use only with SharePoint 2019 objects; if it does
not, create one.
3. Modify the permissions on that OU so that only the account used by the Microsoft
SharePoint Directory Management Service has write access to it.
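
The same procedure can be carried out and audited from PowerShell on the domain
controller. The script below is an added example and is not part of the CIS benchmark or
the Nessus plugin. It assumes an OU named SharePoint2019 directly under the domain root
and a service account CONTOSO\svc-spdms for the Directory Management Service; both names
are placeholders to be replaced with the real ones. It creates the OU if it is missing,
grants the service account the create, delete and write-property rights it needs on that
OU and its children, and then lists every identity allowed a write-type right on the OU
so the result can be compared with the benchmark's expectation.

```powershell
# Added example (not from the benchmark): create or verify the dedicated SharePoint OU,
# scope the Directory Management Service account's write access to it, and audit writers.
# Assumed names, replace with your own: OU "SharePoint2019" under the domain root and
# service account "CONTOSO\svc-spdms" running the Directory Management Service.
Import-Module ActiveDirectory

$ouName     = 'SharePoint2019'
$svcAccount = 'CONTOSO\svc-spdms'
$domainDN   = (Get-ADDomain).DistinguishedName
$ouDN       = "OU=$ouName,$domainDN"

# Step 2: verify the OU exists. A filter search returns nothing (instead of throwing)
# when the OU is absent, so the OU can be created in the same pass.
$ou = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDN -PassThru `
        -Description 'SharePoint 2019 Directory Management Service objects only'
    Write-Output "Created $ouDN"
} else {
    Write-Output "Found $ouDN"
}

# Step 3: grant the service account, on this OU and everything beneath it, the rights it
# needs to create, modify and delete the distribution lists it manages. Nothing here
# grants the account rights anywhere else in the directory.
$sid    = ([System.Security.Principal.NTAccount]$svcAccount).Translate([System.Security.Principal.SecurityIdentifier])
$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, ReadProperty, ListChildren'
$ace    = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Audit: list every identity allowed a write-type right on the OU. Inherited entries for
# SYSTEM and the built-in administrative groups come from the domain root and are
# expected; any other explicit (non-inherited) writer besides the service account is a
# finding against this recommendation.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, Self, GenericWrite, GenericAll, WriteDacl, WriteOwner'
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.ActiveDirectoryRights -band $writeMask)) -ne 0
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType |
    Sort-Object IsInherited, IdentityReference |
    Format-Table -AutoSize
```

Run it on a domain controller (or a host with the RSAT ActiveDirectory module) as a user
permitted to change permissions on the OU. The audit output is the PowerShell equivalent
of the Advanced Security view in Active Directory Users and Computers from step 1. It only
inspects the dedicated OU; the rationale's second requirement, that the service account
hold write access nowhere else, still has to be checked against the rest of the directory.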

See Also

https://workbench.cisecurity.org/files/2395