With the Symantec Threat Defense for Active Directory (TDAD) policy applied, running the following command shows a very large increase in the number of accounts with admin access:
([adsisearcher]"(&(objectClass=person)(objectClass=User)(admincount=1))").FindAll()
The number of admin accounts returned with the mask applied is much larger than the default 6X obfuscation factor value.
The admincount value was incorrectly set to 1 for all fake users.
On-premises:
This issue is fixed in Symantec Endpoint Protection (SEP) 14.3.5.0 (RU5).
For information on how to obtain the latest build of SEP, see Download Symantec software, tools, and patches.
Cloud:
This issue is fixed in Symantec Endpoint Security (SES) 14.3.5.0 (RU5).
For information on how to upgrade the SES agent, see Upgrading Windows client software automatically.