ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: How to find out where a domain security group has permissions in our Active Directory?


Member

Posts: 16
Date: May 25, 2011
How to find out where a domain security group has permissions in our Active Directory?


Hi all. One last question I had for now for this forum. As mentioned, we are in the midst of consolidating two forests into one Active Directory forest, and as a part of this we are also trying to audit our Active Directory, and this includes an audit of all the security permissions in our Active Directory domains.

As a part of our audit, we need a way to find out where all our admin groups, particularly Domain Admins, Enterprise Admins and two of our delegated account management groups have permissions in our Active Directory.

We have tried scripting and PowerShell etc, but the results are not exactly what we are looking for. For example, we wish to know where all these groups have specific permissions, such as where all our delegated IT account management team has Reset Password permissions.

I am sure others on this forum must have come across such a requirement as well, and I would appreciate any tips or advice you can provide on how to best do this.

Thanks guys.



__________________
Driod Rules!


Member

Posts: 16
Date: Jun 22, 2012
RE: How to find out where a domain security group has permissions in our Active Directory?


Jeremy,  

Have you considered writing scripts or using PowerShell? Agreed, these may not be the most efficient or reliable way to go, but they're certainly A way.

Just my 2c.

Aaron.



__________________


Member

Posts: 6
Date: Jun 29, 2012
RE: How to find out where a domain security group has permissions in our Active Directory?


Jeremy,

So, you have tried PowerShell, but have you tried the PowerShell Commands for Active Directory from Quest Software? They're free, and I think should be able to help you find out where a domain security group has permissions in your Active Directory.

Vladmir.



__________________

Long live Russia!  Ministry of Defence of the Russian Federation



Member

Posts: 16
Date: Jan 17, 2013
RE: How to find out where a domain security group has permissions in our Active Directory?


Hi Aaron,

As I indicated, the assessments we were trying to make could not be done with PowerShell or scripting. Besides, it turned out that what we needed to do was not analyze who has what permissions in Active Directory, but in fact analyze effective permissions in Active Directory, i.e. who has what effective access in our Active Directory.

We've since found a way (here) to find out what rights our admins effectively have on our sensitive objects e.g. all domain admin accounts, all C*O accounts, our core OUs, etc.

Thanks for your help guys.

-Jeremy

PS: Vladmir, thanks for the suggestion. We looked at Quest's solutions but none of their solutions could help us determine effective permissions on our Active Directory objects. They seem to be able to do the easy stuff rather well, but not the advanced stuff we needed to solve our problem.



__________________
Driod Rules!


Newbie

Posts: 4
Date: Apr 11, 2013
How to find out where a domain security group has permissions in our Active Directory?


Jeremy,

We were in a similar situation recently, although we had a different need to fulfill.

We needed the ability to find out where all a specific user or group had very specific security permissions granted. For e.g. we needed to identify all user objects in whose DACLs Jane Doe has Explicit Allow Reset Password permissions granted.

We've looked around and evaluated quite a few tools (here's my review) and found this tool to be most useful to fulfill our need. Incidentally, it also has an Effective Permissions tool built-in, in case that's what you were looking for.

From what I remember of our trial of it, I'm almost confident that it also had the ability to find out where a security group has permissions in AD, so I think it should be able to fulfill your need.

Thanks,

Tom.



-- Edited by TomL on Thursday 11th of April 2013 06:00:12 PM

__________________

When everything's coming your way, you're in the wrong lane.
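
The kind of query discussed in this thread, as an added example that is not code from any poster or from the tools they mention: it lists the user objects whose DACL contains an Allow ACE granting Reset Password to one group. The group name is a hypothetical placeholder, and the RSAT ActiveDirectory module is assumed.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module
# and read access to nTSecurityDescriptor on the user objects being audited.
Import-Module ActiveDirectory

# Hypothetical group name: replace with the delegated group being audited.
$group    = Get-ADGroup -Identity 'Account-Management-Team'
$groupSid = $group.SID.Value

# rightsGuid of the "Reset Password" control access right (User-Force-Change-Password).
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$inheritOnly   = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType       = [System.Security.Principal.SecurityIdentifier]

$findings = foreach ($user in Get-ADUser -Filter * -Properties nTSecurityDescriptor) {
    $sd = $user.nTSecurityDescriptor
    if ($null -eq $sd) { continue }   # caller could not read this object's DACL

    # Explicit and inherited ACEs, trustees returned as SIDs so renames cannot hide a match.
    foreach ($ace in $sd.GetAccessRules($true, $true, $sidType)) {
        if ($ace.IdentityReference.Value -ne $groupSid) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs are passed to child objects and do not apply to this user.
        if ($ace.PropagationFlags -band $inheritOnly) { continue }
        # ExtendedRight is also set inside GenericAll, so Full Control ACEs match here.
        if (-not ($ace.ActiveDirectoryRights -band $extendedRight)) { continue }
        # Empty ObjectType means "all extended rights", which includes Reset Password.
        if ($ace.ObjectType -ne $resetPassword -and $ace.ObjectType -ne [guid]::Empty) { continue }

        [pscustomobject]@{
            User      = $user.DistinguishedName
            Trustee   = $group.SamAccountName
            Rights    = $ace.ActiveDirectoryRights
            Scope     = if ($ace.ObjectType -eq [guid]::Empty) { 'All extended rights' } else { 'Reset Password' }
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Inherited, User | Format-Table -AutoSize
```

It matches ACEs granted to the group's own SID only and does not resolve nested group membership or weigh Deny ACEs, so the output is a list of permission grants rather than the effective access discussed earlier in the thread.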
