ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: How to find out who is delegated what access in our Active Directory?


Member

Posts: 9
Date: Jun 22, 2011
How to find out who is delegated what access in our Active Directory?


Hi,

I have been tasked with finding out and documenting who is delegated what access in our Active Directory and I would like some help with this as I've hit a wall trying to do this.

We have an Active Directory of about 5000 users, and we're spread across a few cities. While I just joined the group, over the last few years, quite a few folks have been delegated access on different OUs, primarily to be able to provide local IT support, and some for basic helpdesk stuff (password reset assistance etc.)

The thing is that with 5000 users, and about as many computers and groups, this is just such a difficult problem for us to solve. I mean first I thought it was simply a matter of finding out who has what permissions in Active Directory, but it turns out that that is just scratching the surface of the problem, because there are SO MANY permissions and they all seem to somehow work together on each individual object.

I mean I read somewhere that I'm supposed to evaluate resultant-set-of-permissions just like resultant-set-of-policies, but I have no idea how to do so. I tried the Effective Permissions Tab but that seems to be hopelessly useless as well.

There must surely be some way to do this in an easier fashion that I'm just completely missing out on. I've ordered a book on the subject, but I mean this could take me months to do, and we neither have the resources nor the time to do so.

I am sure that others on this forum would have surely encountered this or a similar challenge, so I would be very interested to hear how you took care of this requirement. This is quite important for us, so all pointers are welcome.

Thank you, and hoping to get some help.



__________________

Go Aussie!



Member

Posts: 16
Date: Jun 24, 2012
RE: How to find out who is delegated what access in our Active Directory?


Hello Matthew,

We too would like to know how to display delegated access for a user in Active Directory. If you've found a solution, could you please share? 

Thank you.

Chad.



__________________


Member

Posts: 9
Date: Jul 20, 2012
RE: How to find out who is delegated what access in our Active Directory?


Hi Chad,

Yeah, after looking around for quite some time, earlier this year, we finally found a tool to help us determine who is delegated what access in our Active Directory.

Initially we were asked to do so by our IdM team. Then we unfortunately became victims of an Active Directory Denial of Service (DoS) Attack related to event log flooding, and as a result, one of the risk mitigation measures involved determining who could perform what tasks in our Active Directory.

We looked around quite a bit, evaluated many solutions and spoke to a few consulting companies but didn't really find any easy, reliable and efficient way to solve this problem.

Then, one day, one of my contacts in the federal government mentioned that they were using an American tool to solve the problem. We checked it out, and were quite pleasantly surprised to see it in action. We evaluated it for about a month, and then ended up licensing it.

The tool is called Gold Finger for Active Directory, and it's what we're using to find out who is delegated what access in our Active Directory.

It's almost a full-fledged Active Directory security analysis tool, and we've been quite happy with it, and it's helped us get a real grip on both who has what permissions, and, who is delegated what tasks in our AD.

In case it helps, I believe it's over at - www.paramountdefenses.com/goldfinger

Good luck.



__________________

Go Aussie!
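
An added example, not posted by any participant in this thread and unrelated to the tool named above: a PowerShell inventory of the explicit (non-inherited) permission entries set on each OU, which is the raw "who has what permissions" data the original question starts from. It assumes the RSAT ActiveDirectory module and read access to the directory; the output file name and the filter on built-in trustees are illustrative choices.

```powershell
# Added example: list explicitly delegated (non-inherited) ACEs on every OU.
# Assumes the RSAT ActiveDirectory module and read access to the directory.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE

# Map schema and extended-right GUIDs to names so ACE targets are readable.
$guidMap = @{}
$guidMap[[guid]::Empty] = 'All'
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGUID |
    ForEach-Object { $guidMap[[guid]$_.rightsGUID] = $_.name }

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        # Inherited entries are reported on the parent where they were set.
        if ($ace.IsInherited) { continue }
        # Illustrative filter: skip built-in trustees from the default OU ACL.
        # Entries for groups such as Domain Admins are kept; adjust as needed.
        if ($ace.IdentityReference.Value -match '^(NT AUTHORITY|BUILTIN)\\') { continue }

        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Trustee   = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType       # Allow or Deny
            Rights    = $ace.ActiveDirectoryRights   # e.g. ExtendedRight, WriteProperty
            Target    = $guidMap[$ace.ObjectType]    # property, class or extended right
            AppliesTo = $guidMap[$ace.InheritedObjectType]  # child class the ACE targets
            Scope     = $ace.InheritanceType         # None, All, Descendents, ...
        }
    }
}

# Hypothetical output file name.
$report | Sort-Object Trustee, OU |
    Export-Csv -Path .\ou-delegations.csv -NoTypeInformation
```

This lists what is written on each OU, not effective access: the resultant permissions on a given object still depend on inherited entries, Deny entries, and the nested group memberships of each trustee.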
