ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: How to audit security rights in Active Directory?


Member

Posts: 16
Date: Jun 4, 2012
How to audit security rights in Active Directory?


Hello,

I would like to know how to audit security rights in Active Directory?

We have a 2-domain single forest environment, and wish to audit security rights in our primary domain. We need to know who has what rights on which objects in our Active Directory? 

There does not appear to be any way to do this in Active Directory using the inbuilt Active Directory tools. We also do not have the expertise or budget to write, test and maintain any in-house scripts to do so.

Can someone please suggest how to go about performing an audit of security rights in our Active Directory in an efficient manner?

- Chad



__________________


Member

Posts: 10
Date: Jun 25, 2012
RE: How to audit security rights in Active Directory?


Hi Chad,

Have you given dsacls from Microsoft a shot? I believe it can help view the ACL of an object, and I suppose that should be sufficient. Just a thought.

Andy.



__________________

Music is the soul of life! & IT Management Best-Practices 



Member

Posts: 16
Date: Jun 29, 2012
RE: How to audit security rights in Active Directory?


Hi Andy,

We did try dsacls. It is fairly simplistic, and did not deliver what we're looking for. We need to be able to analyze Active Directory ACLs, find out who has what security rights, and possibly document them by dumping them to a CSV file.

Thanks,

Chad.



__________________


Member

Posts: 5
Date: Jul 8, 2012
RE: How to audit security rights in Active Directory?


Hi Chad,

Auditing security rights in Active Directory is very important for Active Directory security because it helps you find out who has what access in your Active Directory.

Knowing who has what access in your Active Directory at all times is an essential component of any Active Directory Security Audit, and in fact no Active Directory Security Audit should be considered complete without it.

This is particularly important because of the increasing risk of advanced threats like Security Privilege Escalation in Active Directory, which any user in the environment can carry out with the right tools.

Fortunately we cover this in our Active Directory Security Audit Services, so if we can help, please feel free to look us up and let us know. My contact info is in my signature.

Thanks, and good luck,

Ryan



__________________

We help organizations with Active Directory Security Audit services.



Member

Posts: 6
Date: Jul 18, 2012
RE: How to audit security rights in Active Directory?


Hi Chad,

Have you considered writing in-house scripts to try and dump AD ACLs?

Samuel.



__________________


Newbie

Posts: 2
Date: Jul 20, 2012
How to audit security rights in Active Directory?


Hi Chad,

Have you tried this? It's the most capable tool we've come across to audit security rights in Active Directory.

Thanks,

John.



__________________


Member

Posts: 12
Date: Mar 6, 2013
RE: How to audit security rights in Active Directory?


Hi Chad,

Performing an audit of security rights in Active Directory is not an easy task. As you know, there are thousands of permissions in even the smallest of Active Directory deployments, based just on the default access rights in Active Directory itself, so trying to make sense of them is not easy.

This is however very important, and I have seen many IT admins trying to figure out who has what permissions where in Active Directory. It turns out though that trying to determine who has what permissions is hardly helpful, because what matters is not who has what permissions but who has what effective permissions in Active Directory.

This is because a user could have multiple permissions, some directly and others based on group memberships, whether direct or nested, and at the end of the day, the system takes all of them into account to determine the effective access a user has, before allowing or denying a user's request to perform some task in Active Directory.

Thus, if you are looking to audit security rights in Active Directory, my suggestion would be to determine effective permissions on all critical Active Directory objects. To do so, you can use an Active Directory Effective Permissions tool, so you can get the information you need quickly and without having to break your head.

Speaking of which, as JohnC indicated, the Gold Finger for AD Active Directory Audit Tool is one of the only tools that can correctly determine Effective Permissions in Active Directory. Anyways, whichever way you get to it, the key thing is to determine effective access rights, as opposed to who has what permissions.

Best wishes,

Nicolas.



__________________
Bond: There’s a name to die for! (Die Another Day)
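
The difference between listed permissions and effective permissions described in the post above, as an added example that is not part of the original thread or of any tool mentioned in it: the sketch expands nested group membership, puts the ACEs in canonical order and walks them so that the first ACE to decide a right wins. It is a simplified model that assumes plain allow/deny ACEs only (no object-specific ACEs, inherit-only flags or owner rights), and every principal, group and ACE in it is constructed sample data.

```python
from collections import namedtuple

# Simplified model: a few access-mask bits as defined in ADS_RIGHTS_ENUM.
RIGHTS = {"ReadProperty": 0x10, "WriteProperty": 0x20,
          "ExtendedRight": 0x100, "WriteDacl": 0x40000}
Ace = namedtuple("Ace", "trustee ace_type mask inherited")

def expand_groups(principal, member_of):
    """Return the principal plus every group it is in, directly or nested."""
    seen, stack = set(), [principal]
    while stack:
        name = stack.pop()
        if name not in seen:  # also guards against circular nesting
            seen.add(name)
            stack.extend(member_of.get(name, ()))
    return seen

def canonical_order(aces):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.ace_type != "deny"))

def effective_mask(principal, aces, member_of):
    """Walk the ACL in order; the first matching ACE to decide a bit wins."""
    identities = expand_groups(principal, member_of)
    granted = denied = 0
    for ace in canonical_order(aces):
        if ace.trustee in identities and ace.ace_type == "allow":
            granted |= ace.mask & ~denied
        elif ace.trustee in identities:
            denied |= ace.mask & ~granted
    return granted

def rights_names(mask):
    return sorted(name for name, bit in RIGHTS.items() if mask & bit)

# Constructed sample data: nested groups and the ACL of one hypothetical OU.
R = RIGHTS
MEMBER_OF = {"alice": ["Helpdesk"], "Helpdesk": ["OU-Operators"],
             "bob": ["Contractors", "Helpdesk"]}
OU_ACL = [
    Ace("OU-Operators", "allow", R["ReadProperty"] | R["WriteProperty"], True),
    Ace("Helpdesk", "deny", R["WriteDacl"], True),
    Ace("Helpdesk", "allow", R["ExtendedRight"], False),
    Ace("Contractors", "deny", R["WriteProperty"] | R["ExtendedRight"], False),
    Ace("alice", "allow", R["WriteDacl"], False),
]

for user in ("alice", "bob"):
    print(user, rights_names(effective_mask(user, OU_ACL, MEMBER_OF)))
```

In this sample both users are Helpdesk members, yet bob ends up with read access only because of the explicit deny on Contractors, while alice keeps WriteDacl because her explicit allow is evaluated before the inherited deny.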