ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: How to audit access granted to a specific user/identity in Active Directory?


Member

Posts: 16
Date: Jun 4, 2012
How to audit access granted to a specific user/identity in Active Directory?


Hello Forum,

We would like to know how to audit access granted to a specific user/identity in Active Directory.

We were conducting an Active Directory security audit and are trying to determine which users are delegated what access in our Active Directory.

Specifically, we have some users from a vendor to whom we had delegated access rights a few months ago in some of our OUs. Basically, we had used the Delegation Wizard to delegate basic account and group management tasks.

Over the months, some of our admins have changed the access to some of these groups, as well as to some users individually. These were mostly done to provision access for some urgent access requirements that came up.

Now, we're not sure who can perform which tasks in our Active Directory, and this is frankly quite concerning. We are thinking about cancelling the vendor's contract and worry that some back door or hidden permission or the like might get left over when their access is terminated.

So we would like to be able to assess exactly what access rights / security permissions / privileges are delegated to these users.

If anyone has any suggestions on how to accomplish this in a simple way, that would be really helpful and appreciated.

Thank you.

Jeremy



__________________
Driod Rules!


Member

Posts: 18
Date: Jun 26, 2012
RE: How to audit access granted to a specific user/identity in Active Directory?


Hi Jeremy,

Your concerns are valid, and it's a little unfortunate that while Active Directory gives us the ability to delegate access so precisely, it lacks the ability to also show us who is delegated what access.

Fortunately, there are some options you have here, and there's always a cost-effort trade-off, so depending on how much effort you're willing to put in, you could solve the problem with a basic Microsoft utility like dsacls and a fair amount of repetitive work, or you could use an advanced 3rd party solution that completely automates the process of making such determinations.

If you could give me a sense of how much flexibility you have around a cost-effort trade-off, I think I could share some specific options with you, that could help you meet your needs.

Take care,

Nathan



__________________
Today is the tomorrow we worried about yesterday


Member

Posts: 16
Date: Jun 29, 2012
RE: How to audit access granted to a specific user/identity in Active Directory?


Nathan,

Thanks for your help. As for our question, we do have sufficient flexibility, in that we're open to all suggestions.

Realistically, we don't have the manpower or the bandwidth to do lots of manual in-house work, but we do have the budget to acquire the right solutions for the job.

Interestingly, our IT management has adopted the policy that it's best to have fewer but good IT admins and empower them with the tools they need to do the job, than to have lots of IT admins and have no budget for anything else.

I think the premise is that it's all about how many people they can "trust" their security with, so they'd rather minimize that number and enable them with all the right tools (which cost a fraction of hiring another admin anyway) to do the job well.

So, if its a little bit of in-house work, we're up for it, but we'd rather it be some sort of an automated solution that can just be deployed and solve the problem, because we don't want to break our heads too  

Thanks. I'll look forward to your suggestions.

Jeremy.



__________________
Driod Rules!


Member

Posts: 18
Date: Feb 5, 2013
How to audit access granted to a specific user/identity in Active Directory?


Jeremy,

Like most IT problems, this one is solvable manually, but you'll need to put in a lot of time and effort if you want to solve it manually. The upside of doing it manually is that you'll end up learning a lot about all the nitty-gritties of Active Directory security, and that's a good skill to have! The downside of doing it manually is that unless you have a small Active Directory, you might have white hair by the time you're done doing it manually.

Jokes aside, we struggled with this for the longest time. We tried many tools including dsacls, accesschk, adfind, AD Info, LDAP explorer, ADUCAdmin, AD Admin Plus, Permissions Analyzer from Solar Winds, etc., but with all of them we still ended up basically with the same problem: trying to determine effective rights in AD on our own, and that was quite painful.

Then one day, almost fortuitously, while casually browsing the web, I happened to come across this Active Directory Audit Tool. Turns out it basically automates determining effective rights in Active Directory, which is all that we needed to find out who is delegated what access in our OUs.

To make a long story short, we've been using it for quite some time now and it's pretty cool. If you don't have the time to break your head on this problem, you now have an option. The only thing is that it's a bit pricey, so if you do what I did (told my manager that we could show a lot of security and access improvements on his clock), you shouldn't have a problem there as well.

I've been in IT for almost 12 years now and what I love about IT is that for almost every IT problem out there, there's almost always a tool out there designed to solve that very problem!

Cheers,

Nathan



__________________
Today is the tomorrow we worried about yesterday
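The manual route Nathan describes (walking the OU ACLs to see who is delegated what) can be partly scripted. The example below is added here and is not code from the thread or from any of the tools it mentions: it enumerates every ACE in an OU subtree that names a given user directly or through any group the user is transitively a member of. It assumes the RSAT ActiveDirectory module, read access to the OUs, and the placeholder account and OU names shown in the usage line.

```powershell
# Added example, not code from the thread or from any tool it mentions.
# Lists every ACE in an OU subtree that names the given user directly or via
# any group the user belongs to (transitively). Assumes the RSAT ActiveDirectory
# module and read access to the OUs. It reports explicit and inherited ACEs,
# not effective rights: Deny-over-Allow precedence, well-known principals such as
# Authenticated Users, and rights reachable through other paths still need review.
Import-Module ActiveDirectory

function Get-DelegatedAcesForUser {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [Parameter(Mandatory)] [string]$SearchBase    # e.g. 'OU=Vendors,DC=corp,DC=example' (placeholder)
    )
    $user = Get-ADUser -Identity $SamAccountName

    # Transitive group membership via LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941)
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"

    # Match on SIDs so renamed groups and orphaned (unresolvable) trustees still compare correctly
    $sids = @($user.SID.Value) + @($groups | ForEach-Object { $_.SID.Value })

    # Subtree scope includes the base OU itself plus every OU and container beneath it
    $targets = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
        -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))'

    foreach ($t in $targets) {
        $acl = Get-Acl -Path "AD:\$($t.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }   # trustee cannot be translated to a SID; skip it
            if ($sids -contains $aceSid) {
                [pscustomobject]@{
                    Object              = $t.DistinguishedName
                    Trustee             = $ace.IdentityReference.Value
                    Type                = $ace.AccessControlType      # Allow or Deny
                    Rights              = $ace.ActiveDirectoryRights
                    ObjectType          = $ace.ObjectType             # property/extended-right GUID; all zeros = whole object
                    InheritedObjectType = $ace.InheritedObjectType    # object class the ACE applies to; all zeros = any
                    Inherited           = $ace.IsInherited
                }
            }
        }
    }
}

# Usage with placeholder values; keep the export as the review record before revoking the vendor's access
# Get-DelegatedAcesForUser -SamAccountName 'vendor.jdoe' -SearchBase 'OU=Vendors,DC=corp,DC=example' |
#     Export-Csv -NoTypeInformation -Path .\vendor-aces.csv
```

Run it once per vendor account and compare the output against what the Delegation Wizard was originally meant to grant; any ACE that is not in that baseline is a candidate for removal.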