ActiveDirSec.Org

The world's most trusted forum on Active Directory Security
Rob


Member

Posts: 7
Date: Jun 20, 2012
How to audit group membership management rights in Active Directory?


Hello,

I would also like to know how to audit group membership management rights in Active Directory. Specifically, I would like to be able to audit who has rights to modify/change group memberships in our Active Directory.

This is very important for us, because we have lots of groups, and many people have the ability to change group memberships, either directly, or indirectly, and as a result, we don't really have a handle on what our group memberships look like on any given day.

So basically, what we need is the ability to audit the following group management related tasks in our Active Directory - 

  1. List of all users who can modify existing group memberships
  2. List of all users who can create new group memberships
  3. List of all users who can delete existing group memberships
  4. List of all users who can modify permissions on group memberships

Now, we've tried performing some basic security analysis in our Active Directory to try and make these determinations but it is proving to be very difficult. There seem to be way too many permissions, permission types, Special Permissions, inherited permissions etc, that are all really hard to put our heads around and arrive at any sort of determination.

In fact, we're not sure how to begin trying to make this determination.

I'm sure others on this forum may have faced this issue as well, so if you'd be inclined to share your experiences, it would be very helpful.

Thank you very much.

-Rob



__________________


Member

Posts: 9
Date: Jun 23, 2012
RE: How to audit group membership management rights in Active Directory?


Hi Rob,

We faced a similar situation a few weeks ago, during an audit. We were asked to provide a list of all individuals who had access to certain file servers, show how they had access (i.e. via which group memberships) AND provide a list of who all had the ability to manage (basically change) these domain security group memberships.

We first tried to do this internally but quickly found that it was rather time and expertise intensive, so then we tried to get some consultants on board to help out. While they were able to get us a list of which groups had the ability to access the files on the file servers, they too could not fulfill the last requirement, i.e. help us determine who can manage these domain security group memberships.

We finally turned to our MCS contact, and they pointed us to a solution that they thought could help us find out who can modify these group memberships. We gave it a shot, and it turned out to be exactly what we needed, so we've been using it since.

Depending on how many security groups you have, you could try solving the problem manually, but if you have a decent number, you may wish to consider other options, as it's too painful to try and do this manually, and each time you need to furnish this data.

Good luck to you.

-J.



__________________


Member

Posts: 10
Date: Jun 23, 2012
RE: How to audit group membership management rights in Active Directory?


Hi Rob,

I too agree that it's a real pain to try and find out who can do anything at all in Active Directory, let alone trying to find out who can manage group memberships.

A few weeks ago, we were required to furnish data that effectively documented the list of all the people who could manage our executive accounts. 

First we thought it was a matter of dumping the ACLs on all objects on these accounts and delivering it, but then we found that just the ACL listings were grossly insufficient, because they had permissions which granted (and for some permissions denied) access to some of our security groups, and most of these groups had other groups in them.

So, we ended up realizing the hard way that it is very difficult and complicated to figure out who has what access in our Active Directory.

I just wanted to share my experience, to let you know, that you are not alone in facing this issue. I think this issue is common to Active Directory and faced by most admins who are tasked with finding out this info.

We did a lot of research, and finally ended up licensing a 3rd party solution to help us complete the audit.

Anyway, I wish you all the best in figuring it out.

George.



__________________

"There is the finest line between data and evidence" - Dale Adams
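The two problems raised above (Rob's four questions about who can change, create, delete or re-permission group memberships, and George's point that a raw ACL dump misses deny entries and groups nested inside the trustee groups) can be worked through with a read-only PowerShell pass over the group objects' security descriptors. The script below is an added example and is not code from the thread or from any product mentioned in it. It assumes the RSAT ActiveDirectory module, the AD: PSDrive it provides, and an account that can read security descriptors. It keys on the schemaIDGUID of the `member` attribute (bf9679c0-0de6-11d0-a285-00aa003049e2), treats WriteDacl/WriteOwner and the object owner as indirect routes to membership changes, resolves nested trustee groups server-side with the LDAP_MATCHING_RULE_IN_CHAIN matching rule, and keeps Deny entries in the output so they can be weighed against the Allows. The function and parameter names are my own choices.

```powershell
Import-Module ActiveDirectory

# schemaIDGUID of the 'member' attribute. The 'Self-Membership' validated write
# (ActiveDirectoryRights 'Self') is scoped by the same GUID.
$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$AllGuid        = [Guid]'00000000-0000-0000-0000-000000000000'

# Rights that change membership directly (WriteProperty on member, Self) or let
# the trustee rewrite the group's ACL first (WriteDacl, WriteOwner). GenericAll
# and GenericWrite are supersets of these flags, so the bitwise test catches them.
$RightsMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Self, WriteDacl, WriteOwner'

# Each trustee is expanded once, however many ACEs name it.
$ExpansionCache = @{}

function Expand-Trustee {
    # Resolves an ACE identity to the users/computers that ultimately hold it:
    # a user maps to itself, a group to its recursive membership, and well-known
    # or foreign principals (Everyone, Authenticated Users, SELF, ...) are
    # returned unexpanded but kept visible, since they can grant broad access.
    param([System.Security.Principal.IdentityReference]$Identity)
    $key = $Identity.Value
    if ($ExpansionCache.ContainsKey($key)) { return $ExpansionCache[$key] }
    $obj = $null
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass
    } catch { }
    if ($null -eq $obj) {
        $members = @("$key (not a domain object, not expanded)")
    } elseif ($obj.objectClass -eq 'group') {
        # LDAP_MATCHING_RULE_IN_CHAIN walks the nesting server-side in one query.
        # objectClass=user also matches computer accounts, which is intended.
        $filter  = "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$($obj.DistinguishedName)))"
        $members = @(Get-ADObject -LDAPFilter $filter | ForEach-Object Name)
    } else {
        $members = @($obj.Name)
    }
    $ExpansionCache[$key] = $members
    return $members
}

function Get-GroupMembershipWriters {
    # Emits one row per effective ACE (and one for the owner) that can alter a
    # group's membership, for every group under $SearchBase.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    foreach ($group in Get-ADGroup -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path ("AD:\" + $group.DistinguishedName)

        # The owner can always rewrite the DACL, even with no ACE saying so.
        [pscustomobject]@{
            Group      = $group.Name
            Trustee    = $acl.Owner
            Type       = 'Owner'
            Rights     = '(implicit WriteDacl)'
            Inherited  = $false
            Principals = (Expand-Trustee ([System.Security.Principal.NTAccount]$acl.Owner)) -join '; '
        }

        foreach ($ace in $acl.Access) {
            # Inherit-only ACEs exist to propagate to children; they do not apply here.
            if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
            # Keep only ACEs scoped to 'member' or to every attribute/right.
            if ($ace.ObjectType -ne $MemberAttrGuid -and $ace.ObjectType -ne $AllGuid) { continue }
            if (($ace.ActiveDirectoryRights -band $RightsMask) -eq 0) { continue }
            [pscustomobject]@{
                Group      = $group.Name
                Trustee    = $ace.IdentityReference.Value
                Type       = $ace.AccessControlType   # a Deny here overrides matching Allows
                Rights     = $ace.ActiveDirectoryRights
                Inherited  = $ace.IsInherited
                Principals = (Expand-Trustee $ace.IdentityReference) -join '; '
            }
        }
    }
}

# Example run: every principal that can touch memberships, grouped by group.
Get-GroupMembershipWriters | Sort-Object Group, Type | Format-Table -AutoSize
```

Read the output per group: an Allow row for a trustee whose expanded `Principals` list includes a person, with no Deny row naming that person or one of their groups, is someone who can change that membership. The script deliberately does not compute a single "effective" verdict; AD's Deny-before-Allow ordering, inherited-ACE interaction and the owner's implicit rights are exactly the details the replies above found hard to reason about, so they are left visible for review rather than collapsed away.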



Member

Posts: 6
Date: Jun 23, 2012
RE: How to audit group membership management rights in Active Directory?


Hi Rob,

We've been there, and done (or rather dealt with) that.

The term for what you are trying to do is "determining resultant access in Active Directory". You can Google the term to learn more.

This isn't easy to do at all, but it is very important, and doable.

Good luck.

Philippe.



__________________

I'd rather be Skiing!

Rob


Member

Posts: 7
Date: Jun 25, 2012
How to audit group membership management rights in Active Directory?


Hi Philippe,

When you say "been there, done that", do you mean you've found a way to audit group membership management rights in Active Directory?

IF that is the case, could you kindly share how you're doing it?

Thanks much!

Rob.



__________________


Member

Posts: 6
Date: Jul 20, 2012
RE: How to audit group membership management rights in Active Directory?


Hi Rob,

Certainly, we're using a tool called Gold Finger for AD to audit access rights in Active Directory, including group membership management rights.

Here's a link to it - www.paramountdefenses.com/goldfinger

Philippe



__________________

I'd rather be Skiing!
