ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Member

Posts: 16
Date: Jun 24, 2012
How do view/list/display/report delegated access for a user in Active Directory
Hello,

I would like to know how one can view/list/display/report delegated access for a user in Active Directory? 

We have a single forest, two domain environment, and we've done a fair level of delegation in our Active Directory to try and minimize the number of Domain Admins in our environment.

We have a few contractors who are also delegated varying levels of privilege in our Active Directory, and we need to know what access is delegated to contractors.

To be precise, we need to display and document delegated access for a specific person in our Active Directory, and we need to do so in terms of the administrative tasks they can perform, since they were delegated tasks using the Delegation Wizard in Active Directory.

Is there a delegation reporting capability in Active Directory, or does Microsoft offer any tool to view/display/document delegated access in Active Directory?

If anyone knows of how to do this, we would greatly appreciate your suggestions/experiences with this. This is important and time-sensitive for us.

Thank you.

Chad.



__________________


Member

Posts: 9
Date: Jun 27, 2012
RE: How do display delegated access for a user in Active Directory

Hi Chad,

Unfortunately, there is no delegation assessment/analysis/reporting capability in Active Directory. This is unfortunate, because the delegation ability is awesome, but without a delegation reporting capability, it is very difficult to find out who is delegated what access in Active Directory.

Fortunately, Microsoft at least has a huge partner ecosystem, and at our workplace we use an automated solution built by a Microsoft partner to report on Active Directory delegations.

Our only other choice was to write scripts or hire consulting companies to help out. It turns out that even the best consulting companies don't know how to do this. So we licensed the tool to help with this.

It's also not an easy problem to solve, which is why I think there are hardly any solutions in this space.

- Antoin



__________________
Judge a man by his questions rather than by his answers


Member

Posts: 16
Date: Jan 17, 2013
RE: How do view/list/display/report delegated access for a user in Active Directory

Hi Antoine,

Thanks for your input. Indeed, this is a very important problem for us, and we were disappointed to see the lack of an adequate solution in the Active Directory itself. Fortunately, after some looking around, we found a way to get real insight into the state of delegated access in our Active Directory.

As we started looking for solutions, we realized that what we needed was not a way to find out who has what permissions where in our Active Directory, but a way to find out who has what effective permissions in our Active Directory.

This was initially clear, and we got some not-so-good advice from TechNet forums, which seemed to suggest that in order to determine delegations, we only needed to find out who had what permissions. Fortunately, we came across a helpful write-up that helped us understand the difference, which btw can be found here.

Anyway, along the way we analyzed various tools including dsacls, checkdsacls, Permission Analyzer for Active Directory, LIZA and ADUCAdmin, but none of them could do what we were looking for, i.e., help us determine effective permissions in our Active Directory.

(Interestingly, some of these tools claim to be able to do effective permissions, but they're just showing all the ACEs that apply to a given user, basically leaving us to do all the work ourselves. We were a bit surprised that the vendors of these tools did not seem to know what effective permissions actually mean.)

To make a long story short, we've found what we're looking for and are now happy campers.

Cheers,

Chad.

__________________
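The distinction Chad draws between "who has which ACEs" and "who has which effective permissions", as an added example that is not from this thread or from any of the tools named in it: a small Python model of how Windows evaluates a DACL in canonical order (explicit deny, explicit allow, inherited deny, inherited allow) against a user's token, run over a constructed ACL with placeholder SIDs and simplified right names. It deliberately ignores object-type GUIDs, inheritance scope and property sets, which a real Active Directory effective-permissions calculation must also resolve.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    kind: str          # "allow" or "deny"
    trustee: str       # SID of the user or group the ACE names
    rights: frozenset  # simplified right names (not real AD GUIDs)
    inherited: bool    # True if inherited from a parent container

def canonical_order(dacl):
    """Order ACEs the way Windows expects a canonical DACL:
    explicit deny, explicit allow, inherited deny, inherited allow."""
    rank = {(False, "deny"): 0, (False, "allow"): 1,
            (True, "deny"): 2, (True, "allow"): 3}
    return sorted(dacl, key=lambda a: rank[(a.inherited, a.kind)])

def listed_allow_rights(dacl, token):
    """What an ACE-listing tool effectively reports: the union of rights in
    every allow ACE naming the user or one of their groups. It leaves the
    deny ACEs and precedence rules for the reader to reconcile by hand."""
    return set().union(*(a.rights for a in dacl
                         if a.trustee in token and a.kind == "allow"))

def has_right(dacl, token, right):
    """Access check for one right: the first ACE in canonical order whose
    trustee is in the token and that mentions the right decides the outcome.
    No matching ACE means the right is implicitly denied."""
    for ace in canonical_order(dacl):
        if ace.trustee in token and right in ace.rights:
            return ace.kind == "allow"
    return False

def effective_rights(dacl, token, all_rights):
    """The effective permissions: every right the access check grants."""
    return {r for r in all_rights if has_right(dacl, token, r)}

# Constructed sample (placeholder SIDs): a contractor who is a member of
# the Helpdesk and Contractors groups but not of Server Operators.
USER, HELPDESK, CONTRACTORS, SERVER_OPS = (
    "S-1-5-21-0-0-0-1105", "S-1-5-21-0-0-0-1200",
    "S-1-5-21-0-0-0-1300", "S-1-5-21-0-0-0-1400")
TOKEN = {USER, HELPDESK, CONTRACTORS}
RIGHTS = {"ResetPassword", "ReadProperty", "WriteMember", "CreateChild"}
OU_STAFF_DACL = [
    Ace("allow", HELPDESK, frozenset({"WriteMember"}), inherited=True),     # from domain root
    Ace("deny", CONTRACTORS, frozenset({"WriteMember"}), inherited=False),  # explicit deny on OU
    Ace("deny", CONTRACTORS, frozenset({"ResetPassword"}), inherited=True), # inherited deny
    Ace("allow", HELPDESK, frozenset({"ResetPassword", "ReadProperty"}), inherited=False),
    Ace("allow", SERVER_OPS, frozenset({"CreateChild"}), inherited=False),  # not in token
]

if __name__ == "__main__":
    print("ACEs would suggest:", sorted(listed_allow_rights(OU_STAFF_DACL, TOKEN)))
    print("Effective rights:  ", sorted(effective_rights(OU_STAFF_DACL, TOKEN, RIGHTS)))
```

The listing shows WriteMember because an inherited allow ACE names Helpdesk, but the explicit deny on Contractors wins, while the explicit allow for ResetPassword beats the inherited deny; only the second computation tells you what the contractor can actually do.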