The world's most trusted forum on Active Directory Security

Post Info TOPIC: How to View / List / Audit Delegated Access Rights in Active Directory


Posts: 8
Date: Jan 3, 2013


We are in the middle of incorporating Active Directory Security Audits as a part of our regular internal security audit processes, and as I had indicated, we were trying to determine what all to cover in an Active Directory Security Audit.

One of the key things we've been asked to audit is delegated access rights in our Active Directory. Specifically, management would like to know who is delegated the ability to carry out sensitive operations in our Active Directory, like account creations, password resets, OU deletions and group membership changes.

We have a fair amount of delegation in our Active Directory that has been put in place over time over the last few years, and unfortunately there's not much in the way of internal documentation, so while some of our IT admins have an estimated idea of who might be able to take these actions, we don't really know for sure, and so this is one of the things we're trying to get to the bottom of.

This is quite important for us as this now has upper management visibility, so we're looking for ways to audit delegated access in our Active Directory. Before we start investing serious time and effort into this, I thought I'd check to see if there's an easy way to do this, because we're quite time and manpower constrained, given the economy.

If anyone has any experience in this regard, we would be thankful for any suggestions.

Thank you.



I would trade all my technology for an afternoon with Socrates - Steve Jobs
