The world's most trusted forum on Active Directory Security

Post Info TOPIC: How to perform an Active Directory Delegation Audit?


Posts: 1
Date: Aug 12, 2013
How to perform an Active Directory Delegation Audit?


I would like to know how to perform an Active Directory Delegation Audit in our internal corporate environment.

Our organization is a conglomerate of many companies, and we have operations in about a dozen locations in Europe. Over the last few years, as we have grown via mergers and acquisitions, we have taken in (added) new domains to our main global forest.

Our administrative model is primarily decentralized, and we have implemented delegations in our Active Directory domains and OUs to facilitate local (regional) management of IT resources, primarily due to the way our cost-centers are set up.

With increased attention to cyber security from top-level management, our operational teams are being asked to conduct security audits and report back to management. As the core DS team, we are tasked with doing an audit of our administrative delegation model in our Active Directory, and documenting who has what delegated administrative powers/rights in our Active Directory, across all domains in the forest.

We are a little challenged on how to do this, because although we have a good delegation model on paper, in reality things seem to be far different, and there seems to be no easy way to verify the delegations.

One of our engineers suggested doing an ACL dump of all permissions in Active Directory, and then analyzing the permissions, but there are thousands of permissions and we are afraid that doing it that way could take us weeks, not to mention that it seems very complicated and painful to do.

So I was wondering if there is an easy and efficient way to perform such an audit. I know there is a Delegation Wizard in Active Directory, but is there an Active Directory Delegation Audit Wizard as well, that could help us easily audit our delegations?

For the current situation, it is okay if we can just report on common delegated tasks like: who can create user accounts, who can reset user account passwords, who can change group memberships, who can delete organizational units (OUs), who can link GPOs to OUs, and who can modify the keywords of service connection points (SCPs)?

(The SCP requirement stems from the fact that we have an in-house LOB application that is multi-instanced and its clients rely on keyword queries to AD to locate the right instance for a client based on the client's geographic location.)

In case it helps, we also make use of some DENY permissions, primarily to ensure that admins from one region cannot administer resources in other regions, so that is adding to our difficulty.

We have 4 weeks to finish the project and submit our findings, so this is a bit time sensitive for us, as we are already 1 week into the project. If anyone can help us out, it would be deeply appreciated.
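The "ACL dump" approach the poster's engineer suggested is workable if the dump is filtered down to the specific rights that map to each delegated task, instead of read ACE by ACE. The following script is an added example, not code from the original post or from the forum; it assumes the RSAT ActiveDirectory module, an account that can read security descriptors in every domain of the forest, and a target list of the six tasks named in the question. The helper names (Get-SchemaGuid, Get-ExtendedRightGuid, Test-AceMatchesTask) and the task table are this example's own; the GUIDs are resolved at run time from the schema and the Extended-Rights container rather than hard-coded.

```powershell
# Added example (not from the original post). Reports who holds six common
# delegated rights on every OU in every domain of the forest, including
# Deny ACEs, and computes a first-pass "effective" verdict per trustee.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# Resolve GUIDs from the directory so a typo cannot silently match the wrong attribute.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$Cn) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -LDAPFilter "(cn=$Cn)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

# Each task = the access right, the ACE ObjectType it must carry (or "all"),
# and the InheritedObjectType class it must apply to (or any).
$tasks = @(
  @{ Name='Create user accounts';     Rights='CreateChild';   ObjectType=(Get-SchemaGuid 'user');               Inherited=$null }
  @{ Name='Reset user passwords';     Rights='ExtendedRight'; ObjectType=(Get-ExtendedRightGuid 'User-Force-Change-Password'); Inherited=(Get-SchemaGuid 'user') }
  @{ Name='Change group membership';  Rights='WriteProperty'; ObjectType=(Get-SchemaGuid 'member');             Inherited=(Get-SchemaGuid 'group') }
  @{ Name='Delete OUs (as child)';    Rights='DeleteChild';   ObjectType=(Get-SchemaGuid 'organizationalUnit'); Inherited=$null }
  @{ Name='Link GPOs to OU';          Rights='WriteProperty'; ObjectType=(Get-SchemaGuid 'gPLink');             Inherited=$null }
  @{ Name='Modify SCP keywords';      Rights='WriteProperty'; ObjectType=(Get-SchemaGuid 'keywords');           Inherited=(Get-SchemaGuid 'serviceConnectionPoint') }
)
$guidAll = [guid]::Empty   # empty ObjectType/InheritedObjectType means "all"

function Test-AceMatchesTask($Ace, $Task) {
    $want = [System.DirectoryServices.ActiveDirectoryRights]$Task.Rights
    # GenericAll contains every specific bit, so full control matches automatically.
    $hasRight = ($Ace.ActiveDirectoryRights -band $want) -eq $want
    $typeOk   = ($Ace.ObjectType -eq $guidAll) -or ($Ace.ObjectType -eq $Task.ObjectType)
    $inhOk    = ($null -eq $Task.Inherited) -or ($Ace.InheritedObjectType -eq $guidAll) -or
                ($Ace.InheritedObjectType -eq $Task.Inherited)
    # Known gap: an ACE granting a property *set* that contains the attribute is not expanded here.
    return ($hasRight -and $typeOk -and $inhOk)
}

$report = foreach ($domain in (Get-ADForest).Domains) {
    $dc = (Get-ADDomainController -DomainName $domain -Discover).HostName[0]
    foreach ($ou in (Get-ADOrganizationalUnit -Filter * -Server $dc)) {
        $sd = ([adsi]"LDAP://$dc/$($ou.DistinguishedName)").ObjectSecurity
        foreach ($ace in $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
            foreach ($task in $tasks) {
                if (Test-AceMatchesTask $ace $task) {
                    [pscustomobject]@{
                        Domain      = $domain
                        OU          = $ou.DistinguishedName
                        Task        = $task.Name
                        Trustee     = $ace.IdentityReference.Value
                        Type        = $ace.AccessControlType   # Allow or Deny
                        Inherited   = $ace.IsInherited
                        InheritOnly = ($ace.PropagationFlags -band 'InheritOnly') -ne 0
                    }
                }
            }
        }
    }
}

# First-pass effective verdict per (OU, task, trustee), following canonical DACL
# order: explicit Deny > explicit Allow > inherited Deny > inherited Allow.
$effective = $report | Group-Object Domain, OU, Task, Trustee | ForEach-Object {
    $allow = @($_.Group | Where-Object Type -eq 'Allow')
    $deny  = @($_.Group | Where-Object Type -eq 'Deny')
    $explicitDeny  = @($deny  | Where-Object { -not $_.Inherited })
    $explicitAllow = @($allow | Where-Object { -not $_.Inherited })
    $granted = ($allow.Count -gt 0) -and ($explicitDeny.Count -eq 0) -and
               (($explicitAllow.Count -gt 0) -or ($deny.Count -eq 0))
    [pscustomobject]@{
        Domain = $_.Group[0].Domain; OU = $_.Group[0].OU; Task = $_.Group[0].Task
        Trustee = $_.Group[0].Trustee; Granted = $granted
        DenyAces = $deny.Count; AllowAces = $allow.Count
    }
}

$report    | Export-Csv -NoTypeInformation -Path .\delegation-aces.csv
$effective | Export-Csv -NoTypeInformation -Path .\delegation-effective.csv
```

Two caveats a practitioner should keep in mind when reading the output. First, the "Granted" column is computed per trustee name only; a Deny placed on a group that the trustee belongs to through nesting is not subtracted, so the raw ACE file is the authoritative record and the effective file is a triage aid. Second, the OU-delete task is reported as DeleteChild on the parent; a Delete or DeleteTree right held directly on the OU object itself would need a second pass over the OU's own DACL with those rights.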


