ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: How to audit security permissions in Active Directory


Member

Status: Offline
Posts: 7
Date: Jun 1, 2011


Hi. I would like to know what is the most efficient way to audit security permissions in our Active Directory deployment? We have about 2000 objects in our Active Directory, and I believe we may have close to 75-odd delegated admins.

In addition, over the past few years, we've granted many access rights to service accounts and while it's been easy to grant these permissions with precision, it's not been that easy to try and find out who has what access in our Active Directory.

We're looking for an efficient and reliable way to audit permissions in Active Directory, and are all ears for good ideas.

Thank you very much.



__________________

Wherever you go and whatever you do, may the luck of the Irish be there with you.



Newbie

Status: Offline
Posts: 1
Date: Jun 16, 2011
 
 

Geoffrey,

I think I understand what you're asking, but it is not entirely clear from your post as to which of the two you are interested in -

1. How to find out where a user/group has permissions in Active Directory?

OR

2. How to find out who is actually delegated what access in Active Directory?

These are two related things, but there is a VAST difference between the two.

In short, the first one is not that difficult at all, but the second one is very, very difficult, and in fact requires a lot of time, effort and expertise.

If you can let me know which one you were alluding to, I can share some more info. Having faced a similar challenge last year, I've actually spent quite some time on both, and after a lot of research and countless hours of trying to write scripts, have finally found one solution for both of the above.

Let me know and I'll be happy to share some more information.

Philippe.



__________________

I'd rather be Skiing!



Member

Status: Offline
Posts: 7
Date: Jul 12, 2011
 
 

Hi Philippe,

Thanks for your help. Your question is rather interesting, because the answer is YES to both.

You see, we are trying to find out who is delegated what access in our Active Directory, and as far as I know, to do so, we need to find out who has what permissions in our Active Directory. (At least, that is OUR understanding of how to do so.)

In short, we need to know who can perform things like controlling the Domain Admins group membership, resetting user account passwords, deleting OUs etc.

I hope this helps and I hope that in light of this you can provide some guidance.

Thank you very much in advance.

Geoffrey.



__________________

Wherever you go and whatever you do, may the luck of the Irish be there with you.
