The world's most trusted forum on Active Directory Security
We are working on auditing the security on all vital files in file-servers, and we've noticed that on most files access has been provisioned using Active Directory security groups.
While we are able to determine who can modify these files on our file-servers, we're struggling with trying to find out who all in our environment could possibly change the membership of our Active Directory groups, so as to then be able to gain access to all files protected by a particular group.
We figured it was just a matter of looking at the ACL of the Active Directory security group, but we find ourselves staring at a bunch of permissions that we're not sure how to analyze correctly to make this determination.
We're thinking there has got to be an easier way to determine who can change/modify the membership of our Active Directory security groups.
Do you guys face a similar problem, and if so how do you address it?
Thank you for your help.
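One way to start the ACL analysis described in this question, as an added example that is not part of the thread: read the group's security descriptor and keep only the ACEs whose rights could change membership (GenericAll, GenericWrite, WriteProperty or the Self validated write scoped to the `member` attribute, WriteDacl, WriteOwner) plus the object owner. It assumes the RSAT ActiveDirectory module; the group name is a hypothetical placeholder.

```powershell
# Added example, not from the thread: list trustees whose ACE on one AD group
# could let them change that group's membership. Assumes the RSAT
# ActiveDirectory module; 'FS-Finance-Modify' is a hypothetical group name.
param([string]$GroupName = 'FS-Finance-Modify')

Import-Module ActiveDirectory

$R = [System.DirectoryServices.ActiveDirectoryRights]
# schemaIDGUID of the 'member' attribute. Paired with the Self right, the same
# GUID denotes the "Add/Remove self as member" validated write.
$MemberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$NullGuid   = [Guid]::Empty          # unscoped ACE: applies to every attribute

$group = Get-ADGroup -Identity $GroupName -Properties nTSecurityDescriptor
$sd    = $group.nTSecurityDescriptor
$rules = $sd.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$findings = @(foreach ($ace in $rules) {
    # Deny ACEs are not subtracted here; a full evaluation must apply them first.
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights   = $ace.ActiveDirectoryRights
    $onMember = ($ace.ObjectType -eq $NullGuid -or $ace.ObjectType -eq $MemberGuid)
    $why = if     ($rights.HasFlag($R::GenericAll))                   { 'GenericAll' }
           elseif ($rights.HasFlag($R::GenericWrite))                 { 'GenericWrite' }
           elseif ($rights.HasFlag($R::WriteProperty) -and $onMember) { 'WriteProperty on member' }
           elseif ($rights.HasFlag($R::Self) -and $onMember)          { 'Self-Membership (own account only)' }
           elseif ($rights.HasFlag($R::WriteDacl))                    { 'WriteDacl (can grant itself member rights)' }
           elseif ($rights.HasFlag($R::WriteOwner))                   { 'WriteOwner (can take ownership, then rewrite DACL)' }
    if ($why) {
        [pscustomobject]@{
            Trustee   = $ace.IdentityReference.Value
            Path      = $why
            Inherited = $ace.IsInherited   # inherited from the OU/domain head, not set on the group
        }
    }
})

# The owner can always rewrite the DACL, so it belongs on the list as well.
$owner = $sd.GetOwner([System.Security.Principal.NTAccount]).Value
$findings += [pscustomobject]@{ Trustee = $owner; Path = 'Owner'; Inherited = $false }

$findings | Sort-Object Trustee, Path -Unique | Format-Table -AutoSize
```

Most trustees returned will themselves be groups, so the next step is expanding each one recursively (for example with `Get-ADGroupMember -Recursive`) and repeating the analysis for any group that appears in the output, since whoever can modify those groups can indirectly modify this one.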
It turns out that it is a lot easier to determine who can modify files on file-servers, than it is to find out who can modify the Active Directory group memberships used to protect these files.
This is because Active Directory's access-control model is far more granular, and thus far more sophisticated than the file-system's access-control model.
In terms of how to determine this, it boils down to two choices - 1) invest a substantial amount of time, effort and expertise to write in-house scripts to try and make this determination or 2) use an automated solution designed to address this problem.
Most companies I have worked with end up trying 1) but ultimately realize that it's just not time/cost efficient to try to do this internally, so they end up with 2).
As for 2), unlike other easier problems in Active Directory, such as basic Active Directory reporting, for which there are many solutions available, for this problem, there is only one solution that I'm aware of.
It's worth mentioning that there are some solutions that claim that they can solve this problem, but in fact, they're merely showing you who has what permissions, so they don't actually solve the problem, but in fact take you 1 step ahead, and still leave 9 steps to climb yourself.
In essence, there is an easier way to determine who can change/modify the membership of our Active Directory security groups, which is to use an automated solution, but care must be taken in selecting the right solution, because there are many that claim to solve this problem.
I hope my input was helpful. Good luck with your search.
I'd rather be Skiing!
Thanks for your notes. Certainly helpful.
I've been looking for a while but have not found any automated solution to help me easily find out who can really change/modify an Active Directory group's membership.
I mean, we came across some solutions that claim to show us who can do what in Active Directory, but upon closer inspection, they're just showing us the ACLs / who has what permissions in Active Directory, which is the Step 1 you're referring to. With that info, I'm still left to do all the work myself to find out who can really do what in Active Directory.
Have you been looking around for such a solution too? If so, have you found anything that actually can show us who can really do what in Active Directory?