ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: How to audit delegated administrative access in an Active Directory OU?


Member

Posts: 8
Date: May 31, 2012
How to audit delegated administrative access in an Active Directory OU?


Hello,

I would like to know how to go about auditing delegated administrative access on an Organizational Unit (OU) in Active Directory.

We are in the midst of performing a quarterly review of delegated access, and are finding it difficult to determine precisely who is delegated which administrative tasks.

For example, we're trying to get a sense of how many people can perform password resets and how many people can enable stale accounts.

It appears that although you can conceptually delegate tasks, it all boils down to the Delegation Wizard applying security permissions on AD objects.

So how do we go about analyzing these security permissions in our Active Directory, and then how do we subsequently determine who is delegated what tasks?

It's turning out to be much more complicated and time-consuming than we initially planned and budgeted for, so we're hitting a road-block with this.

Would appreciate any ideas/suggestions.

-R



__________________

Go Proteas... we are the champions!  (; and some boring stuff.)



Member

Posts: 16
Date: Jun 22, 2012
RE: How to audit delegated administrative access in an Active Directory OU?


Rossi,  

Have you considered writing scripts or using PowerShell? Agreed, these may not be the most efficient or reliable way to go, but they're certainly A way.

Just my 2c.



__________________


Member

Posts: 8
Date: Jun 22, 2012
RE: How to audit delegated administrative access in an Active Directory OU?


Hi Aaron,

Thanks for your 2c. Yes, we did try both scripting as well as PowerShell.

Unfortunately, it turns out that the problem is quite difficult to solve, and neither scripting nor PowerShell could help us figure this out.

There were numerous challenges we came up against, such as the presence of a very large number of permissions, access granted to various individuals and groups, group nestings, special permissions, etc., just to name a few, and after a few weeks of effort we gave up trying.

We also tried to hire a few consultants to help, but the only thing we got out of them was a big fat bill and a bunch of permission reports, which were no good.

So, if anyone knows of a way to solve this problem, we're all ears.

Thanks,

Rossi.



__________________

Go Proteas... we are the champions!  (; and some boring stuff.)



Member

Posts: 21
Date: Jun 26, 2012
RE: How to audit delegated administrative access in an Active Directory OU?


Hi Rossi,

Trying to audit delegated administrative access in Active Directory is a very difficult problem, but most organizations aren't aware of the magnitude of the challenge involved in doing it, because most organizations have never attempted to make this determination.

As you have experienced first-hand, the sheer number of factors one has to take into account makes it almost impossible to make this determination in any reasonable time-frame or with any level of accuracy.

We spent a good deal of time last year trying to solve the same problem, and after months of trying to solve it ourselves, using scripts, trying PowerShell, using consultants, we very nearly gave up.

Then, one day last Summer, while visiting Haifa, I happened to mention the challenge to a friend at Microsoft, and they pointed me to one of their partners, which happens to specialize in solving this very challenge.

We tried their solution, and it worked like a charm. We licensed it within weeks, and have been using it since. It has been a life-saver for us, given the need to deliver security while dealing with reductions in budgets.

Let me know if this can help, and I'll be happy to point you in its direction.

Sincerely,

Ishmael.



__________________

There isn't a system that cannot be broken into.



Member

Posts: 8
Date: Jun 28, 2012
RE: How to audit delegated administrative access in an Active Directory OU?


Hello Ishmael,

Yes, that would certainly help. This is very important and time-sensitive for us, so anything we can meet this need with would certainly help.

Thanks!

-Rossi



__________________

Go Proteas... we are the champions!  (; and some boring stuff.)



Member

Posts: 6
Date: Jun 29, 2012
RE: How to audit delegated administrative access in an Active Directory OU?


Rossi,

Have you considered ActiveRoles Server? It could help you answer these questions.

Vladmir.



__________________

Long live Russia!  Ministry of Defence of the Russian Federation



Member

Posts: 5
Date: Jul 8, 2012
How to audit delegated administrative access in an Active Directory OU?


Hello Rossi,

Auditing delegated administrative access is an essential component of any Active Directory Security Audit, and in fact no Active Directory Security Audit should be considered complete without it.

This is especially important because of the increasing risk of advanced threats like Security Privilege Escalation in Active Directory, which any user in the environment can carry out with the right tools.

Fortunately we cover this in our Active Directory Security Audit Services, so if we can help, please feel free to look us up and let us know. Our contact info is in my signature.

Thanks, and good luck,

Ryan



__________________

We help organizations with Active Directory Security Audit services.



Member

Posts: 6
Date: Jul 18, 2012
RE: How to audit delegated administrative access in an Active Directory OU?


Rossi,

I would stay away from Active Roles Server. It is not only very expensive, but it does not actually solve the problem. In fact, it only adds an additional service to take care of, not to mention deploying agents on your DCs!

With so much stuff tied to native updates to Active Directory content, you'll always have the need to audit delegated access natively in your Active Directory, and Active Roles Server is certainly not going to solve that problem for you.

My input is based solely on having worked with numerous AD deployments here in the UK. For good or bad, there's just too much Microsoft stuff tied natively to AD.

Samuel.



__________________


Member

Posts: 15
Date: Jul 23, 2012
RE: How to audit delegated administrative access in an Active Directory OU?


Rossi,

I would have ordinarily pointed you to a fine free tool called LIZA with which you can look at Active Directory ACLs, and possibly analyze them as well, BUT...

... I would be wasting your time if I did so, only because LIZA will only help you find who has what permissions. It turns out that finding out who has what permissions in Active Directory is NOT the same as finding out who is delegated what administrative access in Active Directory.

So, even if you end up finding out who has what permissions, you have to manually determine effective permissions on all objects, object by object, to try and find out who is delegated what access. This process can easily take weeks in even a small Active Directory, so it's hardly efficient or useful.

I just wanted to share my experience in having tried it. Doesn't work.

Thanks,

Joel.



__________________
Don't mess with my Alienware!


Member

Posts: 8
Date: Aug 29, 2012
RE: How to audit delegated administrative access in an Active Directory OU?


Joel,

Thanks for sharing your experience. That's a very good point, and one that I didn't think of. 

We guys are pretty under-staffed and certainly don't have the time or the resources to determine effective permissions on all of our AD objects (assuming it's just a matter of using the Effective Permissions tab), as that could easily take us weeks like you point out.

There's got to be a more efficient way to do this. I mean this is important stuff.

Did you find anything else that CAN do this?

Rossi. 



__________________

Go Proteas... we are the champions!  (; and some boring stuff.)



Member

Posts: 15
Date: Aug 31, 2012
RE: How to audit delegated administrative access in an Active Directory OU?


Rossi,

Sorry for getting back to you so late, mate. I was on vacation, enjoying the Summer, and just got back. (I had accumulated so much leave that I didn't really have a choice other than to take some time off. It was fun overall - caught up on some reading, movies and kayaking.)

Just before I left, we finally found something that CAN actually do this! We started looking for a tool that could help us analyze effective permissions correctly so we just Googled "Accurate Active Directory Effective Permissions Analysis", and chanced upon a tool called Gold Finger for AD.

It turns out that this tool is developed by a Microsoft directory services partner and that it is designed specifically to do just this, i.e., find out who is delegated what administrative access in Active Directory.

We downloaded a free trial, and we liked it so much, we ended up licensing it. Exactly what we were looking for. It wasn't cheap, but compared to how much our regular consulting company wanted to do these access audits for us, it was quite affordable and a no-brainer.

- Joel.



__________________
Don't mess with my Alienware!


Member

Posts: 12
Date: Mar 6, 2013
How to audit delegated administrative access in an Active Directory OU?


Hi Rossi,

This is a very important question, and indeed one that all of us should have answers to, because unauthorized delegated access rights in Active Directory can be a huge liability, as they pave the path for insiders to escalate their privilege in Active Directory.

This is also not an easy problem to solve, because there are so many complexities involved, such as the analysis of thousands of permissions, expansion of numerous nested security groups, detection of conflicting permissions (allow vs. deny, inherited vs. explicit, etc.), so it can take up a considerable amount of time and effort to figure this out correctly.

Fortunately, as Joel mentioned, Gold Finger is the only Active Directory Audit Tool I know of that completely automates finding out who is delegated what access in Active Directory. This is one of those problems that is best solved by automation, so in that sense this tool could be very useful and save a lot of time.

There are obviously other ways to solve the problem too, but they all involve lots of time and effort, because of the number of things one has to do to figure this out. Irrespective of how you solve it though, this is a very important problem to solve because it impacts foundational security.

Best of luck to you.

Nicolas.



__________________
Bond: There’s a name to die for! (Die Another Day)
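Joel's point that a list of who holds which permissions is not the same as who is effectively delegated a task, and Nicolas's list of what makes the resolution hard (nested groups, allow vs. deny, inherited vs. explicit), illustrated with an added example that is not from this thread or from any tool it names. It is a simplified Python model of deriving "who can reset passwords / enable accounts" from the ACEs on one OU: the two GUIDs are the well-known schema values for the Reset Password control-access right and the userAccountControl attribute (assumed; verify against your schema), the groups, users and ACEs are constructed, and the evaluation ignores ownership, inheritance flags and inherited-object-type scoping that a real audit must handle.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed well-known GUIDs (verify against your schema): the Reset Password
# control-access right, and the userAccountControl attribute (enable/disable).
RESET_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"
UAC_GUID = "bf967a68-0de6-11d0-a285-00aa003049e2"

@dataclass(frozen=True)
class Ace:
    trustee: str                 # user or group the ACE applies to
    allow: bool                  # True = Allow ACE, False = Deny ACE
    right: str                   # "ExtendedRight", "WriteProperty", "GenericAll"
    object_guid: Optional[str]   # right/attribute GUID; None = unrestricted
    inherited: bool              # inherited from a parent OU, not set here

def expand_trustees(principal: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Principal plus every group it belongs to, following nested membership."""
    tokens, frontier = {principal}, [principal]
    while frontier:
        p = frontier.pop()
        for group, members in groups.items():
            if p in members and group not in tokens:
                tokens.add(group)
                frontier.append(group)
    return tokens

def has_effective_right(principal, aces, groups, right, guid=None) -> bool:
    """Canonical DACL order: explicit Deny, explicit Allow, inherited Deny, inherited Allow; first match decides."""
    tokens = expand_trustees(principal, groups)
    for ace in sorted(aces, key=lambda a: (a.inherited, a.allow)):
        if ace.trustee not in tokens:
            continue
        if ace.right == "GenericAll" or (ace.right == right and ace.object_guid in (None, guid)):
            return ace.allow
    return False  # no matching ACE: access is implicitly denied

def who_can(users, aces, groups, right, guid=None) -> List[str]:
    return sorted(u for u in users if has_effective_right(u, aces, groups, right, guid))

# Constructed sample: nested groups and the ACEs on one OU.
GROUPS = {"Helpdesk": {"Tier1", "bob"}, "Tier1": {"alice"},
          "Contractors": {"bob"}, "DomainAdmins": {"carol"}}
USERS = ["alice", "bob", "carol", "dave"]
OU_ACES = [
    Ace("Helpdesk", True, "ExtendedRight", RESET_PASSWORD_GUID, False),
    Ace("Helpdesk", True, "WriteProperty", UAC_GUID, False),
    Ace("Contractors", False, "ExtendedRight", RESET_PASSWORD_GUID, False),
    Ace("DomainAdmins", True, "GenericAll", None, True),
]
```

Note that bob holds the Helpdesk allow yet cannot reset passwords, because the explicit deny on Contractors is evaluated first; a raw permission listing would still show him as delegated.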