The world's most trusted forum on Active Directory Security
We would like to know if there is any easy way to document the list of all delegations in Active Directory in a PDF report that can be furnished as evidence to fulfill internal audit needs.
We have a fair amount of delegations done in our Active Directory over the years, and we've been tasked with acquiring and implementing the means to both a) audit who has delegations in Active Directory and b) have a record of when a delegated individual performed a specific administrative task.
We figured a) was just a matter of finding a solution that can generate PDF reports based on delegations in Active Directory, and for b) we're on the lookout for a good auditing tool.
In regards to a) how does one go about generating PDF reports that document all delegations currently performed in Active Directory?
As always, all inputs appreciated.
If I had to summarize your need, I think what you're saying is you need the ability to a) audit delegations in Active Directory and b) have auditing in place as well so you can have proof generated when someone performs a delegated task.
Let me start with b) because that is simpler to accomplish and you have many options. What you need is to enable auditing in Active Directory, and ideally have some means of having all the audit events on all the Domain Controllers be collected and displayed in a single user interface, so you don't have to see audit logs on all DCs yourself. There are many options for this and I can suggest some if you're interested.
Now, as for a), i.e. the need to audit delegations in Active Directory, that is actually much more (about 10x more) difficult than having a distributed auditing infrastructure in place, because trying to audit who has what delegated access in Active Directory is very difficult, time-consuming and error-prone. There are basically two options for this, one being to do it yourself manually, and the second being to use an automated solution that can determine "resultant access in Active Directory".
a), i.e. the need to audit delegations in Active Directory, is also more important than auditing itself, because you'd rather know and reduce the number of people who could do something bad than have them do something bad and then have a record of it. (Prevention is always better than security incident investigation.)
Let me know if you need some recommendations in regards to a) and b) and I'll be happy to provide some.
“If you can't explain it simply, you don't understand it well enough” - Albert Einstein
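The "enable auditing and collect the events from every DC" part of the reply above, as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory module, Domain Admin rights, WinRM access to each Domain Controller, and a hypothetical OU `OU=Workstations,DC=corp,DC=example` standing in for whatever container you want change events for.

```powershell
# Added example (not from the forum thread). Enables directory-service auditing,
# adds a SACL so object changes actually produce events, then pulls the change
# events from every DC into one table. Run from an elevated PowerShell session
# on a DC; the file names and the OU DN below are assumptions.
Import-Module ActiveDirectory

# 1. Advanced audit policy subcategories. "Directory Service Changes" drives the
#    5136-5141 object-change events; "Directory Service Access" drives 4662.
#    For all DCs, set the same subcategories in the Default Domain Controllers
#    Policy GPO under Security Settings > Advanced Audit Policy Configuration > DS Access.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Access"  /success:enable /failure:enable

# 2. Audit policy alone is not enough: 5136 is only logged for objects whose SACL
#    asks for it. Add an audit entry on the OU (assumed DN) covering writes by
#    Everyone, inherited by every child object.
$ouDn = 'OU=Workstations,DC=corp,DC=example'   # assumption: replace with your OU
$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path -Audit               # -Audit reads the SACL (needs SeSecurityPrivilege)
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner, CreateChild, DeleteChild, Delete',
    [System.Security.AccessControl.AuditFlags]'Success, Failure',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($auditRule)
Set-Acl -Path $path -AclObject $acl

# 3. Pull the last 24 hours of object change events from every DC and flatten the
#    XML event data into one object per event so it can be sorted and exported.
$since = (Get-Date).AddHours(-24)
$dcs   = (Get-ADDomainController -Filter *).HostName
$events = Invoke-Command -ComputerName $dcs -ArgumentList $since -ScriptBlock {
    param($since)
    # 5136 = object modified, 5137 = object created, 5141 = object deleted
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = $since } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            DC        = $env:COMPUTERNAME
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Who       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object    = $data.ObjectDN
            Attribute = $data.AttributeLDAPDisplayName   # empty for 5137/5141
            Value     = $data.AttributeValue
            Operation = $data.OperationType              # 5136: %%14674 = value added, %%14675 = value deleted
        }
      }
}

$events | Sort-Object Time | Format-Table DC, Time, EventId, Who, Object, Attribute, Value -AutoSize
$events | Export-Csv -Path .\AD-change-audit.csv -NoTypeInformation   # assumed output file
```

Step 2 is the piece most people miss: turning on the audit subcategory without a SACL on the objects of interest produces no 5136 events at all. The Invoke-Command fan-out is the "single view across all DCs" idea from the reply in its simplest form; for a permanent record, forward the Security log to a collector (Windows Event Forwarding or a SIEM) rather than polling on demand.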
I have to say you've really understood and summarized my need so well.
Indeed, what I am trying to do is both audit delegated access and have auditing in place. I have been able to figure out what to audit, but I have not been able to figure out how to audit who has what delegated access.
Would you be so kind as to let me know how you audit who has what delegated access in your Active Directory?
If you're looking to find out who is truly delegated what access in your Active Directory, then the only way I know of to do this correctly and efficiently is with this tool (Gold Finger for AD).
It is the only tool I know of that can correctly analyze Active Directory permissions and show who is actually delegated what access in Active Directory. I first came across it here while looking for an easy way to generate Active Directory security reports.
We use it in our own environment as well, and it's quite a versatile tool. It lets us do everything from viewing and analyzing ACLs to looking for specific permissions in our domain, and from analyzing effective permissions on AD objects to assessing effective delegated access in our OUs.
I hope this helps. Good luck buddy.
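The "do it yourself manually" option from the first reply, and the ACL viewing that the last reply describes the tool doing, as an added PowerShell example that is neither from the thread nor from Gold Finger. It assumes the RSAT ActiveDirectory module and read access to the schema and Extended-Rights containers, and it enumerates the explicit (non-inherited) ACEs on the domain root and every OU, translating ObjectType GUIDs into attribute and extended-right names. It is a raw delegation inventory, not an effective-permissions calculation: group nesting, Deny precedence and inheritance interactions are left for the reader to resolve.

```powershell
# Added example (not from the forum thread). Lists who has been explicitly
# granted what on the domain root and each OU, with GUIDs resolved to names.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE
$domain  = Get-ADDomain

# Build a GUID -> name map from the schema (attributes/classes) and the
# Extended-Rights container (control access rights such as
# User-Force-Change-Password or DS-Replication-Get-Changes-All).
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
  ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
  ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

# Principals that hold rights by design; skipped so custom delegations stand out.
$nb   = $domain.NetBIOSName
$skip = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
          'BUILTIN\Administrators', "$nb\Domain Admins", "$nb\Enterprise Admins")

function Resolve-AceGuid([guid]$g) {
    if ($g -eq [guid]::Empty)      { return '(all)' }
    if ($guidMap.ContainsKey($g))  { return $guidMap[$g] }
    return $g.ToString()           # unknown GUID: leave it raw rather than guess
}

$targets = @($domain.DistinguishedName) +
           (Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

$report = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }                      # explicit ACEs only
        $who = $ace.IdentityReference.Value
        if ($skip -contains $who) { continue }
        [pscustomobject]@{
            Object        = $dn
            Trustee       = $who
            Type          = $ace.AccessControlType              # Allow / Deny
            Rights        = $ace.ActiveDirectoryRights
            AppliesTo     = Resolve-AceGuid $ace.ObjectType     # attribute / extended right / (all)
            InheritedTo   = Resolve-AceGuid $ace.InheritedObjectType   # object class the ACE flows to
            Inheritance   = $ace.InheritanceType
        }
    }
}

$report | Sort-Object Object, Trustee | Format-Table Object, Trustee, Type, Rights, AppliesTo, InheritedTo -AutoSize
$report | Export-Csv -Path .\AD-delegations.csv -NoTypeInformation   # assumed output file
```

A Deny ACE or a broad right such as `GenericAll` or `WriteDacl` on an OU deserves a second look in the output, and any trustee that is a group still has to be expanded to see which people actually hold the delegation. The CSV (or `ConvertTo-Html` on `$report`) is the raw material for the PDF the original poster asked about; how that gets rendered is up to whatever reporting tool the audit team already uses.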