I am in search of an Active Directory Access/Delegation Verification Tool, as we have a need to be able to verify an important set of delegations in our Active Directory.
The situation is that we recently had a change of guard (i.e. change of admins) since we changed the IT company to which we outsource the management of some parts of our Active Directory, and now we need to find out what access the old IT admins have in our Active Directory.
Earlier we thought it was just a matter of finding out what permissions their individual accounts have in the Active Directory, and that we were able to do using dsacls, but then we found that many of these admins also have permissions granted to them via group memberships.
So we figured we might try to enumerate their group memberships, but it turns out that there is extensive group nesting and it is a little complicated to determine who belongs to which groups and/or all the groups to which a given user belongs.
We've invested a decent amount of effort but are not seeming to get anywhere, so I thought I would try and find some sort of a way to verify delegated access in our Active Directory. Unfortunately, while there are many resources available to be able to list and dump AD ACLs, there does not seem to be anything that can help us verify delegations in Active Directory.
All that we need is the ability to easily and reliably enumerate/list who is delegated what administrative tasks in our Active Directory, whether directly or based on any of the groups (including any nested groups) to which they might belong.
We don't have any more resources to be able to spend weeks trying to analyze the 1000s of Active Directory permissions to try and figure this out the hard way. (It's too painful.)
Does anyone know of any tool/solution that could be used to verify our delegations easily? Ideally something that can just tell us, hey this is the list of IT admins who can create accounts, and this is the list of IT admins who can apply GPOs to an OU etc?
If so, it would be greatly useful and much appreciated.
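The two hard parts described in the post, resolving nested group memberships and then matching those identities against the ACEs on an OU, can be scripted with the ActiveDirectory module. The following is an added example, not code from the original post or from any tool the poster mentions. It assumes RSAT's ActiveDirectory module, a single domain, read access to the OU's security descriptor, and the placeholder OU path and account names shown; the schema GUIDs in the lookup table are the well-known Active Directory schema identifiers for those object classes, attributes and extended rights.

```powershell
# Added example: list which delegated rights on one OU a set of (former) admin
# accounts hold, directly or through any nested group. Not from the original post.
Import-Module ActiveDirectory

# Placeholders: the OU whose delegations we want to verify and the accounts to check
$OuDn          = 'OU=Workstations,DC=example,DC=com'
$AdminAccounts = @('jdoe', 'asmith')

# Well-known schema GUIDs for a few commonly delegated tasks (an empty GUID means
# the ACE applies to the whole object, not one class or attribute)
$KnownGuids = @{
    '00000000-0000-0000-0000-000000000000' = 'All objects/attributes'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'User objects (create/delete accounts)'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'Group objects'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'Computer objects'
    'f30e3bbe-9ff0-11d1-b603-0000f80367c1' = 'gPLink attribute (link GPOs to the OU)'
    'f30e3bbf-9ff0-11d1-b603-0000f80367c1' = 'gPOptions attribute'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
}

$NetBios = (Get-ADDomain).NetBIOSName

# Read the OU's DACL once; ACE identities are returned as DOMAIN\Name
$Acl = Get-Acl -Path "AD:\$OuDn"

foreach ($Sam in $AdminAccounts) {
    $User = Get-ADUser -Identity $Sam

    # All groups the user belongs to, nested ones included, resolved server-side
    # with the LDAP_MATCHING_RULE_IN_CHAIN operator (1.2.840.113556.1.4.1941)
    $Groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($User.DistinguishedName))"

    # Every NT account name that could name this user in an ACE
    $Identities = @("$NetBios\$($User.SamAccountName)") +
                  @($Groups | ForEach-Object { "$NetBios\$($_.SamAccountName)" })

    foreach ($Ace in $Acl.Access) {
        # Only Allow ACEs are reported here; Deny ACEs are listed separately below
        if ($Identities -notcontains $Ace.IdentityReference.Value) { continue }

        $Target = $KnownGuids[$Ace.ObjectType.ToString()]
        if (-not $Target) { $Target = $Ace.ObjectType.ToString() }   # unknown GUID: show raw

        [pscustomobject]@{
            User      = $User.SamAccountName
            Via       = $Ace.IdentityReference.Value      # the user itself or the granting group
            Type      = $Ace.AccessControlType            # Allow or Deny
            Rights    = $Ace.ActiveDirectoryRights
            AppliesTo = $Target
            Inherited = $Ace.IsInherited
        }
    }
}
```

Run it per OU of interest and pipe the output to `Format-Table` or `Export-Csv`. The report shows who is granted what and through which group, which is the question in the post, but it is not a full effective-permissions calculation: Deny ACEs are listed but not subtracted from matching Allow ACEs, the inheritance scope (`InheritanceType` and `InheritedObjectType`) is not evaluated, and implicit principals such as Authenticated Users or Everyone are not expanded, so treat it as a review aid rather than a final verdict.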