ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


TOPIC: How to find out who is delegated what access on an Organizational Unit (OU)?


Member

Posts: 14
Date: Dec 14, 2010
How to find out who is delegated what access on an Organizational Unit (OU)?


Hello all,

Please excuse my English. I want to know how to find out who is delegated what tasks in our corporate OU. We have a small OU structure with a total of about 11 OUs, and amongst our OUs we have about 700 domain user accounts, 900 domain computer accounts and approximately 200 security groups.

We are in the process of doing a review of our security, and management has asked for a report that documents who has what privileges in our corporate Active Directory, especially for important areas like account and group management.

We started looking at the ACLs, but there are so many, and besides, just looking at these permissions does not appear to be painting the correct picture. I mean, we have some deny permissions, we used some nested groups for delegating access, and now trying to find out who has what effective permissions is becoming very difficult.

If you have some experience in the area, or any ideas on how to review this, I will be thankful for your help.

Thank you.
Manuel



__________________
I love football! Go Ronaldinho!


Newbie

Posts: 3
Date: Jun 27, 2012
How to find out who is delegated what access on an Organizational Unit (OU)?


Hello Manuel,

I believe you've come to that inevitable point in Active Directory management when you are required to possess and demonstrate knowledge of who is delegated what administrative access in Active Directory.

As fundamental as this requirement sounds, this unfortunately happens to be one of the most difficult requirements to fulfill and one of the most misunderstood problems to solve.

In my experience, I have found that 90% of all IT admins, managers and consultants make the classic mistake of assuming that who has what permissions in Active Directory IS THE SAME THING as who is delegated what administrative access in Active Directory.

This classic fallacy is the reason that most Active Directory deployments today continue to be exposed to the risk of compromise stemming from the identification and misuse of rampant unauthorized administrative access.

There is only one way to actually answer this question, and that is to determine "resultant access in Active Directory" (you can Google the term).

The short of it is that in order to determine who is delegated what access in an OU, you have to determine effective/resultant access on all objects in the Active Directory, first in terms of the security permissions, and then in terms of administrative tasks, and that is one of the most difficult things to determine accurately.

(It is very easy to inaccurately determine it, because there are only a hundred or so things you have to precisely take into account.)

This problem is not one that can be solved manually, but one that by virtue of its nature (expanse and complexity) can only be solved by automation.

So your best bet is to acquire and use an automated solution that is designed to solve this very problem, i.e. help you determine effective/resultant delegated access in your Active Directory.

Good luck to you. Hopefully my input helped.

-Wade.



__________________


Member

Posts: 5
Date: Jun 29, 2012
RE: How to find out who is delegated what access on an Organizational Unit (OU)?


Manuel,

Have you considered the Permissions Analyzer from SolarWinds? I haven't tried it, but I remember one of my colleagues mentioning it. Maybe it could help you find out who is delegated what access on an Organizational Unit?

John.



__________________

If winning isn't everything, why do they keep score? 



Member

Posts: 14
Date: Jun 29, 2012
RE: How to find out who is delegated what access on an Organizational Unit (OU)?


John,

We did look at Permissions Analyzer from SolarWinds, and were quite disappointed, because it has NOTHING to do with finding out who is delegated what access in Active Directory.

The only thing it does is help figure out who has what access on files/folders i.e. NTFS permissions.

Its marketing seems to indicate that it can help determine Effective Access in Active Directory as well, but that was not the case at all.

Thanks for the suggestion though.

Manuel.



__________________
I love football! Go Ronaldinho!


Member

Posts: 14
Date: Jun 29, 2012
RE: How to find out who is delegated what access on an Organizational Unit (OU)?


Hi Wade,

Thanks for such a good explanation. Do you happen to know of any automated solution that can help me find out who is delegated what access on an Organizational Unit (OU)?

Thanks!

Manuel.



__________________
I love football! Go Ronaldinho!


Newbie

Posts: 3
Date: Jul 22, 2012
How to find out who is delegated what access on an Organizational Unit (OU)?


Hi Manuel,

Yes, I'll be happy to point you in the right direction, but before I do so, I just wanted to share something very interesting with you.

If you take a look at this thread on Microsoft's website, it is absolutely clear that even Microsoft employees don't know how to determine delegated access in Active Directory, which is shocking:

http://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions-en-us.aspx

Even they are making the mistake that everyone makes in determining delegated access in Active Directory, i.e. even they are mistaking "Who has what permissions in Active Directory" for "Who is delegated what access in Active Directory".

Here is an article/example that illustrates this difference: Challenges in Assessing Delegated Access in Active Directory

I cannot over-emphasize enough that "Who has what permissions in Active Directory" is ABSOLUTELY NOT THE SAME AS "Who is actually delegated what access in Active Directory."

The difference between the two is the difference between night and day, and those who rely on just knowing who has what permissions in Active Directory may be leaving their Active Directory exposed to risk.

That said...

So, the only way I know of to correctly determine delegated access in Active Directory is via the use of the Gold Finger Active Directory Security Audit Tool.

Shocking to see even Microsoft employees not know the difference!

- Wade.



__________________


Member

Posts: 21
Date: Feb 25, 2013
RE: How to find out who is delegated what access on an Organizational Unit (OU)?


Hi Manuel,

Trying to find out who is delegated what access in Active Directory is a difficult task, because it involves the accurate determination of effective permissions on Active Directory objects and that is a very difficult thing to do.

This is also a largely misunderstood concept, because many IT admins end up mistaking finding out who has what permissions in Active Directory for finding out who has what effective permissions in Active Directory, and as a result end up with incorrect data.

It is also unfortunate that some tools (e.g. LIZA and ADUCAdmin) claim to be able to do effective permissions in Active Directory, but unfortunately don't do so at all, thereby misleading IT admins. For instance, these tools only show you which ACEs in an object's DACL apply to a given user, and that is unfortunately not the same as true effective permissions, and is thus inaccurate.

There is a good write up on how to correctly view delegated access rights in Active Directory here. On a similar note, if you are looking to audit elevated access rights in Active Directory, there is also some helpful info here.

As Wade indicated, the only tool I know of that can accurately determine effective permissions in Active Directory, and thus determine and reveal who is truly delegated what access in Active Directory is the Microsoft-endorsed Gold Finger Active Directory Audit Tool.

I hope this helps.

Ishamel.



__________________

There isn't a system that cannot be broken into.
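As an added illustration (not code from any poster or tool in this thread) of the gap Manuel and Ishmael describe between "which ACEs mention an account" and its effective permissions, here is a Python model of the Windows DACL walk over a constructed OU DACL with nested groups, an explicit deny, and an inherited deny. The accounts, group names and right names are made up; real AD ACEs also carry object-type GUIDs, property sets and extended rights, which this model leaves out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    trustee: str        # account or group the ACE applies to
    allow: bool         # True = access-allowed ACE, False = access-denied ACE
    rights: frozenset   # rights named as plain strings for readability
    inherited: bool = False

# Constructed group membership (group -> direct members); not a real directory.
GROUPS = {
    "Helpdesk": {"Tier2", "alice"},
    "Tier2": {"bob"},
    "Contractors": {"bob"},
}

# Constructed DACL on an OU, already in canonical order:
# explicit denies, explicit allows, inherited denies, inherited allows.
OU_DACL = [
    Ace("Contractors", False, frozenset({"ResetPassword"})),
    Ace("Helpdesk", True, frozenset({"ResetPassword", "WriteMember"})),
    Ace("Helpdesk", True, frozenset({"DeleteChild"})),
    Ace("Authenticated Users", False, frozenset({"DeleteChild"}), inherited=True),
    Ace("Authenticated Users", True, frozenset({"GenericRead"}), inherited=True),
]

def expand_token(principal, groups=GROUPS):
    """The account plus every group it belongs to transitively (nested groups)."""
    token = {principal, "Authenticated Users"}
    while True:
        new = {g for g, members in groups.items() if g not in token and members & token}
        if not new:
            return token
        token |= new

def aces_mentioning(principal, dacl=OU_DACL):
    """What a plain 'who has permissions' report lists: every ACE whose trustee is in the token."""
    token = expand_token(principal)
    return [ace for ace in dacl if ace.trustee in token]

def effective_rights(principal, dacl=OU_DACL):
    """Walk the canonical DACL as the Windows access check does: the first ACE to name a right wins."""
    token = expand_token(principal)
    granted, denied = set(), set()
    for ace in dacl:
        if ace.trustee not in token:
            continue
        for right in ace.rights - granted - denied:
            (granted if ace.allow else denied).add(right)
    return granted

def who_holds(right, principals, dacl=OU_DACL):
    """Invert the question for the OU: which of the given accounts effectively hold a right."""
    return sorted(p for p in principals if right in effective_rights(p, dacl))
```

For "bob", `aces_mentioning` lists both the allow and the deny for ResetPassword and cannot say which wins, while `effective_rights` shows the explicit deny prevails; for DeleteChild the explicit allow precedes the inherited deny, so it is granted.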
