How do I find out who is delegated what administrative access in Active Directory? (Needed for security audit)
Hello. We have Active Directory, and many people have been delegated access to the tree. Our compliance examiners want a security report documenting who has what delegated access, especially for routine tasks such as creating and deleting user accounts and resetting passwords.
We have been delegating access for many years; while delegating access seems easy, it is not easy to figure out who has been delegated what access.
If you have encountered this situation and/or have a suggestion, please share. We only have three weeks to produce this information, and in any case some helpful hints would be appreciated.
Thank you very much!
2 comments:
Hi Sara,
We had a similar problem in connection with a Homeland Security incident relating to an escalation of permissions in Active Directory.
Our directors were under the impression that the ACL editor (and clicking "Effective Permissions") correctly shows the resultant access.
That proved to be not quite right. We had never realized that just to obtain this information, we would have to intersect all permissions in the ACL, taking into account inheritance, Deny entries, nested groups, etc. - we had already been struggling with this problem for a long time.
So we asked around for solutions that could help us, and a Microsoft consultant pointed us to one of their security partners, Paramount Defenses Inc., which develops an Active Directory delegated access auditing tool called Goldfinger - http://www.paramountdefenses.com/Goldfine ...
It proved to be very simple and useful - it took a few minutes to download, install and run, and it showed us who had been given access to our domain.
There were some other, cheaper tools, such as ScriptLogic and others, but all of them seemed to just dump the security permissions, which brings it back to doing all the work manually to determine what access exists, so they were not really useful in this context.
Goldfinger saved us much time and effort, since you can easily check and lock down access to Active Directory, which we have begun to take seriously after this incident.
I recommend trying it. By the way, I think you can print reports as well, so you might actually be able to hand over your access reporting obligations to your auditors on time.
Good luck.
SA
Hi Sara,
As a senior IT manager, I can tell you that this is a common requirement; many organizations need to see who has access in AD.
Many people think that all you need is a bunch of scripts, but in reality it is almost impossible to find this out in Active Directory.
Have you considered Quest ActiveRoles Server for role-based delegation? It is a proxy-based solution, which means that it provides delegation through its management console. Delegation products of this kind are expensive (typically Quest), may not be as reliable, and require additional hardware and software for deployment and maintenance, but at least you know how to limit administrators' access to the number of tasks delegated to them.
Might be interesting to explore. Good luck.
- Mike
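An added example for the question above (not code from the thread or from any product named in it): a script that inventories the explicit ACEs on every OU and labels the delegations the poster's examiners care about (create/delete user, reset password). It assumes the RSAT ActiveDirectory module on a domain-joined machine with read access; the list of default principals to skip is an assumption to adjust per forest. As the first comment warns, this is an inventory of what was delegated, not an effective-permissions calculation.

```powershell
# Added example: list explicit (non-inherited) Allow ACEs on OUs and label common delegations.
# Assumption: RSAT ActiveDirectory module is installed; the account can read OU ACLs.
Import-Module ActiveDirectory

# Well-known schema GUIDs: the "user" object class and the User-Force-Change-Password
# control access right (what the Delegation of Control wizard calls "Reset Password").
$UserClassGuid     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

# Principals whose entries are defaults rather than delegations. Assumption: extend for your forest.
$domain = Get-ADDomain
$DefaultPrincipals = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
    'BUILTIN\Account Operators', 'BUILTIN\Pre-Windows 2000 Compatible Access',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$($domain.NetBIOSName)\Domain Admins", "$($domain.NetBIOSName)\Enterprise Admins")

function Get-DelegatedUserRights {
    param([string]$SearchBase = $domain.DistinguishedName)
    $R = [System.DirectoryServices.ActiveDirectoryRights]
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            # Inherited entries repeat what a parent already granted; Deny entries are out of scope here.
            if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
            if ($DefaultPrincipals -contains $ace.IdentityReference.Value) { continue }
            $rights   = $ace.ActiveDirectoryRights
            $anyType  = ($ace.ObjectType -eq [guid]::Empty)            # right not limited to one class/attribute
            $onUsers  = ($ace.InheritedObjectType -eq $UserClassGuid -or $ace.InheritedObjectType -eq [guid]::Empty)
            $labels   = @()
            if ($rights.HasFlag($R::GenericAll)) { $labels += 'FullControl' }
            else {
                if ($rights.HasFlag($R::CreateChild) -and ($anyType -or $ace.ObjectType -eq $UserClassGuid)) { $labels += 'CreateUser' }
                if ($rights.HasFlag($R::DeleteChild) -and ($anyType -or $ace.ObjectType -eq $UserClassGuid)) { $labels += 'DeleteUser' }
                if ($rights.HasFlag($R::ExtendedRight) -and $onUsers -and ($anyType -or $ace.ObjectType -eq $ResetPasswordGuid)) { $labels += 'ResetPassword' }
                # Whoever can rewrite the DACL or take ownership can grant themselves anything else later.
                if ($rights.HasFlag($R::WriteDacl) -or $rights.HasFlag($R::WriteOwner)) { $labels += 'CanChangePermissions' }
            }
            if ($labels.Count -eq 0) { $labels += 'Other' }
            [pscustomobject]@{
                OU         = $ou.DistinguishedName
                Principal  = $ace.IdentityReference.Value
                Delegation = ($labels -join ',')
                RawRights  = $rights.ToString()
                AppliesTo  = $ace.InheritanceType.ToString()
            }
        }
    }
}

# Produce a CSV the examiners can read. Group members are not expanded here; compare the
# Principal column against group membership separately before treating it as "effective" access.
Get-DelegatedUserRights | Export-Csv -Path .\ad-delegations.csv -NoTypeInformation
```

The script walks OUs only; the default Users and Computers containers are not OUs and would need a separate Get-Acl pass if accounts live there.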