Question:
How do I find out who is delegated what administrative access in Active Directory? (Needed for security audit)
Sara_NY
2009-06-25 12:33:38 UTC
Hi. We have a large Active Directory and many people are delegated access in the tree. Our security compliance auditors want a report documenting who is delegated what access, especially for common tasks such as user account creation, deletions and password resets.

We have been delegating access for many years now, and while delegating access seems easy, it doesn't seem very easy to find out who is delegated what access.

If you too have encountered this situation, and/or have any suggestions, please consider sharing. We only have three weeks to deliver this information, and could definitely use some helpful pointers.

Thank you very much!
Three answers:
anonymous
2009-07-02 17:14:56 UTC
Hi Sara,

We had a similar issue to deal with, in light of an internal security incident involving security privilege escalation in our Active Directory.

Our admins were under the impression that whatever the ACL Editor (and the “Effective Permissions” tab) showed them was the correct resultant access.

Turned out to be not quite true. We never realized that in order to accurately get this info, we had to intersect every permission in the ACL, consider inheritance, denies, nested groups etc. - we'd been struggling with this stuff for a long time now.

So we asked around for solutions that could help us and a Microsoft consultant pointed us to one of their security partners, Paramount Defenses Inc, that has developed an Active Directory delegated access auditing tool called Gold Finger - http://www.paramountdefenses.com/goldfinger.php

It turned out to be very easy and helpful – it took a few minutes to download, install, and run and it immediately showed us who was delegated what access in our domain.

We did come across a few other cheaper tools, such as from Scriptlogic and others, but they all just seemed to show us the security permissions, still leaving us to manually do all the work to figure out the resultant access, so they really weren't useful in this regard.

Gold Finger has saved us a lot of time and effort, and allowed us to easily audit and lock down access in our Active Directory, which we have started taking seriously after that incident.

So I would recommend trying it out. By the way, I think it can print reports as well, so you might in fact be able to fulfill your delegated access reporting requirements in time for your auditors.

Good luck.

Sam
anonymous
2009-06-26 18:55:46 UTC
Hi Sara,

As a Senior IT admin, I can tell you that this is a common requirement faced by so many organizations running on AD.

Many people think that all it takes is a bunch of scripts, but in fact, this is next to impossible to figure out in Active Directory.

Have you considered Quest's ActiveRoles Server for roles-based delegation? It's a proxy solution meaning it only allows administration via its console. Relative to delegating in AD, it is expensive (Quest's products usually are), may not be as reliable, and requires additional hardware and software to roll out and maintain, but at least it can help you figure out how many admins are delegated access and what roles they have.

Might be worth looking into. Good luck.

- Mike
Synful Visions
2009-06-25 13:09:03 UTC
Since you don't seem to have done this in an organized manner, I would suggest using VBScript to crawl through the user list, query the directory for permissions and delegations, and then write that to a spreadsheet.

I could write the basic script for you if you don't know how, but you would have to modify it for your specific environment.
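An added example of the scripted inventory this answer suggests, written here in PowerShell with the RSAT ActiveDirectory module rather than VBScript; it is not code from any poster in this thread. It walks every OU, keeps only the explicit (non-inherited) ACEs, and maps each one to the three tasks named in the question (user creation, deletion, password reset) using the published schema GUIDs for the user class and the User-Force-Change-Password extended right. Assumptions: the AD: drive from the ActiveDirectory module is available, the running account can read OU security descriptors, and the CSV output path is a placeholder.

```powershell
# Added example, not code from any poster in this thread. Assumes the RSAT
# ActiveDirectory module (which provides the AD: drive) and read access to OUs.
Import-Module ActiveDirectory

$Rights = [System.DirectoryServices.ActiveDirectoryRights]
# Published AD schema GUIDs: the "user" class and the User-Force-Change-Password right.
$UserClassGuid     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$AllGuid           = [guid]::Empty   # ACE not scoped to a class or right: applies to all

function Get-DelegatedTask {
    # Map one ACE to the audited tasks it allows or denies; empty if it grants none of them.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $r = $Ace.ActiveDirectoryRights
    # GenericAll subsumes all three tasks; otherwise test each right against its object GUID.
    if ($r.HasFlag($Rights::GenericAll)) { return @('CreateUser', 'DeleteUser', 'ResetPassword') }
    $tasks = @()
    if ($r.HasFlag($Rights::CreateChild) -and $Ace.ObjectType -in $UserClassGuid, $AllGuid) { $tasks += 'CreateUser' }
    if ($r.HasFlag($Rights::DeleteChild) -and $Ace.ObjectType -in $UserClassGuid, $AllGuid) { $tasks += 'DeleteUser' }
    # Reset password is an extended right; ExtendedRight with an empty GUID means every extended right.
    if ($r.HasFlag($Rights::ExtendedRight) -and $Ace.ObjectType -in $ResetPasswordGuid, $AllGuid) { $tasks += 'ResetPassword' }
    return $tasks
}

$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }    # explicit ACEs only: where a delegation was actually set
        $tasks = Get-DelegatedTask -Ace $ace
        if (-not $tasks) { continue }
        [pscustomobject]@{
            OU          = $ou.DistinguishedName
            Trustee     = $ace.IdentityReference.Value
            AllowOrDeny = $ace.AccessControlType   # denies belong in the report as much as allows
            Tasks       = $tasks -join ','
            AppliesTo   = $ace.InheritanceType     # None = this OU only; Descendents/All = children too
        }
    }
}
# Placeholder output path; adjust for your environment.
$report | Sort-Object OU, Trustee | Export-Csv -Path .\ad-delegation-report.csv -NoTypeInformation
```

This shows where delegations were set, which is what the auditors asked for, but it is not resultant access: group nesting, deny precedence and ACEs inherited from parent containers still have to be resolved per trustee, which is exactly the gap the first answer describes.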


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.