Solved

Active Directory Security Group audit

Posted on 2009-04-13
3
337 Views
Last Modified: 2013-12-05
If possible, I would like to run a script or util that would generate a report of what AD Security Groups have access to, etc, etc

We want to consolidate security groups in a 2000 domain but have no idea what each of these Groups is for, what access permissions, and any other info that might be helpful in Doc'ing these AD Security Groups.

MattP
0
Comment
Question by:mmperry
3 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 24132303
I am afraid that is not  possible since the permissions you are talking about are given per resource and each resource is responsible to maintain its own permission.

Active Directory just handles the authentication part
0
 
LVL 18

Accepted Solution

by:
Americom earned 500 total points
ID: 24135135
Unless your AD Admin has always update the group with description and info indicating what the group is for, otherwise, you would need to find out from all your servers(apps/file/print/web/etc) and see if the AD security groups were used. Most likely some digging will be needed.

You can download ShareEnum utility utility to find out all the shares you have in your domains within a few minutes. Download it from here: http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx
knowing the shares in all your machines would be a good start as it will show you what security groups or users would have granted access etc.

You can use a free tool "SubInACL" from Microsoft:
http://www.microsoft.com/DownLoads/details.aspx?familyid=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en
SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.

http://technet.microsoft.com/en-us/sysinternals/bb664922.aspx
This tool shows you the accesses the user or group you specify has to files, Registry keys or Windows services

or if you want to spend some $ on another product specifically for file server from ScriptLogic:
http://www.scriptlogic.com/products/security-explorer/

Or if you have the more $ to spend, you can get the ESR from ScriptLogic:
http://www.scriptlogic.com/products/enterprisesecurityreporter/
This product is more than just for file/folder permission, it is also to report Active Directory object status etc.
0
 

Author Closing Comment

by:mmperry
ID: 31569604
Thanks
0

Featured Post

Networking for the Cloud Era

Join Microsoft and Riverbed for a discussion and demonstration of enhancements to SteelConnect:
-One-click orchestration and cloud connectivity in Azure environments
-Tight integration of SD-WAN and WAN optimization capabilities
-Scalability and resiliency equal to a data center

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question