troubleshooting Question

AD permissions audit

Pau Lo asked on
Active Directory, OS Security, Microsoft Server OS
Are there any tools in Active Directory that can help determine:

Who can create new users in AD
Who can delete/disable users in AD
Who can change/reset passwords for existing users in AD
Who can create groups in AD
Who can add new members to groups in AD/remove members from groups in AD

Am I correct in thinking it’s a layered structure, i.e. someone could perhaps create a user in a certain “layer” of AD, whereas others could create a user at a more powerful/higher layer? Same with creating groups, changing passwords, adding users to groups etc. Are there any tools that could assist with this kind of fact finding?

From a security angle, are there any additional “permissions” above and beyond:

Who can create new users in AD
Who can delete/disable users in AD
Who can change/reset passwords for existing users in AD
Who can create groups in AD
Who can add new members to groups in AD/remove members from groups in AD

that you’d check for who can do this? Or would these be seen as the higher risk?
ASKER CERTIFIED SOLUTION
Miguel Angel Perez Muñoz

Andrew Hancock - VMware vExpert