AD permissions audit

333 Views
Last Modified: 2012-08-13
Are there any tools in Active Directory that can help determine:

Who can create new users in AD
Who can delete/disable users in AD
Who can change/reset passwords for existing users in AD
Who can create groups in AD
Who can add new members to groups in AD/remove members from groups in AD

Am I correct in thinking it’s a layered structure, i.e. someone could perhaps create a user in a certain “layer” of AD, whereas others could create a user at a more powerful/higher layer. Same with creating groups, changing passwords, adding users to groups etc. Are there any tools that could assist with this kind of fact finding?

From a security angle, are there any additional “permissions” above and beyond:

Who can create new users in AD
Who can delete/disable users in AD
Who can change/reset passwords for existing users in AD
Who can create groups in AD
Who can add new members to groups in AD/remove members from groups in AD

that you’d check for who can do this? Or would these be seen as the higher risk?

Author

Commented:
And who can "re-enable" or undisable locked/disabled accounts?
CERTIFIED EXPERT
Commented:

Author

Commented:
How will RSOP "show" who can do such permissions?

Can you show an example of how RSOP shows which users can change/reset which users passwords - as one example?
CERTIFIED EXPERT
Top Expert 2013
Commented:

Author

Commented:
When you say deprecated in 2008, does that mean the OS version the domain controller is housed on? I.e. if the DC is on 2003 then it will work, if it's on 2008 then it won't?

Author

Commented:
And just as a quick yes/no - can any member of a global security group add another user into it? Or what determines which users can add new users into a security group? So if I am in a group called "payrolldata" can I add a new user into payrolldata - or not? What determines if I can or can't?

Author

Commented:
Also, do you have to run DSrevoke per user, or per permission? I.e. what is the parameter?

I.e. if you want to see which users can create new users - can DSrevoke say here are the users that can do that?

Or is it more that you specify a group or user and DSrevoke says these users can do this, this and this?

It would be better the first way round, i.e. the parameter is the permission, and the output is the users with that permission. As opposed to the parameter being the user/group, and the output being the permissions granted to that group.
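The "permission in, principals out" shape the author asks for can be built directly from the OU's security descriptor. The script below is an added example written for this page, not code from the thread or from DSrevoke; it assumes the RSAT ActiveDirectory module (for the AD: drive), read access to the OU's ACL, and uses a placeholder OU distinguished name. The GUIDs are the well-known schema/extended-right identifiers that object-specific ACEs carry for the user and group classes, the member and userAccountControl attributes, and the Reset Password right.

```powershell
# Added example (not from the thread): list the principals that hold one
# specific AD permission on an OU, i.e. parameter = permission, output = who has it.
# Assumes RSAT's ActiveDirectory module and read access to the OU's security descriptor.
Import-Module ActiveDirectory

# Well-known schemaIDGUID / rightsGuid values that appear in object-specific ACEs.
$Guids = @{
    UserClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
    GroupClass         = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'
    MemberAttr         = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
    UserAccountControl = [guid]'bf967a68-0de6-11d0-a285-00aa003049e2'
    ResetPassword      = [guid]'00299570-246d-11d0-a768-00aa006e0529'
}

$R = [System.DirectoryServices.ActiveDirectoryRights]
# Permission name -> the (right, object type) pair an ACE must carry to grant it.
$Checks = @{
    CreateUser    = @{ Right = $R::CreateChild;   ObjectType = $Guids.UserClass }
    DeleteUser    = @{ Right = $R::DeleteChild;   ObjectType = $Guids.UserClass }
    DisableUser   = @{ Right = $R::WriteProperty; ObjectType = $Guids.UserAccountControl }
    ResetPassword = @{ Right = $R::ExtendedRight; ObjectType = $Guids.ResetPassword }
    CreateGroup   = @{ Right = $R::CreateChild;   ObjectType = $Guids.GroupClass }
    ChangeMembers = @{ Right = $R::WriteProperty; ObjectType = $Guids.MemberAttr }
}

function Get-AdPermissionHolders {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        [Parameter(Mandatory)][string]$Permission   # one of the $Checks keys
    )
    $check = $Checks[$Permission]
    $acl = Get-Acl -Path ('AD:\' + $OuDistinguishedName)
    # Allow ACEs only. HasFlag also matches GenericAll, which contains every specific
    # right bit. An empty ObjectType means the right covers all classes/attributes.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($check.Right) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $check.ObjectType)
    } | Select-Object @{ n = 'Permission'; e = { $Permission } },
                      IdentityReference, IsInherited, ObjectType, InheritedObjectType
}

# Placeholder OU DN (constructed); report every permission in $Checks for that OU.
$Checks.Keys | ForEach-Object {
    Get-AdPermissionHolders -OuDistinguishedName 'OU=Staff,DC=example,DC=com' -Permission $_
} | Format-Table -AutoSize
```

The IdentityReference column is usually a group, so expand nested membership to get to individual people; this check does not evaluate Deny ACEs or the InheritedObjectType restriction, and it reads one OU, so run it against each container whose "layer" you want to audit.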
