Auditing Administrative Access on Windows Network

Hi folks!

We run an Active Directory network based on Windows Server 2008 R2 x64 servers and Windows 7 Enterprise x64 client machines. If a user has been a member of the Domain Admins group, and then leaves the company, is there an easy way to "audit" our Active Directory environment to make sure this user has not created any other accounts with elevated privileges or left any other "back doors" they might use for access?

1 Solution
I believe that Windows "timestamps" entries in Active Directory with their last modification date, but this attribute is not directly visible from the normal administrative GUIs. You will need to use a scripting/reporting tool that will expose that information to you.

I'm fairly certain that you can do it with PowerShell. You could also find VBScript routines which can print out a list of users and their attributes (including modification date). You will probably want to format the output so you can more easily review it in another tool, say CSV format that you will open in Excel.

You will also need to do reporting / analysis of the domain groups, which ones have administrative privileges, and who are in those groups.

Good luck.
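The report described above, written out as an added PowerShell example (it is not code from the original thread). It assumes the ActiveDirectory module from RSAT is installed, that the caller can read the domain, and it uses placeholder values for the departed admin's account, the cut-off date and the output path. Besides whenCreated and whenChanged it also exports adminCount (set to 1 by AdminSDHolder on accounts that sit, or once sat, in a protected group) and the owner of each user object, so accounts that the departed admin created and still owns stand out in Excel.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# PowerShell module (RSAT) is installed; Import-Module also creates the AD: drive
# that Get-Acl uses below.
Import-Module ActiveDirectory

# Constructed placeholder values: the departed admin's account (DOMAIN\sam),
# the date from which you want to review changes, and where to write the CSV.
$DepartedAdmin = 'CONTOSO\jdoe'
$Since         = [datetime]'2013-01-01'
$ReportPath    = "$env:USERPROFILE\Desktop\AD-Account-Audit.csv"

# whenCreated / whenChanged are the timestamps the accepted answer refers to.
# adminCount = 1 marks accounts that were ever members of a protected group,
# even if they have since been removed from it.
$props = 'whenCreated', 'whenChanged', 'adminCount', 'Enabled',
         'PasswordNeverExpires', 'ServicePrincipalNames', 'Description', 'LastLogonDate'

$report = Get-ADUser -Filter * -Properties $props |
    Where-Object {
        $_.whenCreated -ge $Since -or
        $_.whenChanged -ge $Since -or
        $_.adminCount -eq 1
    } |
    ForEach-Object {
        # The object's owner in the security descriptor: objects created by a
        # user (not by Domain Admins) are usually owned by that user.
        $owner = (Get-Acl -Path "AD:\$($_.DistinguishedName)").Owner

        [PSCustomObject]@{
            SamAccountName       = $_.SamAccountName
            Enabled              = $_.Enabled
            Created              = $_.whenCreated
            LastChanged          = $_.whenChanged
            AdminCount           = $_.adminCount
            PasswordNeverExpires = $_.PasswordNeverExpires
            # A user account carrying an SPN can be targeted for its service
            # ticket, so it is worth a second look in an admin-exit review.
            HasSPN               = ($_.ServicePrincipalNames.Count -gt 0)
            Owner                = $owner
            OwnedByDepartedAdmin = ($owner -eq $DepartedAdmin)
            LastLogon            = $_.LastLogonDate
            Description          = $_.Description
        }
    }

# Newest accounts first; open the CSV in Excel and filter on the boolean columns.
$report | Sort-Object Created -Descending |
    Export-Csv -Path $ReportPath -NoTypeInformation

Write-Host ("Wrote {0} accounts to {1}" -f @($report).Count, $ReportPath)
```

Run it from a workstation with RSAT as a normal domain user; reading these attributes needs no admin rights. The ownership column is the useful part: a departed admin cannot alter who created an object after the fact without also changing the owner, which in turn shows up in whenChanged.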
Mike Kline commented:
First, check all elevated groups (domain admins, enterprise admins, schema admins, account operators, etc.). If anything looks out of place, investigate it.

Use something like the ACL scanner tool to check your AD ACLs/permissions

Check workstations and policies to see who has admin rights on workstations.

Lastly, do you allow remote access (VPN/DirectAccess/web apps, etc.)? Make sure any accounts the admin had on any of those devices are disabled. Spot check the devices for any accounts that don't look right.

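The first and third steps of this comment (privileged group membership and local admin rights on the Windows 7 workstations) as an added PowerShell example, not code from the original thread. It assumes the ActiveDirectory module is installed, that the caller can reach the workstations over the network, and it uses a placeholder for the departed admin's account name. Membership is expanded recursively, because a nested group is the usual place for an unexpected path to privilege to hide.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory
# module (RSAT); the workstation part needs network access to each machine and
# rights to read its local Administrators group (a domain user normally has them).
Import-Module ActiveDirectory

# Constructed placeholder: the departed admin's sAMAccountName.
$DepartedAdmin = 'jdoe'
$OutDir        = "$env:USERPROFILE\Desktop"

# The built-in groups the comment lists, plus the other operator groups that
# can be used to gain control of a domain controller.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Server Operators',
                    'Backup Operators', 'Print Operators'

# 1. Expand each privileged group recursively and flag the departed admin.
#    Enterprise Admins and Schema Admins exist only in the forest root domain,
#    so a lookup from a child domain will fail and is reported as a warning.
$groupReport = foreach ($g in $privilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop | ForEach-Object {
            [PSCustomObject]@{
                Group             = $g
                Member            = $_.SamAccountName
                ObjectClass       = $_.objectClass
                DistinguishedName = $_.DistinguishedName
                IsDepartedAdmin   = ($_.SamAccountName -eq $DepartedAdmin)
            }
        }
    } catch {
        Write-Warning "Could not enumerate '$g': $($_.Exception.Message)"
    }
}
$groupReport | Export-Csv -Path "$OutDir\Privileged-Groups.csv" -NoTypeInformation

# Any account that is not a group and is not one of your known admins is a
# finding; list them on screen for a quick first pass.
$groupReport | Where-Object { $_.ObjectClass -eq 'user' } |
    Sort-Object Member -Unique | Format-Table Member, Group -AutoSize

# 2. Local Administrators on every Windows 7 workstation via the WinNT ADSI
#    provider (works without PowerShell remoting, which Win7 may not have on).
$computers = Get-ADComputer -Filter { OperatingSystem -like 'Windows 7*' } `
                            -Properties OperatingSystem

$localAdminReport = foreach ($c in $computers) {
    try {
        $group = [ADSI]"WinNT://$($c.Name)/Administrators,group"
        $group.psbase.Invoke('Members') | ForEach-Object {
            # Members come back as COM objects; read Name and AdsPath by reflection.
            $name = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
            $path = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
            [PSCustomObject]@{
                Computer = $c.Name
                Member   = $name
                # A path under WinNT://<computer>/ is a local account, i.e. one
                # that is not controlled by disabling a domain user.
                IsLocalAccount  = ($path -like "WinNT://$($c.Name)/*")
                IsDepartedAdmin = ($name -eq $DepartedAdmin)
                AdsPath  = $path
            }
        }
    } catch {
        Write-Warning "Could not read Administrators on $($c.Name): $($_.Exception.Message)"
    }
}
$localAdminReport | Export-Csv -Path "$OutDir\Workstation-Local-Admins.csv" -NoTypeInformation
```

The IsLocalAccount column matters most for the exit review: a domain account is neutralised by disabling it centrally, whereas a local administrator account created on a workstation keeps working until it is removed on that machine.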
Sandeshdubey, Senior Server Engineer, commented:
In addition, first of all, users should not be added to domain admin groups for security reasons. If there are multiple users still added, I would recommend removing them.

As others suggested, you need to look for a script to check which objects were created by the user ID in question. Also remove the user from the default admin group first, as already suggested.

If you want to delegate certain activities to a couple of users in AD, that is fine, and the same can be achieved by delegating control instead of adding the user to an admin group.

How to Delegate Basic Server Administration To Junior Administrators  http://support.microsoft.com/kb/555986

Best Practices for Delegating Active Directory Administration  http://www.microsoft.com/en-us/download/details.aspx?

You can also install RSAT (Win7) and adminpak (WinXP) to manage the delegated control; no need to log in to the DC.

You should also enable auditing to track the activities carried out by these users. In order to find out changes, creation or deletion events, you must keep the "Account Management" auditing enabled.

Apart from the auditing, you can use third-party tools like Quest and Netwrix to find out WHO changed WHAT, WHEN, and WHERE to list additions, deletions, and modifications made to Active Directory users, groups, computers, OUs, group memberships.
NetWrix tool : http://www.netwrix.com/active_directory_change_reporting_freeware.html
Quest: http://www.quest.com/changeauditor-for-active-directory/
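The "Account Management" auditing this comment recommends, as an added PowerShell example rather than code from the thread: it enables the relevant subcategories on the domain controller it runs on and then reads the Security log for the account and group management events attributed to a named user. The departed admin's name, the DC name and the start date are placeholders. The event IDs are the documented Windows Server 2008 R2 ones: 4720 user created, 4726 user deleted, 4738 user changed, 4728/4732/4756 member added to a global/local/universal group, and 5137/5136 from the "Directory Service Changes" subcategory, which records the object created or the attribute changed.

```powershell
# Added example, not from the original thread. Run on (or against) a domain
# controller with an account allowed to read the Security log.

# Constructed placeholders.
$DepartedAdmin = 'jdoe'
$DomainController = 'DC01'
$Since = [datetime]'2013-01-01'

# 1. Turn on the subcategories that produce the events below. On a DC the
#    Default Domain Controllers Policy normally governs audit policy, so set the
#    same subcategories there too, or the GPO will overwrite this at next refresh.
auditpol /set /subcategory:"User Account Management"      /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management"    /success:enable /failure:enable
auditpol /set /subcategory:"Computer Account Management"  /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes"    /success:enable /failure:enable

# 2. Event IDs of interest (Windows Server 2008 R2 Security log).
$eventIds = @{
    4720 = 'User account created'
    4726 = 'User account deleted'
    4738 = 'User account changed'
    4728 = 'Member added to global group'
    4732 = 'Member added to local group'
    4756 = 'Member added to universal group'
    4741 = 'Computer account created'
    5137 = 'Directory object created'
    5136 = 'Directory object modified'
}

# Convert an event's EventData into a hashtable keyed by field name. Field
# positions differ between event IDs, so parsing the XML is safer than
# indexing into $event.Properties.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 3. Pull the events. Every event in this set records the actor in
#    SubjectUserName, so filtering on it answers "what did this admin change?".
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = @($eventIds.Keys)
    StartTime = $Since
} -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    $d = ConvertFrom-EventData -Event $e
    if ($d['SubjectUserName'] -ne $DepartedAdmin) { continue }
    [PSCustomObject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        What    = $eventIds[$e.Id]
        Actor   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        # 47xx events name the target account; 4728/4732/4756 name the added
        # member in MemberName and the group in TargetUserName; 513x events
        # name the object DN and, for 5136, the attribute that changed.
        Target  = if ($d['MemberName']) { $d['MemberName'] } elseif ($d['ObjectDN']) { $d['ObjectDN'] } else { $d['TargetUserName'] }
        Group   = if ($d['MemberName']) { $d['TargetUserName'] } else { '' }
        Attribute = $d['AttributeLDAPDisplayName']
        Value     = $d['AttributeValue']
    }
}

$findings | Sort-Object Time |
    Export-Csv -Path "$env:USERPROFILE\Desktop\Admin-Activity-$DepartedAdmin.csv" -NoTypeInformation
$findings | Format-Table Time, What, Target, Group, Attribute -AutoSize
```

Two caveats a practitioner should keep in mind: the Security log only covers the period since auditing was enabled and before the log wrapped, so a review of an admin who left months ago will still depend on the attribute-based checks in the other answers; and because every writable DC logs its own changes, the query has to be run against each DC (or the logs forwarded centrally) to see everything.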
