Auditing Administrative Access on Windows Network

Hi folks!

We run an Active Directory network based on Windows Server 2008 R2 x64 servers and Windows 7 Enterprise x64 client machines. If a user has been a member of the Domain Admins group, and then leaves the company, is there an easy way to "audit" our Active Directory environment to make sure this user has not created any other accounts with elevated privileges or left any other "back doors" they might use for access?

Thanks,
Ithizar

bill1965 Commented:
I believe that Windows "timestamps" entries in Active Directory with their last modification date, but this attribute is not directly visible from the normal administrative GUIs.  You will need to use a scripting/reporting tool that will expose that information to you.

I'm fairly certain that you can do it with PowerShell.  You could also find VBScript routines which can print out a list of users and their attributes (including modification date).  You will probably want to format the output so you can more easily review it in another tool, say CSV format that you will open in Excel.

You will also need to do reporting / analysis of the domain groups, which ones have administrative privileges, and who are in those groups.

Good luck.
0
Mike Kline Commented:
First, check all elevated groups (domain admins, enterprise admins, schema admins, account operators, etc.). If anything looks out of place, investigate it.

Use something like the ACL scanner tool to check your AD ACLs/permissions
http://blogs.technet.com/b/pfesweplat/archive/2013/05/13/permissions-in-ad-lost-control.aspx

Check workstations and policies to see who has admin rights on workstations.

Lastly, do you allow remote access (VPN/Direct Access/Web Apps, etc.)? Make sure any accounts the admin had on any of those devices are disabled. Spot check the devices for any accounts that don't look right.

Thanks

Mike
0
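The review bill1965 and Mike Kline describe above (creation and modification timestamps, privileged group membership, CSV output for Excel), as an added example that is not part of either post. The tenure dates, the group list, the output file name and the sample records are constructed placeholders; the function `Get-AccountReviewList` is a hypothetical helper written for this example.

```powershell
# Added example: tenure dates, group list and sample records are constructed.
$From   = [datetime]'2012-01-01'   # placeholder: first day of the admin's tenure
$To     = [datetime]'2013-06-30'   # placeholder: last day of the admin's tenure
$Groups = 'Domain Admins','Enterprise Admins','Schema Admins',
          'Account Operators','Administrators'

function Get-AccountReviewList {
    # Takes objects shaped like Get-ADUser output (see the last comment below).
    param([Parameter(ValueFromPipeline = $true)] $User,
          [datetime] $From, [datetime] $To, [string[]] $Groups)
    process {
        $why = @()
        # MemberOf holds the DNs of groups the account belongs to directly.
        foreach ($dn in @($User.MemberOf)) {
            $cn = ($dn -split ',')[0] -replace '^CN=', ''
            if ($Groups -contains $cn) { $why += "member of $cn" }
        }
        # adminCount=1: the account is, or once was, in a protected group.
        if ($User.adminCount -eq 1) { $why += 'adminCount=1' }
        if ($User.whenCreated -ge $From -and $User.whenCreated -le $To) {
            $why += 'created during tenure'
        } elseif ($User.whenChanged -ge $From -and $User.whenChanged -le $To) {
            $why += 'changed during tenure'   # whenChanged is a per-DC value
        }
        if ($why.Count -gt 0) {
            New-Object PSObject -Property @{
                SamAccountName = $User.SamAccountName
                WhenCreated    = $User.whenCreated
                WhenChanged    = $User.whenChanged
                Reasons        = $why -join '; '
            } | Select-Object SamAccountName, WhenCreated, WhenChanged, Reasons
        }
    }
}
# Constructed sample records standing in for a directory export.
$sample = @(
    New-Object PSObject -Property @{ SamAccountName = 'jsmith'; adminCount = $null; MemberOf = @()
        whenCreated = [datetime]'2010-03-04'; whenChanged = [datetime]'2011-09-01' }
    New-Object PSObject -Property @{ SamAccountName = 'svc-backup2'; adminCount = 1
        MemberOf = @('CN=Domain Admins,CN=Users,DC=example,DC=local')
        whenCreated = [datetime]'2013-05-02'; whenChanged = [datetime]'2013-05-02' }
    New-Object PSObject -Property @{ SamAccountName = 'helpdesk1'; adminCount = 1; MemberOf = @()
        whenCreated = [datetime]'2009-11-20'; whenChanged = [datetime]'2013-04-11' }
)
$sample | Get-AccountReviewList -From $From -To $To -Groups $Groups |
    Export-Csv -Path .\account-review.csv -NoTypeInformation
# Against a live domain (ActiveDirectory module from RSAT), replace $sample with:
#   Get-ADUser -Filter * -Properties whenCreated,whenChanged,adminCount,MemberOf
```

`MemberOf` lists direct membership only, so nested members of each privileged group still need `Get-ADGroupMember -Identity <group> -Recursive`. With the sample data, `svc-backup2` and `helpdesk1` land in the CSV and `jsmith` does not.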

Sandeshdubey, Senior Server Engineer, Commented:
In addition, first of all, users should not be added to domain admin groups for security reasons. If there are multiple users still added, I would recommend removing them.

As others suggested, you need to look for a script to check which objects were created by the user ID in question. Also remove the user from the default admin group first, as already suggested.

If you want to delegate certain activities to a couple of users in AD, that's fine, and the same can be achieved by delegating control instead of adding the user to an admin group.

How to Delegate Basic Server Administration To Junior Administrators  http://support.microsoft.com/kb/555986

Best Practices for Delegating Active Directory Administration  http://www.microsoft.com/en-us/download/details.aspx?

You can also install RSAT (Win7) and adminpak (WinXP) to manage the delegated control; there is no need to log in to the DC.

You should also enable auditing to track the activities carried out by these users. In order to find out changes, creation or deletion events, you must keep the “Account Management” auditing enabled.

Apart from the auditing, you can use third-party tools like Quest and Netwrix to find out WHO changed WHAT, WHEN, and WHERE to list additions, deletions, and modifications made to Active Directory users, groups, computers, OUs, and group memberships.
 
NetWrix tool : http://www.netwrix.com/active_directory_change_reporting_freeware.html
Quest: http://www.quest.com/changeauditor-for-active-directory/

How to View or Delete Active Directory Delegated Permissions
http://social.technet.microsoft.com/wiki/contents/articles/6477.how-to-view-or-delete-active-directory-delegated-permissions.aspx
0