we wish to do some testing about how well managed our AD is. What we had in mind was to pick a sample of tickets from the helpdesk system to ensure:
Where an AD account was created in the domain - this was properly authorised by the users line manager.
Where a request was logged to add an AD account into a security group - this was properly authorised by the users line manager.
Can you think of any other useful checks in terms of AD changes that should have a proper authorisation, that we can build into our testing? Anything where end users could abuse the process to gain access to information in which they should not be able to. They were the 2 obvious ones but I am open to other ideas.