How to Audit Security Permissions and Access Rights in Active Directory
Active Directory is the foundation of security and IT management in Windows Server-based
IT infrastructures. It stores and protects all the building blocks of security, including the
user accounts used for authentication, the security groups used for authorization to the resources
stored on all servers, and the audit records of identity and access management tasks. In addition,
it is the focal point of administrative delegation in Windows-based environments.
As a result, a substantial amount of access provisioning is done in Active Directory
to fulfill business requirements such as the following:
1. Delegation of administrative duties to fulfill IT management needs and gain cost efficiencies
2. Provisioning of access to group owners and managers for project-specific group management
3. Provisioning of access to line-of-business and other service accounts of AD integrated services
4. Provisioning of access for in-house or vendor-supplied AD integrated applications
5. Provisioning of access for security/other services that assist in identity/access management
In most AD environments, access provisioning has been an ongoing activity for years.
As a result, most deployments contain literally thousands of permissions granting varying
levels of access to numerous individuals, groups and service accounts.
The Need to Audit Active Directory Permissions
The need to audit Active Directory (AD) permissions is an important and very common one
for organizations. It is common because in every organization various stakeholders
need to know things like:
1. Who has what access in AD?
2. Who has what access on specific objects in AD?
3. Who can perform what operations on specific AD OUs?
4. Who is delegated what administrative tasks, where in AD, and how?
The need to have answers to these questions is driven by various aspects of IT and security management such as:
1. IT audits driven by internal needs and/or regulatory compliance needs
2. Security risk assessment and mitigation activities aimed at managing risk
3. Security vulnerability assessment and penetration testing results
In all such cases, the one commonality is the need to know who has what access in AD,
and that one need can be fulfilled by performing an Active Directory access audit.
How to Audit Active Directory Permissions
The need to audit Active Directory permissions is thus a common one, for the reasons
stated above. In most organizations, numerous IT personnel in various roles, such as Domain
Admins, Delegated Admins, IT Security Analysts, IT Auditors, IT Managers and Application
Developers, at some point need to find out who has what access in Active Directory, whether
on a single Active Directory object, in an OU of objects, or across an entire Active
Directory domain.
To fulfill this need, most IT personnel perform an audit of Active Directory permissions,
hoping to find out who has what access in AD on one or more objects.
However, there is a very important point that most IT personnel often inadvertently miss,
which is that what they actually need to find out is not who has what permissions in Active
Directory, but who has what effective permissions in Active Directory.
As a result, they invest substantial time and effort in trying to audit AD permissions
via command-line tools, scripts and other means. In doing so, they not only lose substantial
time and effort but, more importantly, end up with inaccurate data. Relying on that data can
lead to incorrect access decisions and the introduction of unauthorized access in AD, which
poses a serious risk to their security.
One needs to know who has what effective permissions in AD, rather than who has what
permissions, because effective permissions are what determine the access a user actually has.
The permissions on an object are a list of allow and deny entries, many of them granted to
groups rather than to individual users, and many of them inherited from parent objects; only
by resolving those entries for a given user, taking into account the user's nested group
memberships and the precedence of deny entries, does one arrive at the access that user
actually holds.
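To make that distinction concrete, here is an added Python model of how Windows resolves effective permissions on an AD object; it is not code from the original article, and the group memberships, rights names and OU DACL are constructed for illustration. A naive listing of ACEs that name the user alice shows nothing, while her effective rights come from nested group membership, an inherited ACE and an explicit deny entry.

```python
# Added example, constructed data: how Windows resolves effective permissions
# on an AD object. The raw DACL names trustees (mostly groups); the access
# check walks the ACEs in canonical order for the caller's token (user + groups).
from dataclasses import dataclass
GROUPS = {  # constructed membership: group -> direct members (users or groups)
    "Tier1-Ops": ["Helpdesk", "bob"],
    "Helpdesk": ["alice"],
    "Contractors": ["alice"],
}
RIGHTS = {"ReadProperty", "WriteMembers", "ResetPassword"}

@dataclass(frozen=True)
class Ace:
    kind: str            # "allow" or "deny"
    trustee: str         # user or group the ACE names
    rights: frozenset    # subset of RIGHTS granted or denied
    inherited: bool = False

SAMPLE_DACL = [  # constructed DACL of an OU, deliberately not in canonical order
    Ace("allow", "Tier1-Ops", frozenset({"ResetPassword", "WriteMembers"}), True),
    Ace("allow", "Helpdesk", frozenset({"ReadProperty"})),
    Ace("deny", "Contractors", frozenset({"ResetPassword"})),
]

def expand_token(principal):
    """The principal plus every group it belongs to, nested groups included."""
    token = {principal}
    while True:
        new = {g for g, m in GROUPS.items() if g not in token and token & set(m)}
        if not new:
            return token
        token |= new

def canonical(dacl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    rank = {(False, "deny"): 0, (False, "allow"): 1, (True, "deny"): 2, (True, "allow"): 3}
    return sorted(dacl, key=lambda a: rank[(a.inherited, a.kind)])

def raw_listing(dacl, principal):
    """What a naive permissions report shows: only ACEs naming the principal."""
    return {a for a in dacl if a.trustee == principal}

def effective_rights(dacl, principal, rights=RIGHTS):
    """Per right, the first ACE in canonical order that matches the token decides."""
    token = expand_token(principal)
    granted = set()
    for right in rights:
        for ace in canonical(dacl):
            if ace.trustee in token and right in ace.rights:
                if ace.kind == "allow":
                    granted.add(right)
                break
    return granted
```

Run `effective_rights(SAMPLE_DACL, "alice")` against `raw_listing(SAMPLE_DACL, "alice")`: the raw listing is empty, yet alice effectively holds ReadProperty and WriteMembers, and ResetPassword is withheld only because the explicit deny on Contractors is evaluated before the inherited allow on Tier1-Ops.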