Re: Auditing AD Groups




As you are beginning to find out, there is no easy way this can be run. The best course of action is having a good plan on naming conventions and don't hand out access via user names. Think about the millions of files on each server/workstation and then imagine how quickly these are added and deleted. There is really no way any process could possibly track all these changes in even a moderately sized organization.

What we do is we have a SAN that has an organized list of shares, each of those shares has its own OU. Within the shares there are root folders (1000's), each has its own group name with an appended Admin/Users/Read Only applied to it. So we know exactly at this root level where permissions are set. If a department wants to start to be more creative we give them the admin ability to change below this root, and if they run into trouble we will reset back to the original level we initially built. There are very few who opt out of this and it helps to control access as well as know who has access to what. It's just a thought but maybe something to start thinking about, which is control via layout and documentation so you don't have to go back and guess who has access to what.


--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.


"H_Slick" <HSlick@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:A6ACB7EC-1A23-43B5-9698-385CD9671181@xxxxxxxxxxxxxxxx
Over a period of time we have created a number of Active Directory Groups and
used them throughout our servers farm to access various resources (Terminal
services, file sharing, etc.) Is there a tool that can audit these Active
Directory Groups to determine where (the servers) they are used and what they
are used for?

Thank you
Harry
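
An added example, not part of the posts above: PowerShell that checks the explicit ACL entries on each root folder of a share against the "folder name plus Admin/Users/Read Only" group convention described in the reply, and reports anything else, such as access handed out directly to a user name. The share path, domain name, exact group-name format and the list of built-in principals are assumptions.

```powershell
# Added example: audit root-folder ACLs against a group naming convention.
# Assumed (not from the posts): share path, NetBIOS domain name, and the
# "<FolderName> <Role>" group-name format.
param(
    [string]$SharePath = '\\san01.example.test\Dept',   # placeholder share
    [string]$Domain    = 'EXAMPLE'                        # placeholder domain
)

# Role suffixes named in the reply
$roles   = 'Admin', 'Users', 'Read Only'
# Built-in principals tolerated on every root folder (assumption)
$builtin = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'

function Test-RootFolderAcl {
    param(
        [string]$FolderName,
        [string[]]$Identities,
        [string]$Domain
    )
    # Groups the convention says must exist on this folder
    $expected = $roles | ForEach-Object { "$Domain\$FolderName $_" }
    $allowed  = $expected + $builtin
    [pscustomobject]@{
        Folder     = $FolderName
        # Anything outside the convention: user accounts, ad hoc groups
        Unexpected = @($Identities | Where-Object { $_ -notin $allowed })
        # Convention groups that are absent from the ACL
        Missing    = @($expected | Where-Object { $_ -notin $Identities })
    }
}

Get-ChildItem -LiteralPath $SharePath -Directory | ForEach-Object {
    $acl = Get-Acl -LiteralPath $_.FullName
    # Only explicit entries: the convention sets permissions at this level
    $ids = @($acl.Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique)
    Test-RootFolderAcl -FolderName $_.Name -Identities $ids -Domain $Domain
} | Where-Object { $_.Unexpected -or $_.Missing } |
    Format-Table -AutoSize -Wrap
```

Folders that follow the convention produce no output; each row that does appear is a root folder to reset or document.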
