Newcomer II

Auditing Active Directory Privileged Users

Hello all!

 

An organization that I work with has a domain administrator that is departing and concerns have been raised surrounding potential remnant accounts.  The DA is leaving on good terms, but has been entrenched for an extended period of time with little to no oversight of his activities.

 

Does anyone have any knowledge of a tool, whitepaper, etc. that would assist me in guiding the replacement administrator through ensuring any lingering privileged accounts are identified?

 

Thanks!

7 Replies
Newcomer III

Re: Auditing Active Directory Privileged Users

Hello George,

 

Unfortunately, I'm not sure that there is a "tool" for this.

Let me clear it up a bit. What exactly do you use your domain for?

If it's used for workstation and server authentication, I would check membership of groups: Domain Admins, Enterprise Admins, Schema Admins, Hyper-V Administrators (the full list of the default domain groups is here, but not all of them are privileged and have to be checked). Then I'd look at GPO to understand if there is a policy defining local admins on workstations/servers. If the policy or policies exist, I'd check the membership of these groups.

On the other hand, if you have any services using AD as a central authentication point (like SharePoint, Atlassian suite, etc.), you have to explore these services in more detail to get the names of privileged accounts and groups.

You have to do the same if you're using AD as a RADIUS server for your network equipment.

 

Hope it'll help a little.

 

Kind regards,

Vitaly
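The group-membership check Vitaly describes, written out as an added PowerShell example (this is not code from the thread or from any of its posters). It assumes the RSAT ActiveDirectory module and an account with ordinary read access to the domain. It resolves the built-in privileged groups by well-known SID so renamed groups are still found, expands nested membership, and also lists accounts that carry adminCount=1 but are no longer in any of those groups, which is where stale privilege from a long-tenured administrator tends to hide. Hyper-V Administrators and GPO-defined local admin groups are host-local and are not covered here.

```powershell
# Added example: enumerate effective membership of the built-in privileged AD groups.
# Assumes the RSAT ActiveDirectory module; run as an account with read access to the domain.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value

# Resolve groups by well-known SID rather than display name, so renamed groups are still found.
# Enterprise Admins and Schema Admins exist only in the forest root domain; in a child
# domain those two lookups fail and are skipped (run this against the root domain as well).
$privilegedGroupSids = @{
    "$domainSid-512" = 'Domain Admins'
    "$domainSid-519" = 'Enterprise Admins'
    "$domainSid-518" = 'Schema Admins'
    "$domainSid-520" = 'Group Policy Creator Owners'
    'S-1-5-32-544'   = 'Administrators'
    'S-1-5-32-548'   = 'Account Operators'
    'S-1-5-32-549'   = 'Server Operators'
    'S-1-5-32-550'   = 'Print Operators'
    'S-1-5-32-551'   = 'Backup Operators'
}

$members = foreach ($sid in $privilegedGroupSids.Keys) {
    $group = $null
    try { $group = Get-ADGroup -Identity $sid -ErrorAction Stop } catch { }
    if (-not $group) {
        Write-Warning "Group $($privilegedGroupSids[$sid]) ($sid) not found in this domain; skipped."
        continue
    }
    # -Recursive expands nested groups and returns the leaf users/computers only.
    Get-ADGroupMember -Identity $group -Recursive | ForEach-Object {
        [pscustomobject]@{
            PrivilegedGroup   = $group.Name
            Member            = $_.SamAccountName
            ObjectClass       = $_.objectClass
            DistinguishedName = $_.DistinguishedName
        }
    }
}

# Accounts stamped adminCount=1 were protected by AdminSDHolder at some point. Any that are
# not in the groups above either lost privilege without cleanup (stale flag, ACL inheritance
# still blocked) or hold privilege through some other path; both deserve a manual look.
$currentlyPrivileged = $members.Member | Sort-Object -Unique
$adminCountOrphans = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, LastLogonDate |
    Where-Object { $_.SamAccountName -notin $currentlyPrivileged } |
    Select-Object SamAccountName, Enabled, LastLogonDate

$members | Sort-Object PrivilegedGroup, Member | Format-Table -AutoSize
$adminCountOrphans | Format-Table -AutoSize

# Keep a dated snapshot so the next review can be diffed against this one.
$stamp = Get-Date -Format 'yyyyMMdd'
$members           | Export-Csv -NoTypeInformation -Path "privileged-members-$stamp.csv"
$adminCountOrphans | Export-Csv -NoTypeInformation -Path "admincount-orphans-$stamp.csv"
```

Run it once before the departing administrator leaves and once after the replacement has reviewed the list; the CSV diff is the audit record. Get-ADGroupMember -Recursive stops at the default 5000-member limit and may error on foreign security principals from trusted domains, so check the warnings rather than assuming an empty result means an empty group.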

Viewer III

Re: Auditing Active Directory Privileged Users

I am having similar issues. Other "custom groups" have been created that may, most likely, have almost Domain Admin privileges. I am not a Domain Admin, so it is difficult to find out how "powerful" these groups are.

I have been searching for an LDAP or PowerShell script to extract the privileges of these groups but have been striking out. I have seen some examples, but I cannot get them to execute. I am not an AD expert; I did do AD administration over 10 years ago, and of course things have changed.

If I can get a script to work, I will post it.
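The question above, how powerful a custom group really is, can be answered without Domain Admin rights because group membership and the domain's security descriptor are readable by ordinary authenticated users. The following is an added PowerShell example, not code from this poster or from the thread; it assumes the RSAT ActiveDirectory module, and the group name passed at the bottom is a placeholder. It checks three things: whether the group is nested, at any depth, inside a group that AdminSDHolder protects; whether the group itself is stamped adminCount=1; and whether the group has been granted rights on the domain naming context (full control, DACL or owner changes, or the directory replication extended rights) that make it equivalent to Domain Admins regardless of its name.

```powershell
# Added example: estimate how "powerful" a custom AD group is, using read-only queries.
# Assumes the RSAT ActiveDirectory module. The group name used at the bottom is a placeholder.
Import-Module ActiveDirectory

function Test-GroupPrivilege {
    param([Parameter(Mandatory)][string]$GroupName)

    $domain = Get-ADDomain
    $group  = Get-ADGroup -Identity $GroupName -Properties adminCount
    $dn     = $group.DistinguishedName

    # 1. Transitive parents: every group that contains this one at any nesting depth.
    #    LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) walks the member chain server-side.
    $parents = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" -Properties adminCount

    # 2. Parents that AdminSDHolder protects carry adminCount=1 (Domain/Enterprise/Schema Admins,
    #    Administrators, the *Operators groups and so on). Nesting inside one of those is
    #    inherited privilege, whatever the custom group is called.
    $protectedParents = $parents | Where-Object { $_.adminCount -eq 1 } |
        Select-Object -ExpandProperty Name

    # 3. Rights granted on the domain root itself. Full control, DACL/owner changes, and the
    #    replication extended rights each amount to Domain Admin-level control.
    $dangerousExtendedRights = @(
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
        '00000000-0000-0000-0000-000000000000'   # all extended rights
    )
    $identity = "$($domain.NetBIOSName)\$($group.SamAccountName)"
    $acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
    $dangerousAces = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $identity -and
        $_.AccessControlType -eq 'Allow' -and (
            ($_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner') -or
            ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
             $_.ObjectType.ToString() -in $dangerousExtendedRights)
        )
    }

    [pscustomobject]@{
        Group             = $group.Name
        AdminCount        = $group.adminCount
        NestedInProtected = $protectedParents
        DomainRootRights  = @($dangerousAces | ForEach-Object { $_.ActiveDirectoryRights.ToString() })
        Verdict           = if ($group.adminCount -eq 1 -or $protectedParents -or $dangerousAces) {
                                'Effectively privileged: review and manage it like Domain Admins'
                            } else {
                                'No domain-level privilege found; still check GPO local-admin policies and application roles'
                            }
    }
}

# Placeholder group name; substitute each custom group under review.
Test-GroupPrivilege -GroupName 'Custom-Ops-Admins' | Format-List
```

A clean verdict here is not a clean bill of health: a group can still be local Administrator on every server through a Restricted Groups or Group Policy Preferences setting, or hold an admin role inside SharePoint or Atlassian as Vitaly noted, and neither shows up in the domain's own ACLs. This script settles the directory-level question only.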

Community Champion

Re: Auditing Active Directory Privileged Users

 

@piperlester, ManageEngine may offer solutions to cater to this. (I've not utilized it yet, so I can't vouch for it; coordinate with the support to find out if it's what you're looking for.)

 

If you're working with an AD infrastructure that wasn't done properly or documented, you may have a hard time, and would want to start by getting a list of the privileged accounts using PowerShell.

 

Once you've gotten the list, either audit the accounts specifically, or set up auditing for privileged login events.

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
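The second half of Shannon's advice, auditing privileged logon events, as an added PowerShell example that is not code from the thread or its posters. Windows logs Event ID 4672 ("Special privileges assigned to new logon") whenever an account logs on holding administrative privileges such as SeDebugPrivilege or SeBackupPrivilege; collecting those from a domain controller and comparing the accounts against the approved list turns the static membership audit into an ongoing check. The domain controller name and the approved-admin list are placeholders, and the example assumes the "Special Logon" audit subcategory is enabled on the DCs.

```powershell
# Added example: summarize privileged logons (Event ID 4672) from a domain controller and flag
# accounts that are not on the approved privileged-account list.
# Assumes the "Special Logon" audit subcategory is enabled on the DCs, e.g.:
#   auditpol /set /subcategory:"Special Logon" /success:enable
# $DomainController and $ApprovedAdmins are placeholders.

function Get-PrivilegedLogonSummary {
    param(
        [string]$DomainController = 'DC01',                           # placeholder
        [string[]]$ApprovedAdmins = @('admin.alice', 'admin.bob'),    # placeholder approved list
        [int]$Days = 7
    )

    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4672
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction Stop

    $rows = foreach ($e in $events) {
        # The EventData fields are easiest to read from the event's XML form.
        [xml]$x = $e.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # SYSTEM and machine accounts (names ending in $) generate most of the volume; drop them.
        if ($data.SubjectUserName -eq 'SYSTEM' -or $data.SubjectUserName -like '*$') { continue }

        [pscustomobject]@{
            User       = $data.SubjectUserName
            Domain     = $data.SubjectDomainName
            Time       = $e.TimeCreated
            Privileges = ("$($data.PrivilegeList)".Trim() -split '\s+') -join ','
        }
    }

    $rows | Group-Object User | ForEach-Object {
        $ordered = $_.Group | Sort-Object Time
        [pscustomobject]@{
            User      = $_.Name
            Logons    = $_.Count
            FirstSeen = $ordered[0].Time
            LastSeen  = $ordered[-1].Time
            Approved  = $_.Name -in $ApprovedAdmins   # $false here is the finding to chase
        }
    } | Sort-Object Approved, Logons -Descending
}

Get-PrivilegedLogonSummary | Format-Table -AutoSize
```

Schedule this against every domain controller, since each DC only logs the logons it authenticated, and feed the "Approved = False" rows to whoever owns the privileged-account list. Expect service accounts and backup agents to appear at first; either add them to the approved list deliberately or remove the privilege, but do not leave them as unexplained noise.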
Community Champion

Re: Auditing Active Directory Privileged Users

I'd think that you could call Microsoft support and have them give you some suggestions for the best suite of tools that can assist you with this. I have not worked in that space for some time, so the remedies I knew of, I won't post here.

In addition, you could just as well ask this question in a Microsoft forum and I'm sure you'd get a myriad of answers.

Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
Newcomer II

Re: Auditing Active Directory Privileged Users

Just to close the loop on this. I have found a few solutions that offer this functionality, and no clear path to completing a full audit with PowerShell.

 

So far, my leading candidate is Paramount Defenses' AD Privileged Access Auditor tool, but I have not tested it.  I'm hopeful for budget in early 2020 and will post an update with which tool I end up using.

Viewer II

Re: Auditing Active Directory Privileged Users

A good tool that I use is AD Info - http://www.cjwdev.co.uk/Software/ADReportingTool/Info.html

It is fast, easy and cost-effective. It is a simple way of pulling quick reports without running PowerShell scripts. It gives you quite a bit of information that is relevant to AD.

 

I have never used Paramount Defenses, but the screens and information from what I see look similar.

 

Community Champion

Re: Auditing Active Directory Privileged Users

A client within New Zealand has been using Quest for this very purpose for some years, and is very happy with this solution:  https://www.quest.com/solutions/active-directory/

 

You may want to check it out.

 

Regards

 

Caute_cautim
