mish (Posts: 2), 09/02/2010 7:17 PM
Hi All,
How can I use adfind to generate a report showing entire AD groups and associated rights? For example, the Backup Operators user group has the following user rights: Backup Files, Shutdown the system, etc.
Thanks in Advance.
mish
skradel (Posts: 177), 09/02/2010 7:54 PM
These user rights are not stored in the directory per se, although some of them might be pushed to clients via GPO. I'm not aware of anything that will analyze the GPOs at this level in conjunction with local machine-specific, unmanaged settings.
--Steve
listmail (Posts: 822), 09/02/2010 9:10 PM
You can't. That info isn't in AD.
joe
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
Blog: http://blog.joeware.net
mish (Posts: 2), 09/02/2010 9:51 PM
Thanks Steve and Joe. So for auditing purposes, if one wanted to know what would be the effective rights if a user were placed in a group, this would be impossible? Because there could be a group that could be given a higher privileged right when they don't require it.
Thanks,
mish
skradel (Posts: 177), 09/02/2010 11:33 PM
It's certainly not impossible, but would require you to inventory the user rights assignments on the target machine(s) and compare against all the SIDs associated with adding a user to a security group. This would be a somewhat substantial amount of work but certainly valuable to know. Hmmm...
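One way to do the inventory Steve describes, as an added example that is not from this thread: export the local user rights assignments with secedit, then report which of them a given AD group would confer, either directly or because the group is nested in a local group on that machine. The group name (e.g. CONTOSO\Backup-Admins) is an assumed input; the script resolves SIDs on the box it runs on and needs to run elevated.

```powershell
# Added example: report which local user-rights assignments an AD group holds
# on this machine (directly, or via a local group that contains it).
param([Parameter(Mandatory)][string]$Group)   # e.g. 'CONTOSO\Backup-Admins' (hypothetical)

function Get-LocalUserRights {
    # secedit writes a Unicode .inf; the [Privilege Rights] section lists
    # SeXxxPrivilege = *SID,*SID,...
    $cfg = Join-Path $env:TEMP 'ura-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $cfg) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
        }
    }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    return $rights
}

function Resolve-Sid([string]$Account) {
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

# SIDs a member of $Group carries here: the group itself plus every local group
# that lists it as a member (one level of local nesting; AD nesting is not followed).
$sids = @(Resolve-Sid $Group)
foreach ($lg in Get-LocalGroup) {
    $members = Get-LocalGroupMember -Group $lg -ErrorAction SilentlyContinue
    if ($members.Name -contains $Group) { $sids += $lg.SID.Value }
}

$rights = Get-LocalUserRights
foreach ($priv in ($rights.Keys | Sort-Object)) {
    $hit = @($rights[$priv] | Where-Object { $sids -contains $_ })
    if ($hit.Count -eq 0) { continue }
    $via = foreach ($s in $hit) {
        try { (New-Object System.Security.Principal.SecurityIdentifier $s).Translate(
                  [System.Security.Principal.NTAccount]).Value } catch { $s }
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Right = $priv; HeldVia = ($via -join ', ') }
}
```

Run it on each server of interest and collect the objects to see where a group ends up with rights such as SeBackupPrivilege or SeRemoteShutdownPrivilege that its documented purpose does not call for.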
listmail (Posts: 822), 09/03/2010 6:16 AM
Full understanding of rights allocation has always been a tricky and utterly non-trivial subject because it reaches into all sorts of things including applications etc. A user could be placed in a group called StevesFishingBuddies and that group could have Remote Shutdown rights on some given member server in the environment and there is no centralized collection of that info. Further, that group could be given full rights over the corporate SQL Server system and again, no centralized view of that. On top of that there are numerous ACLs, etc. buried all over a system that could be allocated. Someone could assign that group to modify the registry entry hklm\system\currentcontrolset\services\ldap\ldapclientintegrity on some random machine and they could change that value day in and day out assuming they knew they had the permission and the desire to muck with it. The Windows security system is extremely flexible but due to that flexibility, you will have some measure of uncertainty unfortunately.
There are allegedly tools out there that will give you the global holistic view but I have never sat down and truly dug into them to see how in depth they really are but any tool that says it will show you "everything" I have great reservations about because "everything" is a pretty gigantic claim and is more likely a "sales everything" versus a "true everything".
The *best* solution to this to date is proper process and controls and documentation. You know what permissions a group has because you have defined what that group *should* have and you trust your personnel enough to have not gone out and done something else. Now the next thing I am going to say is going to be terribly politically incorrect but it is the reality of the situation. As you "best shore" your work force more and more, as you push more and more work towards unskilled, untrained, lower skilled, lower trained, cheaper resources, your expectation of adherence to process needs to go down and your expectation of auditing what is deployed needs to go up. I didn't make this up, I didn't cause this problem, I am just standing up and saying this is a problem, the reality is you need to be aware of it and take note of it and hopefully design your solutions with that in mind. I have seen situations where three different people followed the same checklist to build servers and none of the three ended up with the same result and none of the three had the correct result and this was not due to any failure in the checklist. This means that more and more everything needs to be scripted and automated. Failure to do so will result in inconsistency and issues that will make stability, availability, and functionality very inconsistent and I won't even go into the issues with troubleshooting when you don't know where you are even starting because you don't have a solid core base to start with.
In the long run, it would be awesome to see some sort of system where if a permission was assigned to a security principal in any system or application or anything else, that somehow was tied back to and reflected on the security principal. I just don't see it happening with Windows though, the model doesn't really support it.
joe
--
O'Reilly Active Directory Fourth Edition - http://www.joeware.net/win/ad4e.htm
Blog: http://blog.joeware.net