Monday, 11 August 2014

Active Directory (AD) delegation is one of the most critical aspects of any organization's IT infrastructure. By delegating administration, you as an administrator grant users or groups only the permissions they need, without adding them to privileged groups (e.g., Account Operators, Domain Admins). Delegation improves the productivity of the IT department by letting non-administrative users carry out specific administrative tasks in Active Directory, and it improves the security of the environment and can even decentralize Active Directory administration. The simplest way to accomplish delegation is the Delegation of Control Wizard in the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.

Delegating rights on an organizational unit (OU) container (and by extension on all of the objects in that OU) is an extremely powerful way of granting specific individuals or groups the rights they need to carry out specific operations. Presuming that delegation has been done through the Delegation of Control Wizard, inspecting the permissions granted on the higher-level container shows you which users and groups have been granted permissions on that container and on every object it contains.

To view the delegated permissions and determine which users have rights on a specific object in Active Directory, follow the steps below:

  1. Open the Active Directory Users and Computers console.
  2. Navigate to the desired object, right-click it, and select Properties.
  3. In the object's Properties dialog, choose the Security tab.
  4. Click Advanced, and then select the Permissions tab.
  5. Double-click any entry you want to inspect to view the full list of permissions specified for that object.

The entire set of user rights on all objects in Active Directory can also be determined with automation that retrieves the list of all users, groups and nested groups, together with their attributes and the ACLs on objects within Active Directory. You can then filter that list on whatever selection criteria you prefer.


Limitations of the Manual Approach

Delegation of administration is an impressive-sounding way of referring to setting access control lists on organizational units and accounts in Active Directory, but it has its own limitations. The key drawback of the native Active Directory delegation model is that it cannot grant user access based on job function.

In addition, to provide the permissions, administrators must manually assign numerous sets of different rights across a large set of objects in Active Directory. Situations also arise where it becomes nearly impossible to withdraw all unnecessary privileges from users whose responsibilities have changed. Such an approach leaves much room for error.

Conclusion

So while delegation is unquestionably very beneficial, it also turns out to be a quick way to clutter up directory permissions, make auditing more difficult, and make overall permissions management a time-consuming procedure. At the end of the day, though, the Delegation of Control Wizard gives you one facility where you don't have to search for all of the permissions needed to handle whatever task you are delegating. The Wizard helps ensure that permission inheritance is set appropriately, so that things like sub-organizational units can be included in the delegation if desired.

Thursday, 7 August 2014

Users logging on to and off from their domain computers is a routine activity in any enterprise. It may look like a simple Active Directory event, but administrators can make good use of this data for audit, compliance and operational needs. Organizations often need audit details on user logons and logoffs for operational requirements such as:

  • Finding out which users accessed, or attempted to access, workstations or domain controllers from a remote network computer.
  • Determining peak logon times for a specific user in the domain.

Many more practical demands in an Active Directory network call for audit information on domain account logons. Irregular use of the network by users is always a big concern for administrators, and a failed logon attempt is one way to spot such an irregularity.

Complete, automated tracking of user activity is never an easy job, but it is very important. These days the proliferation of compliance regulations and heightened security concerns are forcing many organizations to track every single AD user logon and logoff. The key question is how to track that logon information, and the answer lies in the successful implementation of user logon and logoff scripts in Group Policy.

The steps you need to follow to track AD user logon and logoff activity are explained below:

Set up a Share on the network

First, create and share a folder with full share permissions for Everyone, as well as full NTFS permissions for the users you want to log.

It is recommended to make it a hidden share, e.g. \\server\share$\.

In this example we use two folders in the shared location, one for computers (\\server\share$\Computers\) and another for users (\\server\share$\Users\).

Create the batch files

  • Create logon.bat with the contents below and save it as \\server\share$\logon.bat.
  • The file contains the following commands:

        ver >>\\server\share$\Computers\%computername%.txt

        This command returns the OS version and appends it to computer_name.txt on your share.

        echo %username% logged on %date% - %time% >>\\server\share$\Computers\%computername%.txt

        This command writes the name of the user who logged on, with the date and time the script ran, to computer_name.txt on your share.

        ipconfig /all |findstr Address >>\\server\share$\Computers\%computername%.txt

        This command returns the IP and MAC addresses of the network connections and appends them to computer_name.txt on your share. Only one output file is redirected here: a second path on the findstr command line would be treated as a file to search, not as a second output file, so the user file is written by the separate commands below.

        echo %computername% logged on %date% - %time% >>\\server\share$\Users\%username%.txt
        ipconfig /all |findstr Address >>\\server\share$\Users\%username%.txt

        These commands write the same information into the user_name.txt files under \\server\share$\Users\.

  • Create logoff.bat with the contents shown below and save it as \\server\share$\logoff.bat:

        echo %username% logged off %date% - %time% >>\\server\share$\Computers\%computername%.txt
        echo %computername% logged off %date% - %time% >>\\server\share$\Users\%username%.txt

Add the batch files to group policy

Now the next step is to make those .bat files run every time a user logs on or off. To achieve this, follow the steps below:

  1. Open Group Policy Management, then create a GPO and link it to the OU containing the targeted users.
  2. Right-click that GPO and select Edit.
  3. Navigate to User Configuration\Windows Settings\Scripts (Logon/Logoff), double-click Logon and click Add.
  4. Browse to logon.bat (\\server\share$\logon.bat) and click OK.
  5. Now open Logoff, click Add, browse to logoff.bat (\\server\share$\logoff.bat) and click OK.

Finally, once you have followed all the steps above, you will get a log file detailing when and where each user logs on and logs off.
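As an added example (not from the original post), here is a small Python parser for the per-user files that logon.bat and logoff.bat write under \\server\share$\Users\: it pairs each logon with the next logoff on the same computer, flags logons that never got a logoff record, and finds the peak logon hour asked about above. The sample file content is constructed and assumes the US-locale %date% and %time% formats.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of a \\server\share$\Users\<user>.txt file as logon.bat/logoff.bat
# would write it (assumes the US-locale "ddd MM/dd/yyyy" %date% and "HH:mm:ss.cc" %time%).
SAMPLE_USER_LOG = """\
PC01 logged on Mon 08/11/2014 - 09:02:15.12
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Physical Address. . . . . . . . . : 00-15-5D-01-02-03
PC01 logged off Mon 08/11/2014 - 17:45:01.55
PC01 logged on Tue 08/12/2014 - 09:10:40.03
PC01 logged off Tue 08/12/2014 - 12:30:00.00
DC01 logged on Tue 08/12/2014 - 09:55:07.88
"""

# One "<host> logged on|off <date> - <time>" line; the ipconfig lines do not match.
EVENT_RE = re.compile(
    r"^(?P<host>\S+) logged (?P<kind>on|off) "
    r"(?:\w{3} )?(?P<date>\d{2}/\d{2}/\d{4}) - (?P<time>\d{2}:\d{2}:\d{2})")

def parse_events(text):
    """Return a list of (host, 'on'|'off', datetime) in file order."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
            events.append((m["host"], m["kind"], when))
    return events

def build_sessions(events):
    """Pair each logon with the next logoff on the same host.
    Returns (closed sessions as (host, start, end), open logons as (host, start)); an open
    logon is a session with no logoff record (unclean shutdown, or logoff.bat did not run).
    """
    open_by_host, sessions = {}, []
    for host, kind, when in sorted(events, key=lambda e: e[2]):
        if kind == "on":
            open_by_host[host] = when          # a repeated logon supersedes the earlier one
        elif host in open_by_host:
            sessions.append((host, open_by_host.pop(host), when))
    return sessions, sorted(open_by_host.items())

def peak_logon_hour(events):
    """Hour of day (0-23) with the most logons, or None; ties go to the earliest hour."""
    hours = Counter(when.hour for _, kind, when in events if kind == "on")
    return min(hours, key=lambda h: (-hours[h], h)) if hours else None
```

Run the same functions over every file in the Users\ folder to get a per-user view, or over the Computers\ files (where the first field is the user name) to get a per-machine view.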

Limitations

However, tracking through this native, manual Active Directory method has its own limitations. Every logon is also logged in the Security logs of the Active Directory domain controllers (DCs), but that data:

  • Requires expertise to understand, as it is difficult to relate specific event numbers to a logon action.
  • Grows huge in volume. Every logon activity on or by any Active Directory object is logged on the domain controller, and after a while this event log data piles up to a huge volume.

You can overcome such limitations with the help of a third-party Active Directory auditor like LepideAuditor for Active Directory. The utility audits specific logon events and current and past logon activity, and lists all logon failures. It also lets you generate reports on defined objects, classes and operations and save them in CSV, PDF or MHT format. It performs real-time auditing, eliminating the need to collect changes manually.

Summary

These days the proliferation of compliance regulations and heightened security concerns are forcing many organizations to track every single AD user logon and logoff. The key question is how to track that logon information, and the answer lies in the successful implementation of user logon and logoff scripts in Group Policy.



Wednesday, 6 August 2014

All objects in Active Directory (e.g., users, groups, OUs and Group Policy objects) are structured according to the AD schema of object classes and properties. Active Directory objects can be fairly complex because of their associated attributes: if even one attribute is omitted or disturbed, other network applications or systems that rely on that attribute could fail. In addition, every time an object is changed, several events are recorded, so it is important to find all the events that relate to a change.

Enabling auditing on Active Directory objects is a must. Note, however, that audit settings vary slightly between versions of Windows, so if you have a mixed environment, be sure to consult each version's documentation for the appropriate audit settings.

Windows Server 2008 Auditing Changes

Before Windows Server 2008, auditing could only tell you that a value had changed; it would not tell you what the value was before the change. In fact, auditing on Windows Server 2003 R2 doesn't provide any really useful information in the events recorded in the Security event log.

Things are quite different in Windows Server 2008, which gives administrators the ability to record changes to AD objects: you can see what the value of the attribute was before and what it is now. In Windows Server 2008 the auditing policy is configurable for four subcategories:

  • Directory Service Access
  • Directory Service Changes
  • Directory Service Replication
  • Detailed Directory Service Replication

Enabling Auditing of Changes to AD Objects

You can enable auditing on a single object, at the OU level, or at the domain level.

Following are the steps to enable domain-level auditing.

1. Press Windows + R.
2. Type dsa.msc and click OK.
Note: You can skip the above steps by clicking Start --> Administrative Tools --> Active Directory Users and Computers.
3. Click View and make sure that Advanced Features is enabled. If it is not, click it to place a check mark next to it.
4. Right-click the Organizational Unit you want to audit (in our example, Users) and click Properties.
5. Click the Security tab.
Note: If the Security tab is not available, make sure that Advanced Features is checked under the View menu.
6. Click Advanced.
7. Click the Auditing tab, then click Add.
8. Under Enter the object name to select:, type Authenticated Users and click OK. In the next window, under Apply onto:, select Descendant User Objects. Under Access, check the box next to Write all properties and click OK.
9. Click OK until you have closed all dialog boxes.

This way you can configure change auditing for the complete Active Directory domain, and you can then check the Security event log for any changes made to AD objects.

Nevertheless, take care of one important point. Auditing can be very time consuming, and too many audit entries can ultimately affect your DC's performance; there should always be a compromise between the actual need for detailed auditing information and the performance of your DCs. Moreover, as the audit data remains on the domain controllers, it cannot always be used as a reliable audit trail of administrator actions, because administrators can erase or modify any file on the system. In addition, Windows Server 2008 does not provide any real reporting or analysis capabilities for the Windows Security log.

To safeguard Active Directory, real-time monitoring is a must, as it helps you identify high-impact, suspicious or prohibited changes, and the ideal way to achieve this is with a third-party Active Directory auditor such as LepideAuditor for Active Directory. The tool allows you to perform real-time monitoring and provides reports for monitoring specific objects.

Summary

Enabling auditing on Active Directory objects is a must. Windows Server 2008 provides some native functionality for auditing changes, but significant gaps and limitations remain. To safeguard Active Directory, real-time monitoring is a must, and the best way to achieve it is with a third-party Active Directory auditing tool.

Thursday, 30 January 2014


The importance of auditing Active Directory can be proved with a single fact: doing so helps maintain the security and integrity of an organization's IT infrastructure. However, auditing with the traditional Windows native tools is a time-consuming and difficult process, and it becomes even more cumbersome when the auditor has to deal with difficult-to-understand event details.