Monday, 11 August 2014
On 03:20 by Unknown in ad delegate control, ad view delegate permissions, view delegate permissions No comments
Active Directory (AD) delegation is one of the most critical aspects of any organization's IT infrastructure. By delegating administration, you grant users or groups only the permissions they need, without adding them to privileged groups such as Account Operators or Domain Admins. Delegation improves the productivity of the IT department by letting non-administrative staff carry out specific administrative tasks in Active Directory, and it improves the security of the environment because membership of the highly privileged groups stays small; it also lets you decentralize AD administration. The simplest way to delegate is the Delegation of Control Wizard in the Active Directory Users and Computers snap-in for the Microsoft Management Console (MMC).
Delegating rights on an organizational unit (OU), and by inheritance on every object in that OU, is a powerful way of granting specific individuals or groups exactly the rights they need to perform particular operations. If delegation was done through the wizard, inspecting the permissions on the parent container shows which users and groups have been granted rights over that container and over every object beneath it.
To view the delegated permissions and determine which users have rights on a specific object in Active Directory, follow these steps:
- Open Active Directory Users and Computers and make sure Advanced Features is checked under the View menu (without it the Security tab is not shown).
- Navigate to the desired object, right-click it, and select Properties.
- From the object's Properties dialog, choose the Security tab.
- Click Advanced, then select the Permissions tab.
- Double-click any entry you want to inspect to see the full list of permissions it grants, the object types it applies to, and whether it is inherited from a parent container.
Determining the complete set of rights on all objects in Active Directory can also be automated: retrieve all users, groups and nested groups together with the ACLs on the objects in Active Directory, then filter the result on whatever criteria you need (a particular trustee, a particular right, a particular OU).
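The following PowerShell script is an added example, not code from the original post: it does what the manual steps and the automation paragraph above describe, walking an OU tree, collecting the ACEs set directly on each OU, and resolving attribute and extended-right GUIDs to names so the report is readable. It assumes the ActiveDirectory module (RSAT) on a domain-joined host and a user who can read the OUs' security descriptors; the starting OU distinguished name and the HelpDesk group name are hypothetical.

```powershell
# Added example (not from the original post): list the permissions delegated on an OU
# and on every OU beneath it, resolving attribute/extended-right GUIDs to names.
# Assumes the ActiveDirectory module (RSAT); the starting OU below is hypothetical.
Import-Module ActiveDirectory

$searchBase = 'OU=Corp,DC=corp,DC=example'   # hypothetical starting OU, replace with your own

# Build a GUID -> name map so ObjectType/InheritedObjectType are readable instead of raw GUIDs.
# Attribute and class GUIDs live in the schema (schemaIDGUID); extended rights such as
# "Reset Password" live under CN=Extended-Rights in the configuration partition (rightsGuid).
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties name, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.name }

function Resolve-AdGuid([guid]$Guid) {
    if ($Guid -eq [guid]::Empty) { return 'All' }     # empty GUID = applies to all attributes/classes
    if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
    return $Guid.ToString()
}

# Walk the OU tree and keep only the ACEs set directly on each OU. Inherited ACEs come from a
# parent and would otherwise be reported once per child OU, hiding where delegation was done.
$report = foreach ($ou in Get-ADOrganizationalUnit -SearchBase $searchBase -Filter *) {
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        [pscustomobject]@{
            OU          = $ou.DistinguishedName
            Trustee     = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            Property    = Resolve-AdGuid $ace.ObjectType            # attribute / extended right
            AppliesTo   = Resolve-AdGuid $ace.InheritedObjectType   # object class the ACE targets
            Inheritance = $ace.InheritanceType
        }
    }
}

# Filter on whatever criteria you need: everything a particular group was delegated (the
# group name is hypothetical), or every trustee that holds the "Reset Password" extended
# right, whose schema name is User-Force-Change-Password.
$report | Where-Object { $_.Trustee -like '*HelpDesk*' } | Format-Table -AutoSize
$report | Where-Object { $_.Property -eq 'User-Force-Change-Password' } | Format-Table -AutoSize
```

Filtering on non-inherited ACEs is what makes the output useful for the question the post raises: each row is a place where someone (usually the wizard) wrote an ACE, so removing a delegation that is no longer needed means removing exactly that row's ACE on that OU.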
Limitation of Manual Approach
Delegation of administration is a convenient name for setting access control lists on organizational units and accounts in Active Directory, but it has limitations. The key drawback of the native delegation model is that it cannot grant access based on job function: there is no role layer between a trustee and the individual ACEs.
To provide the permissions, administrators must manually assign numerous sets of rights across a large number of objects in Active Directory. Situations also arise where it becomes nearly impossible to withdraw all unnecessary privileges from users whose responsibilities have changed, because the ACEs written by each wizard run are scattered across containers and are not tracked as a unit. Such an approach leaves a lot of room for error.
Conclusion
So while delegation is unquestionably beneficial, it is also a quick way to clutter directory permissions, make auditing harder, and turn permissions management into a time-consuming procedure. At the same time, the Delegation of Control Wizard spares you from searching for all the permissions needed for the task you are delegating, and it sets permission inheritance appropriately, so that sub-organizational units can be included in the delegation if desired.
Thursday, 7 August 2014
Users logging on to or off their domain computers is a routine activity in any enterprise. It may look like a simple Active Directory event, but administrators can put this data to good use for audit, compliance and operational needs. Organizations look for audit details on user logons and logoffs for requirements such as:
- Find out users who accessed or made an attempt to access Workstations or Domain controllers through a remote network computer.
- Determine peak login times for specific user in the domain.
Complete, automated tracking of user activity is never easy, but it is important: the growth of compliance regulations and heightened security concerns are pushing many organizations to track every AD user logon and logoff. So how do you track logon information? One native answer is to run logon and logoff scripts through Group Policy.
The steps to track AD user logon and logoff activity this way are explained below:
Set up a Share on the network
First, create and share a folder that the users you want to log can write to. Rather than giving Everyone full access, grant the logging users (for example Authenticated Users) only the NTFS rights needed to create files and append data, and reserve Read and Full Control for administrators, so that users cannot read each other's logs or rewrite their own. Keep in mind that a log written by the user's own session is not a tamper-proof audit trail.
It is usually suggested to make the share hidden, \\server\share$\; note that the trailing $ only keeps the share out of browse lists and gives no protection by itself.
To make you understand, we are making use of two different folders in shared location, one for computers \\server\share$\Computers\ and another for users \\server\share$\Users\.
Create the batch files
- Create logon.bat with the following contents and put it at \\server\share$\logon.bat:
ver >>\\server\share$\Computers\%computername%.txt
echo %username% logged on %date% - %time% >>\\server\share$\Computers\%computername%.txt
ipconfig /all |findstr Address >>\\server\share$\Computers\%computername%.txt
echo %computername% logged on %date% - %time% >>\\server\share$\Users\%username%.txt
ipconfig /all |findstr Address >>\\server\share$\Users\%username%.txt
The first line appends the OS version to computer_name.txt on the share. The second appends the name of the logged-on user together with the date and time the script ran. The third appends the IP and MAC addresses of the network interfaces (every ipconfig line containing the word Address). The last two lines write the same logon record and address information into user_name.txt under \\server\share$\Users\, so the data can be read either per computer or per user.
- Create logoff.bat with the following contents and put it at \\server\share$\logoff.bat:
echo %username% logged off %date% - %time% >>\\server\share$\Computers\%computername%.txt
echo %computername% logged off %date% - %time% >>\\server\share$\Users\%username%.txt
Add the batch files to group policy
Next, make those .bat files run every time a user logs on and logs off:
- Open Group Policy Management, create a GPO and link it to the OU that contains the targeted users.
- Right-click that GPO and select Edit.
- Navigate to User Configuration\Windows Settings\Scripts (Logon/Logoff), double-click Logon and click Add.
- Browse to logon.bat (\\server\share$\logon.bat) and click OK.
- Repeat for Logoff, adding \\server\share$\logoff.bat.
Once Group Policy has refreshed on the clients, you will get a log file detailing when and where each user logs on and off.
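The following PowerShell function is an added example, not part of the original post: it reads one of the per-user log files the logon/logoff batch scripts produce and answers two of the questions listed at the start of the post, which machines a user logged on to and at which hour they usually log on. The sample lines are constructed to match the "computername logged on/off date - time" format the scripts write, with ipconfig lines interleaved as they would be in a real file; \\server\share$ is the post's hypothetical share.

```powershell
# Added example (not from the original post): summarise a per-user log file written by the
# logon/logoff batch scripts. Input format per line: "<host> logged on|off <%date%> - <%time%>",
# with the output of "ipconfig /all | findstr Address" interleaved.
function Get-LogonSummary {
    param([string[]]$Lines)

    # %date% varies by locale (it may include a day name), so the date is matched non-greedily
    # up to the " - " separator and only the hour of %time% is used for the peak-hour question.
    $events = foreach ($line in $Lines) {
        if ($line -match '^(?<host>\S+) logged (?<action>on|off) (?<date>.+?) - (?<hour>\d{1,2}):(?<min>\d{2})') {
            [pscustomobject]@{
                Host   = $Matches['host']
                Action = $Matches['action']
                Date   = $Matches['date']
                Hour   = [int]$Matches['hour']
            }
        }
    }
    $logons = @($events | Where-Object Action -eq 'on')

    [pscustomobject]@{
        Logons  = $logons.Count
        Logoffs = @($events | Where-Object Action -eq 'off').Count
        Hosts   = @($logons | Select-Object -ExpandProperty Host -Unique)
        # Logons per hour of day, busiest first: the first entry is the user's peak logon hour.
        ByHour  = $logons | Group-Object Hour | Sort-Object Count -Descending |
                  ForEach-Object { [pscustomobject]@{ Hour = [int]$_.Name; Logons = $_.Count } }
    }
}

# Constructed sample input standing in for \\server\share$\Users\jdoe.txt (hypothetical user)
$sample = @(
    'WS01 logged on Mon 11/08/2014 - 08:02:13.55',
    '   Physical Address. . . . . . . . . : 00-11-22-33-44-55',   # ipconfig lines are ignored
    '   IPv4 Address. . . . . . . . . . . : 10.0.0.15(Preferred)',
    'WS01 logged off Mon 11/08/2014 - 17:10:44.01',
    'WS07 logged on Tue 12/08/2014 - 08:15:09.12',
    'WS07 logged off Tue 12/08/2014 - 12:01:00.00',
    'WS07 logged on Tue 12/08/2014 - 13:05:30.77',
    'WS01 logged on Wed 13/08/2014 - 09:58:00.00'
)

$summary = Get-LogonSummary -Lines $sample
$summary | Format-List            # 4 logons, 2 logoffs, hosts WS01 and WS07
$summary.ByHour | Format-Table -AutoSize   # hour 8 is the peak with 2 logons

# Against the real share, one summary per user file:
# Get-ChildItem '\\server\share$\Users\*.txt' | ForEach-Object {
#     Get-LogonSummary -Lines (Get-Content $_.FullName) |
#         Add-Member -NotePropertyName User -NotePropertyValue $_.BaseName -PassThru
# }
```

Because the scripts only record interactive logons on machines where the GPO applies, a user who never shows up in a file may still have logged on over the network; the Security log on the domain controllers remains the authoritative source for that.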
Limitations
Tracking logons with scripts has limitations of its own: logon scripts run only for interactive logons on computers where the GPO applies, so network logons, service logons and failed logon attempts are never recorded, and the log files are written by the users' own sessions. The native alternative also has drawbacks. Every logon is recorded in the Security log of the Active Directory domain controllers (DCs), but that data:
- Needs expertise to interpret, because the individual event IDs and their relationship to a single logon action are not obvious.
- Grows huge in volume. Every logon activity on or by any Active Directory object is logged on the domain controllers, and after a while this event log data piles up to a very large volume.
Summary
Compliance regulations and heightened security concerns push many organizations to track every AD user logon and logoff. Logon and logoff scripts deployed through Group Policy are a simple native way to record when and where each user logs on and off, as long as you keep their coverage limits in mind and do not treat user-writable log files as an audit trail.
Wednesday, 6 August 2014
On 23:52 by Unknown in auditing active directory changes, Auditing Changes to AD Objects No comments
All objects in Active Directory (users, groups, OUs, Group Policy objects and so on) are structured according to the AD schema of object classes and attributes. AD objects can be fairly complex because of the attributes associated with them: if even one attribute is removed or altered, other applications or systems that rely on it can fail. Moreover, every time an object is changed, several events are recorded, so it is important to find all the events that relate to a change.
Enabling auditing on Active Directory objects is a must. Note, however, that audit settings vary slightly between Windows versions, so in a mixed environment consult each version's documentation for the appropriate audit settings.
Windows Server 2008 Auditing Change
Before Windows Server 2008, auditing could only tell you that a value had changed; it would not tell you what the value was before the change. Auditing on Windows Server 2003 R2 therefore provides little usable information in the events it records in the security event log.
Windows Server 2008 is different. It gives administrators the ability to record changes to AD objects, including both what the value of an attribute was and what it is now. In Windows Server 2008 the Directory Service audit policy is configurable in four subcategories:
- Directory Service Access
- Directory Service Changes
- Directory Service Replication
- Detailed Directory Service Replication
Auditing can be enabled on a single object, on an OU, or on the whole domain. The following steps show how to enable it; right-click the domain root instead of an OU if you want domain-wide auditing.
1. Press Windows + R, type dsa.msc and click OK (or click Start --> Administrative Tools --> Active Directory Users and Computers).
2. Click View and make sure Advanced Features is checked. If it is not, click it to place a check next to it.
3. Right-click the Organizational Unit (or the domain root) you want to audit. In this example we audit the Users container. Click Properties.
4. Click the Security tab. Note: if the Security tab is not shown, Advanced Features is not checked under the View menu.
5. Click Advanced.
6. Click the Auditing tab, then click Add.
7. Under "Enter the object name to select:", type Authenticated Users and click OK.
8. In the next window, under "Apply onto:", select Descendant User Objects. Under Access, check the box next to Write all properties (Successful, and also Failed if you want denied attempts recorded) and click OK.
9. Click OK until all dialog boxes are closed.
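The following PowerShell script is an added example, not code from the original post: it applies the same audit configuration as the steps above from the command line, adds the step the GUI walkthrough leaves implicit (enabling the Directory Service Changes audit subcategory, without which the SACL produces no events), and reads back the resulting 5136 events. It assumes the ActiveDirectory module on a domain controller, run with Domain Admin rights; the OU distinguished name is hypothetical.

```powershell
# Added example (not from the original post): configure AD change auditing from PowerShell and
# read the resulting "directory service object was modified" events (5136).
# Assumes the ActiveDirectory module on a DC; the target OU below is hypothetical.
Import-Module ActiveDirectory

$targetDn = 'OU=Users,DC=corp,DC=example'   # hypothetical; use the domain DN for domain-wide auditing

# 1. Audit policy. The SACL alone logs nothing: the Directory Service Changes subcategory must be
#    enabled on every DC. On Windows Server 2008 use auditpol; on 2008 R2 and later prefer
#    Advanced Audit Policy Configuration in the Default Domain Controllers Policy so it persists.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 2. SACL: audit "Write all properties" by Authenticated Users on descendant user objects,
#    which is what the GUI steps above configure.
$authenticatedUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
$userClassGuid      = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class

$ruleArgs = @(
    $authenticatedUsers,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]'Success, Failure',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid
)
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $ruleArgs

$acl = Get-Acl -Path "AD:\$targetDn" -Audit     # -Audit is required to read and write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$targetDn" -AclObject $acl

# 3. Read back what changed. The "old and new value" of Windows Server 2008 arrive as a pair of
#    5136 events: one "Value Deleted" (OperationType %%14675) with the old value and one
#    "Value Added" (%%14674) with the new value, both naming the object and attribute.
function Get-AdChangeEvents {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -MaxEvents $MaxEvents `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $op = $data.OperationType
            if ($op -eq '%%14674') { $op = 'Value Added' } elseif ($op -eq '%%14675') { $op = 'Value Deleted' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Who       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object    = $data.ObjectDN
                Attribute = $data.AttributeLDAPDisplayName
                Value     = $data.AttributeValue
                Operation = $op
            }
        }
}

Get-AdChangeEvents -MaxEvents 20 | Format-Table -AutoSize
```

Event 5136 is written on the domain controller that processed the write, so run the query (or better, forward the Security log) on every DC rather than on one.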
This configures change auditing for the container you selected and everything beneath it, or for the whole domain if you started from the domain root. Before anything appears in the Security event log, two conditions must hold: the Directory Service Changes subcategory must be enabled on the domain controllers (with auditpol on Windows Server 2008, or through Advanced Audit Policy Configuration in the Default Domain Controllers Policy on 2008 R2 and later), and the SACL you just set must match the operation. With both in place, every modified attribute produces event 5136 on the DC that processed the change, and the old and new values are reported as a pair of 5136 events (Value Deleted and Value Added).
Nevertheless, keep one important point in mind. Auditing has a cost, and too many audit entries can degrade DC performance, so strike a balance between the actual requirement for detailed audit information and the load on your DCs. Moreover, because the audit data stays on the domain controllers, it is not a reliable audit trail of administrator actions on its own: an administrator can clear or alter the local log, so forward the events to a collector that the DC administrators do not control. In addition, Windows Server 2008 provides no real reporting or analysis capabilities for the Windows security log.
To safeguard Active Directory, real-time monitoring is a must, as it helps you identify high-impact, suspicious or prohibited changes. One way to achieve this is a third-party Active Directory auditor such as LepideAuditor for Active Directory, which provides real-time monitoring and reports on specific objects.
Summary
Enabling auditing on Active Directory objects is a must. Windows Server 2008 provides native functionality for auditing changes, but significant gaps and limitations remain. To safeguard Active Directory, real-time monitoring is needed, and a third-party Active Directory auditing tool is one way to get it.