Hi Guys,
I'm new to Spice Works and I joined because I'm in search of the answer to a seemingly simple security question for which I have not been able to find a good answer yet. I've heard there are 2 million experts on Spice Works, so I figured if anyone could help me, it would be one of you guys.
My question is - How to find out / audit who is delegated what access in Active Directory?
The background is that we had an org change in our organization last month, and our new manager wants a top-down audit of all our systems, starting with our Active Directory administration model. Basically, the CIO decided to bring in a non-techie to fill the shoes of our former IT Security Director, and being non-techie, he's wanting answers in "simple" terms.
(Someone please tell him there's no such thing as "simple" when you're talking AD mgmt!)
So I'm supposed to furnish a list that documents what administrative tasks are delegated in our Active Directory, and to whom they are delegated. For example, he wants to know how many people can create accounts, delete OUs, reset passwords, change group memberships, unlock accounts, etc.
Now, we have a fair amount of delegation done over the years, but no one seems to know exactly who is delegated what, and I'm not sure how to go about figuring this out. I mean, I know we've got about 70 admins in all, including delegated admins and our offshore help-desk team, but we've never kept track of what was delegated to whom.
I've looked around a bit, done the usual Google searches, checked Technet and all, but at best I found a bunch of places suggesting using dsacls to find out who has what permissions.
Thing is, we have thousands of permissions on about 2000 different objects, including user and computer accounts, domain groups, some service connection points, and then our core OUs, so getting a bunch of permissions from dsacls doesn't help, other than giving me a headache trying to stare at them and make any sense of the techie gibberish.
So how am I supposed to audit who is delegated what admin tasks in our Active Directory?
I figured if anyone knew the answer, it would have to be one of you, so I'm posting this question with a lot of hope.
Hoping you can help.
- Simone
PS: To the chivalrous one who helps me figure this out, beer's on me when you visit the UK!
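One way to turn the raw ACE dump the post complains about into a per-trustee, per-task summary, as an added example that is not part of the original post. It is a PowerShell script using the RSAT ActiveDirectory module's AD: drive (the same security descriptors dsacls reads), which resolves the ObjectType GUIDs in each ACE against the schema and the Extended-Rights container so that "Reset Password" or "lockoutTime" show up by name instead of as a GUID. The OU name `OU=Corp,DC=example,DC=com` is a placeholder; it assumes a domain-joined workstation with RSAT and an account allowed to read the security descriptors of the objects in scope.

```powershell
# Added example, not from the original post: roll up explicit (non-inherited) Allow ACEs
# under an OU subtree by trustee and by the task each ACE grants.
# Assumes RSAT ActiveDirectory module and read access to the objects' security descriptors.
Import-Module ActiveDirectory

# Hypothetical search base; replace with the OU (or domain root) you want to audit.
$SearchBase = 'OU=Corp,DC=example,DC=com'

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# GUID -> readable name, so ObjectType GUIDs in ACEs become attribute, class or
# extended-right names (e.g. 'Reset Password', 'member', 'lockoutTime', 'user').
$guidMap = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
             -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

# Walk every object under the search base and collect the ACEs that were set explicitly there.
# Inherited ACEs are skipped so each delegation is reported once, on the object it was applied to.
$aces = foreach ($obj in Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter *) {
    $acl = Get-Acl -LiteralPath ("AD:\" + $obj.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited -or $ace.AccessControlType -ne 'Allow') { continue }
        $target = if ($ace.ObjectType -eq [guid]::Empty) { '(all attributes/classes)' }
                  elseif ($guidMap.ContainsKey($ace.ObjectType)) { $guidMap[$ace.ObjectType] }
                  else { $ace.ObjectType.ToString() }
        [pscustomobject]@{
            Object  = $obj.DistinguishedName
            Trustee = $ace.IdentityReference.Value
            Rights  = $ace.ActiveDirectoryRights.ToString()
            Target  = $target
        }
    }
}

# Map the manager's questions onto rights + target. GenericAll and a blank ObjectType
# cover the task too, which is why they are matched alongside the specific right.
$tasks = [ordered]@{
    'Reset passwords'         = { ($_.Rights -match 'ExtendedRight|GenericAll') -and ($_.Target -in 'Reset Password', '(all attributes/classes)') }
    'Unlock accounts'         = { ($_.Rights -match 'WriteProperty|GenericAll|GenericWrite') -and ($_.Target -in 'lockoutTime', '(all attributes/classes)') }
    'Change group membership' = { ($_.Rights -match 'WriteProperty|GenericAll|GenericWrite') -and ($_.Target -in 'member', '(all attributes/classes)') }
    'Create user accounts'    = { ($_.Rights -match 'CreateChild|GenericAll') -and ($_.Target -in 'user', '(all attributes/classes)') }
    'Delete OUs'              = { ($_.Rights -match 'DeleteChild|DeleteTree|GenericAll') -and ($_.Target -in 'organizationalUnit', '(all attributes/classes)') }
}

$summary = foreach ($taskName in $tasks.Keys) {
    $matching = $aces | Where-Object $tasks[$taskName]
    foreach ($trustee in ($matching | Select-Object -ExpandProperty Trustee -Unique | Sort-Object)) {
        # Trustees are usually groups; expand them so the count is people, not group names.
        $sam = $trustee.Split('\')[-1]
        $members = try { (Get-ADGroupMember -Identity $sam -Recursive -ErrorAction Stop).SamAccountName }
                   catch { @($sam) }   # not a group (a user, or a well-known SID) -> count it as one principal
        [pscustomobject]@{
            Task      = $taskName
            Trustee   = $trustee
            Where     = ($matching | Where-Object Trustee -eq $trustee | Select-Object -ExpandProperty Object -Unique) -join '; '
            Principals = ($members | Sort-Object -Unique).Count
        }
    }
}

$summary | Format-Table Task, Trustee, Principals, Where -AutoSize -Wrap
$summary | Export-Csv -NoTypeInformation -Path .\ad-delegation-audit.csv
```

Two caveats when reading the output. First, skipping inherited ACEs means a delegation set on the domain head (or on a parent OU outside `$SearchBase`) will not appear unless you point `$SearchBase` at that container, so run it against the domain root once to catch domain-wide grants and the default ACEs that give built-in groups such as Account Operators their rights. Second, the script reports what the directory allows, not what anyone has actually done; it is the documentation the post asks for, not an activity log.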