How to Audit Active Directory Group Memberships

Hello,

In today’s short post, Part 3 of How to Perform Simple Active Directory Audits, we’ll take a quick look at how IT administrators, IT managers, and IT and cyber security auditors can easily and instantly audit and enumerate the complete membership of any domain (Active Directory) security group, no matter how large its membership or how deeply it is nested.

Domain Security Groups / Active Directory Group Memberships

As you may know, ever since Active Directory was introduced back in 2000, virtually all of the security groups used to provision access to an organization’s IT resources across the network (e.g. files and folders stored and shared on servers) have been domain security groups that are stored and protected in Active Directory.

Perhaps the most familiar Active Directory security groups are the default groups that exist in every Active Directory domain, such as, but not limited to, Enterprise Admins, Domain Admins, Schema Admins, Domain Users, Domain Computers and the various other default domain security groups.

However, in addition to these default groups, almost every Active Directory domain contains, depending on the organization’s size, hundreds if not thousands of domain security groups, which are used to provide authorized access to thousands of organizational IT resources stored across the network on domain-joined computers (workstations and servers).

For instance, an organization might have an All Employees group to provision access to various files and folders, or to the company’s internal HR portal. Similarly, there might be an Executives group containing the domain user accounts of all of the company’s executives (CEO, CIO, CFO etc.). Likewise, a group for a special project that many employees are working on, say Project X, could be used to grant read and write access to various resources across the network to the members of that project alone. In this manner, Active Directory domain security groups are used to protect thousands of IT resources across the network.

Group Nesting and Nested Group Memberships

Active Directory lets organizations nest groups within other groups, and many organizations do so to make access easier to manage.

Nested Active Directory Security Groups

For example, an organization may have a group called Full-Time Employees (FTEs), a group called Part-Time Employees (PTEs), and a group called All Employees. Instead of directly adding every member of the FTE group and every member of the PTE group to the All Employees group, the organization can simply make the FTE and PTE groups members of the All Employees group, and in doing so make all employees members of All Employees.

In this manner, when used correctly, group nesting makes access management easier. However, there can be situations where group A is a member of group B, which is in turn a member of group C, and group C is in turn a member of group A. This is called a circular nested group membership, and it can cause difficulties when enumerating the complete membership of group A, B or C, because a naive expansion of the nested groups would never terminate. Incidentally, the process of identifying all the members of a group, including by expanding the memberships of any and all nested groups, is commonly called flattening a group membership.

Organizations often nest domain security groups, and domain security groups can contain a large number of domain user accounts, which makes it difficult to audit the complete flattened membership of a domain security group by hand. Incidentally, in addition to domain user accounts, domain computer accounts and domain service accounts can also be members of domain security groups, and domain security group memberships can span trust relationships.
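To make the flattening and circular-nesting discussion above concrete, here is an added example (written for this post, not code from Paramount Defenses or from the tool it describes) that flattens a nested group membership. The directory is a constructed in-memory stand-in for the `member` attribute that a real audit would read from the domain over LDAP; the group and account names are invented. It expands each group at most once (so circular memberships terminate), reports every cycle it finds, keeps the chain of groups through which each member was reached, and surfaces user, computer and service accounts as well as a member reference it cannot resolve (as happens for a principal from a trusted domain).

```python
"""Flatten a nested Active Directory-style group membership, with cycle handling.

Added example. DIRECTORY is a constructed in-memory stand-in for the `member`
attribute a real audit tool reads over LDAP; it is not a real domain and this
is not Paramount Defenses' tool.
"""

# Constructed sample directory. Each key is an object's name; each value
# records its objectClass and, for groups, its direct members.
DIRECTORY = {
    "All Employees": {"class": "group", "member": ["FTEs", "PTEs", "svc-backup"]},
    "FTEs":          {"class": "group", "member": ["alice", "bob", "Project X", "Helpdesk"]},
    "PTEs":          {"class": "group", "member": ["carol", "WS-042$", "Helpdesk"]},
    # Circular nesting: All Employees -> FTEs -> Project X -> FTEs
    "Project X":     {"class": "group", "member": ["dave", "FTEs", "ext-partner"]},
    # Helpdesk is nested under both FTEs and PTEs (a diamond, not a cycle)
    "Helpdesk":      {"class": "group", "member": ["erin"]},
    "alice":      {"class": "user"},
    "bob":        {"class": "user"},
    "carol":      {"class": "user"},
    "dave":       {"class": "user"},
    "erin":       {"class": "user"},
    "svc-backup": {"class": "user"},       # a service account
    "WS-042$":    {"class": "computer"},   # a domain computer account
    # "ext-partner" is deliberately absent: a member from a trusted domain
    # that this snapshot cannot resolve.
}


def flatten_group(directory, root):
    """Return (members, cycles) for the group `root`.

    members maps each non-group member to its objectClass and the chain of
    groups through which it was first reached; cycles lists every chain of
    groups that loops back on itself. Each group is expanded at most once,
    so the walk terminates even when memberships are circular.
    """
    if directory.get(root, {}).get("class") != "group":
        raise ValueError(f"{root!r} is not a group")

    members, cycles, expanded = {}, [], set()

    def expand(group, chain):
        expanded.add(group)
        for name in directory[group].get("member", []):
            entry = directory.get(name)
            if entry is None:
                # Reference we cannot resolve (e.g. a foreign security principal
                # across a trust): report it rather than silently dropping it.
                members.setdefault(name, {"class": "unresolved", "via": chain})
            elif entry["class"] == "group":
                if name in chain:
                    cycles.append(chain + [name])   # circular nesting: record, do not recurse
                elif name not in expanded:
                    expand(name, chain + [name])
                # else: already flattened via another chain, nothing new to add
            else:
                members.setdefault(name, {"class": entry["class"], "via": chain})

    expand(root, [root])
    return members, cycles


def membership_report(directory, root):
    """Render the flattened membership as text lines for a reviewer."""
    members, cycles = flatten_group(directory, root)
    lines = [f"Flattened membership of {root!r}: {len(members)} member(s)"]
    for name in sorted(members):
        info = members[name]
        lines.append(f"  {name:<12} {info['class']:<10} via {' > '.join(info['via'])}")
    for cycle in cycles:
        lines.append("  WARNING circular nesting: " + " > ".join(cycle))
    return lines


if __name__ == "__main__":
    print("\n".join(membership_report(DIRECTORY, "All Employees")))
```

Running it lists eight members of All Employees, shows that erin is counted once even though Helpdesk is reachable through both FTEs and PTEs, flags ext-partner as unresolved rather than dropping it, and prints one circular-nesting warning for the FTEs > Project X > FTEs loop. Against a real domain the same walk would be driven by the group objects' `member` attribute, and unresolved entries are exactly the cross-trust memberships worth a second look.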

 

How to Easily Audit Active Directory Security Groups

For various reasons, such as to manage access, to provision access, to verify provisioned access, to troubleshoot access-denied issues, to demonstrate regulatory compliance etc., organizational IT personnel often have a need to be able to audit Active Directory domain security groups.

To accomplish this objective, some IT personnel rely on manually determining the membership of a domain security group, such as by viewing and analyzing the group’s membership in Active Directory Users and Computers (ADUC), while others write PowerShell scripts to do the same. The challenge with PowerShell scripts is that their accuracy depends on the expertise of whoever wrote them, and if someone were to accidentally change them, they could deliver inaccurate results. Thus, it is best to be able to rely on a dedicated tool that is tamper-proof and that is developed by experts who understand all the intricacies involved.

With that in mind, at Paramount Defenses, based on many customer requests, we built what we believe is the world’s simplest and yet most capable Active Directory Group Membership Audit Tool, one that can enumerate the complete membership of any domain security group, no matter how deeply it may be nested, whether it contains circular memberships, whether it includes dynamic groups whose memberships need to be evaluated in real time, or whether you wish to audit the list of all domain security groups to which a user’s domain account belongs –

Active Directory Group Membership Audit Tool

Here’s a very quick and simple demo of our Group Membership Audit Tool, which today is used worldwide by so many organizations to audit Active Directory group memberships –

If you can click a button, you can now audit the complete, nested membership of any and every domain security group in Active Directory, whether it is a domain local group, a global group, a universal group or a well-known group, as well as the complete list of all domain security groups to which a user’s domain user account belongs.

We believe that enumerating and auditing Active Directory domain security group memberships does not get any easier than this – all you have to do is click a button. You can also export the group membership results to a CSV file as well as generate a customized professional-grade PDF report, complete with a custom title, logo, header, description, footer, password protection etc.

In short, this tool enables and empowers everyone to be able to easily, instantly and professionally enumerate domain security groups in Active Directory, on-demand, at the touch of a button.

Lastly, the tool was built not only with security in mind, and is thus designed to set the bar for trustworthiness, but also with ease of use and deployment in mind: it can be downloaded, installed and run in under 2 minutes, without requiring any administrative privilege. For more info, please check out its page – Active Directory Group Membership Audit Tool.

For Advanced Users

Advanced users will appreciate that while it is important to be able to audit the complete membership of any specific Active Directory domain security group, it is equally (if not more) important to be able to accurately audit exactly who can change the membership of every such group in Active Directory, because anyone who can change a group’s membership can instantly obtain access to everything that group has access to.

For example, consider the Domain Admins security group. While most organizations audit the membership of the Domain Admins security group, and do so frequently, hardly any also audit exactly who can change the membership of the Domain Admins group, even though anyone who can do so is as powerful as the Domain Admins themselves.

In fact, auditing who can change an Active Directory domain security group’s membership is a very difficult task, because the only way to correctly make this determination is to accurately determine effective permissions/access on that domain security group’s object in Active Directory, and it is very difficult to accurately calculate effective permissions in Active Directory.

Those who don’t know enough about Active Directory may errantly assume that they could simply write a PowerShell script to accurately determine effective permissions in Active Directory, but those who actually know Active Directory security well will tell you that it is very difficult to write any PowerShell script that can accurately determine effective permissions in any Active Directory domain/forest. As a result, it remains extremely difficult for organizations to fulfill this paramount need.

Fortunately, our advanced tooling, i.e. our Active Directory Effective Permissions Calculator, uniquely empowers organizations worldwide to easily find out exactly who can change the membership of any domain security group in their Active Directory. It is architected by a former Microsoft Program Manager for Active Directory Security and endorsed by Microsoft.

Got thousands of groups? No problem. Our unique and unrivaled Active Directory Administrative Access and Delegation Audit Tool can automatically determine effective permissions/access on thousands of Active Directory security groups in an entire domain, at the touch of a single button, revealing within minutes exactly who can change which domain security group, and how, so that organizations can, for the first time ever, actually know exactly who can change which domain security group, and how.

We believe that all organizations that operate on Active Directory must know at all times not only who the members of all their domain security groups are, but equally and perhaps more importantly, exactly who can change the membership of every single one of those groups. Together, our basic and advanced tooling empowers organizations worldwide to accomplish both these objectives with equal ease.

Should you wish to learn more about the unique and innovative features of our basic and advanced Active Directory audit tools, here’s a good starting point – Gold Finger.

Best wishes,

PD Staff.