Active Directory Effective Access Auditor
Instantly and accurately audit Active Directory effective access on individual Active Directory objects, at the touch of a button.
Active Directory Effective Access Auditor
Overview
Organizations have an essential cyber security need to be able to accurately* assess effective access on Active Directory objects to identify, secure and lockdown privileged accounts and groups in Active Directory, secure Active Directory and demonstrate compliance.
Specifically, they need to be able to -
Assess privileged access on numerous high-value Active Directory objects, such as the Domain Admins group
Secure all Active Directory privileged accounts and groups, and continuously assess and control access to them
Audit privileged access on specific Active Directory objects such as the CFO's account, to demonstrate compliance
Identify which security permissions entitle individuals to possessing specific privileged access in Active Directory
Lockdown security permissions in Active Directory to lockdown excessive privileged access in Active Directory
Active Directory Effective Access Auditor is a specialized audit tool designed by former Microsoft Program Manager for Active Directory Security to help IT groups and personnel easily, instantly and trustworthily fulfill this need.
* Based on accurate effective permissions analysis
Features
Accurate Effective Access Audit
Accurately audit effective access on Active Directory objects
Active Directory Privileged Access Audit
Accurately audit privileged access on AD privileged accounts and groups
Instant, Real-time, Fully-Automated Audit
Automatically determine privileged access on Active Directory objects
Actionable Intelligence
Identify how someone has privileged access on an Active Directory object
One-Button Exports
Easily export audit results for analysis, comparison and archival
Technical Summary
Active Directory Effective Access Auditor automates the accurate determination of effective access on individual Active Directory objects, to help identify exactly who has what privileged access on individual Active Directory objects such as the domain root, the AdminSDHolder object, the Domain Admins security group, the CEO's user account etc.
Benefits
Accurately Audit Effective Access in AD
Accurately audit effective access on Active Directory objects
Audit Privileged Access on an AD object
Find out who has what privileged access on an Active Directory object
Lock-down Privileged Access in AD
Lock-down access by identifying how a user has privileged access in AD
Complete Steps 1, 2 and 3 of your PAM Journey
Accurately identify privileged users in AD, secure them and control access
Demonstrate Regulatory Compliance
Correctly demonstrate compliance concerning privileged access in AD
Mission-critical Active Directory Privileged Access Insights
Active Directory Effective Access Auditor can instantly and accurately identify -
- Who can run Mimikatz DCSync against your Active Directory?
- Who can modify the ACL protecting the AdminSDHolder object in Active Directory?
- Who can change the membership of any Domain Admins equivalent privileged security group?
- Who can link a malicious GPO to an OU in Active Directory to unleash ransomware domain-wide?
- Who can reset the passwords of privileged, executive and high-value user accounts in Active Directory?
- Who can disable the use of Smartcards for interactive logon on any domain user account in Active Directory?
- Who can create, manage/control and delete accounts, groups and organizational units (OUs) in Active Directory?
- Who can change the membership of any domain security group (e.g. Confidential Access Group) in Active Directory?
- Who can change privileged access in Active Directory to instantly obtain access to millions of organizational IT resources?
- Who can compromise Active Directory integrated applications/services (e.g. Azure Connect) by modifying Active Directory contents?
* If your existing tools merely rely on determining "Who has what permissions in Active Directory," you're likely operating on dangerously inaccurate insights.
Example Reports
The following real-world examples illustrate the Active Directory Effective Access Auditor's unique capabilities -
- Find out exactly who can modify the AdminSDHolder ACL .
- Determine exactly who can reset the password of a Domain Admin's account.
- Find out exactly who can disable the use of Smartcards on domain user accounts, including those of privileged users.
- Find out exactly who can change the membership of the Domain Admins privileged security group in Active Directory.
- Find out exactly who can delete a specific Active Directory privileged user account, computer account or security group.
- Find out exactly who can change the permissions protecting a specific Active Directory privileged user account or group .
- Identify exactly who can delegate or change administrative access on a specific organizational unit in Active Directory.
- Determine exactly who can link/unlink GPOs to a specific OU in Active Directory, such as the Domain Controllers OU.
- Determine exactly who can change the logon hours of a specific Active Directory privileged or executive user's account.
- Determine exactly who modify the keywords on an Active Directory integrated application's service connection points.
Requirements and Licensing
Active Directory Effective Access Auditor can be instantly downloaded, installed and run on any Windows computer. Its use does not require any admin privileges, any changes to or any knowledge of Active Directory.
The tool is licensed on a subscription model, and can be licensed on an annual basis. Its capabilities can also be availed of as a service, and its Top-10 reports are also available in our unique Gold Finger Mini solution.
Our Global Customers