How Can I Find Out Where an AD Security Group Is Used to Authorize Access Via Windows Security

  • Question

  • I think I know the answer, but I'm going to ask the question anyway...

    Like most organizations, we have a mess of AD security groups.  A lot of the groups are Mail Enabled.  We suspect that most of the mail enabled groups were created as surrogate Distribution Lists.  What we are trying to determine is which of the mail enabled groups is used to authenticate its members into other applications (e.g. I have users authorized into SQL Server Reporting based on membership in Group X).  To complete the "fun" it is also possible that external apps authorize users via SSO/ADFS based on group membership.

    Alternatively, is there any way that I can set up a "trigger" that will capture when an authorization request is made based on group membership (or does anything like that exist in system logs)?

    I suspect the answer is "can't be done", but thought I'd ask, just to be sure.

    Thanks for any information.

    John

    Friday, March 17, 2017 5:35 PM