Active Directory users privileges

  • Question

  • I want a list that contains each user in Active Directory with their access rights / privileges. Is there any way to do that? Please give me an answer.
    Monday, March 6, 2017 11:36 AM

Answers

  • Short answer: not really any simple, quick one liner we can give you to do your homework for you on this one. 

    For a list of admin ID's, the closest you'll get with PowerShell is an AD query based on specific group names you'd have to provide so you can check their memberships.   Since you didn't paste everything, we don't actually know what "the above mentioned applications along with their access right privileges" actually means. 

    For evidence of periodic review of access logs part, that sounds like a security auditor asking to see some paperwork or documentation on your part that someone is reviewing your event logs.  That's not something that would even be stored on a computer (in the situation I'm thinking of), so you'll have to pull out your binder for that one. 

    Evidence of the review of user access rights: same thing as the access log thing. That's probably referencing some user in briefing paperwork saying what they should have access to. Assuming you documented your security groups in some way, I suppose you could do an AD query for the MemberOf property for each user. 

    Those screenshots they're asking for are almost all going to be found in the Group Policy Management Console. You can get a lot of that information out of PowerShell, but I can almost guarantee that if you're in the middle of a security inspection, what they really want to see is GPMC.  


    Monday, March 6, 2017 3:34 PM
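    An added example of the group-membership query described in this answer (not code from the thread); it assumes the ActiveDirectory module (RSAT) in a domain-joined session, and the group list is a placeholder you would extend with your own delegated admin groups:

```powershell
# Added example: enumerate members of the built-in privileged groups and dump
# the domain password settings for an access review.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

# Privileged groups to review; extend with your own delegated admin groups.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are not missed
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                            -Properties LastLogonDate, Enabled, PasswordLastSet
            [pscustomobject]@{
                Group           = $group
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
            }
        }
}

# Export for the auditor; disabled or long-idle admin accounts are the first
# thing to review.
$report | Sort-Object Group, SamAccountName |
    Export-Csv -Path .\PrivilegedAccounts.csv -NoTypeInformation

# Domain-wide password settings matching the checklist items in the question
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, MinPasswordAge, LockoutThreshold,
                  LockoutDuration, LockoutObservationWindow

# Fine-grained password policies override the default for the objects they
# apply to, so list them as well.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, AppliesTo, MinPasswordLength, LockoutThreshold
```

    Idle-time logout and concurrent-session limits are not domain password policy settings, so they still have to be read from the relevant GPO or application.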
  • Permissions are assigned by the system and are not assigned or stored in AD. YOU have to pick an object and query it for the permissions set on it. In most cases permissions are assigned by the system or to a group.

    If you mean permissions delegated on AD objects then users are not delegated so you will not normally find anything by user. You can use get effective permissions to test a user against an object in the file system and AD.


    \_(ツ)_/

    Monday, March 6, 2017 6:32 PM
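    An added example of "pick an object and query it for the permissions set on it" (not code from the thread): it reads the ACL of one AD object through the AD: drive that the ActiveDirectory module provides, keeps only the explicitly delegated (non-inherited) entries, and can filter them to one principal. The function name and the principal 'CONTOSO\helpdesk' are placeholders.

```powershell
# Added example: list explicit (non-inherited) ACEs on an AD object, optionally
# for a single principal. Assumes the ActiveDirectory module (AD: drive).
Import-Module ActiveDirectory

function Get-ADObjectDelegation {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [string] $Principal   # e.g. 'CONTOSO\helpdesk'; omit to list every principal
    )
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    $acl.Access |
        # Inherited entries come from the parent; delegation shows up as explicit ACEs
        Where-Object { -not $_.IsInherited } |
        Where-Object { -not $Principal -or $_.IdentityReference.Value -eq $Principal } |
        # ObjectType is the GUID of the attribute/extended right the ACE applies
        # to; an all-zero GUID means the right applies to the whole object.
        Select-Object @{n='Object';    e={ $DistinguishedName }},
                      @{n='Principal'; e={ $_.IdentityReference.Value }},
                      ActiveDirectoryRights, AccessControlType,
                      ObjectType, InheritanceType
}

# Explicit entries on the Users container of the current domain
$domainDN = (Get-ADDomain).DistinguishedName
Get-ADObjectDelegation -DistinguishedName "CN=Users,$domainDN" | Format-Table -AutoSize

# Walk every OU to find where one principal has been delegated anything
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object {
        Get-ADObjectDelegation -DistinguishedName $_.DistinguishedName -Principal 'CONTOSO\helpdesk'
    } | Format-Table -AutoSize
```

    Group membership still has to be expanded separately: an ACE granted to a group applies to every nested member, which is why the answer says you will rarely find anything filed under an individual user.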

All replies

  • Do you mean their group memberships?  If so:

    get-aduser -filter * -Properties MemberOf | FL -Property SamAccountName,MemberOf

    Monday, March 6, 2017 12:38 PM
  • No

    I would like to have a report about all users in AD that contains each user's latest activities and permissions they have


    • Edited by afi123 Monday, March 6, 2017 1:24 PM
    Monday, March 6, 2017 1:24 PM
  • permissions to what?
    Monday, March 6, 2017 1:52 PM
  • A list of critical / super user / administrator IDs for the above mentioned applications along with their access rights / privileges

    Evidence of the periodic review of access logs for critical / super user / administrator IDs for the above mentioned applications

    Evidence of the review of user access rights/ privileges granted for the above mentioned applications and review of their activity logs

    Screenshot of the following password parameter settings for the above mentioned applications (if applicable):

    • Minimum password length controls
    • Change of password upon first logon
    • Unsuccessful logon attempts controls, and related lockout controls (e.g. are locked accounts automatically reset by the application after a certain period of time)
    • Concurrent sessions controls
    • Password composition (e.g. alpha / numeric characters)
    • Password history controls
    • Maximum password age control
    • Minimum password age controls
    • Idle time logout
    Monday, March 6, 2017 1:58 PM
  • Sorry, but this is not the "research and develop a customized solution for me based on a vague specification" forum. (No such forum exists, unfortunately.)

    Please read the following post first, from right at the top of this forum:

    This forum is for scripting questions rather than script requests


    -- Bill Stewart [Bill_Stewart]

    Monday, March 6, 2017 3:42 PM
  • None of this question has anything to do with scripting, per se. It is useless to write code of any kind without a clear specification.

    -- Bill Stewart [Bill_Stewart]

    Monday, March 6, 2017 7:37 PM