Going Deep With Nested Group Audits

It is one of the top three most complex areas of auditing: nested groups! You know, you find a group listed on an access control list, and you ask for the group members. You get back a list of 25 users, but you know there must be more. So you ask for not only the users, but also the groups that have membership in the original group. You get back a listing of 25 users and 10 groups. Now we are getting somewhere!

You ask for the members of those 10 groups and get back a listing of another 50 users. But you know there are still more. So, you ask for the members of all groups within groups within groups, recursively, that have membership in the original group. In the end, you find that there are over 250 users in the original group, either directly placed in the group or through group membership.

Next time, you just ask for the group members recursively, but the administrator looks at you with tired eyes, as she knows how long it took the last time you asked for this level of detail. The reason for the tired eyes is that Microsoft does not provide this capability, a recursive group membership search, in Active Directory Users and Computers. Sure, there are scripts, tools (e.g., PowerShell), and other solutions that you can get from Microsoft to produce this level of group membership, but those solutions will typically only provide you with this one detail.

Instead of wasting your time on such a limited solution, just get ADManager Plus. This ManageEngine solution has this recursive group membership feature built in as well as many, many other reports. Figure 1 illustrates how easy it is to get a listing of users recursively from a single group.


Figure 1. Listing of group members recursively.

As you can clearly see, the Domain Admins and Enterprise Admins groups are members of the Administrators group. This list in Figure 1 shows you all of the users and groups within the main group. You can also see that the tool will allow you to list only the users and only the groups, if you want these reports too.
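The recursive expansion described above, sketched in Python as an added example (not code from the article or from ADManager Plus). It walks a constructed membership export, records the nesting path that grants each user membership, and tolerates circular nesting; every name other than Administrators, Domain Admins and Enterprise Admins is hypothetical, and each group is assumed to appear as a key in the map.

```python
from collections import deque

# Constructed sample: direct members per group, as an export of each group's
# member list might look. Assumption: every group appears as a key, even if
# it is empty; any name that is not a key is treated as a user.
DIRECT_MEMBERS = {
    "Administrators": ["Administrator", "Domain Admins", "Enterprise Admins"],
    "Domain Admins": ["alice", "Tier0 Operators"],
    "Enterprise Admins": ["alice", "bob"],
    "Tier0 Operators": ["carol", "Helpdesk Leads"],
    "Helpdesk Leads": ["dave", "Tier0 Operators"],  # circular nesting
}


def expand_group(root, direct_members):
    """Return (users, groups) reachable from root, each mapped to the
    shortest chain of groups that grants the membership."""
    users, groups = {}, {}
    seen = {root}                      # groups already queued: breaks cycles
    queue = deque([(root, [root])])
    while queue:
        group, path = queue.popleft()
        for member in direct_members.get(group, []):
            if member in direct_members:           # member is a nested group
                if member not in seen:
                    seen.add(member)
                    groups[member] = path + [member]
                    queue.append((member, path + [member]))
            else:
                # Breadth-first order means the first path found is shortest.
                users.setdefault(member, path)
    return users, groups


def report(root, direct_members):
    """One line per effective user: name, direct/nested, granting path."""
    users, _ = expand_group(root, direct_members)
    lines = []
    for user in sorted(users):
        kind = "direct" if len(users[user]) == 1 else "nested"
        lines.append(f"{user:<14} {kind:<7} via {' > '.join(users[user])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report("Administrators", DIRECT_MEMBERS)))
```

The path column is the part a flat recursive listing omits: it shows which nested group has to change to revoke a given user's access.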

 


The original article/video can be found at Going Deep With Nested Group Audits
