I'm currently working in an AD environment that has been poorly documented. In particular, there are a large number of security groups whose usage is unknown.
We initially looked at the last modified attribute, as that at least let us know about groups that were recently modified. To find what they are actually used for does not appear to be a simple task. We have used some other tools such as ShareEnum to check for security groups that are used for share permissions.
To try and simplify the process, I'm wondering if it is possible to audit where specific group membership queries are coming from? We could then investigate those devices etc. individually to see what they use the security group for. Any other suggestions are welcome!
James.

