Thanks Brian, I was hoping you'd chime in.

We might try the ldap path as that should help for devices such as firewall 
appliances etc that use ldap.

James.

From: [email protected] [mailto:[email protected]] On 
Behalf Of Brian Desmond
Sent: Wednesday, 18 December 2013 8:12 AM
To: [email protected]
Subject: [NTSysADM] RE: Auditing AD Security Group usage

No, there's no way to get that data out of AD. Groups are injected into your 
token at logon. The target device then looks at the token you present to do 
AuthZ.

You could turn on LDAP query logging and see if you can catch any LDAP 
integrated apps that do direct queries, but, that's only going to give you a 
slice of the answer and the data won't be real easy to consume.

Thanks,
Brian Desmond
[email protected]

w - 312.625.1438 | c - 312.731.3132
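The LDAP query logging Brian mentions is the NTDS "15 Field Engineering" diagnostic: at level 5 a domain controller writes Event ID 1644 to its Directory Service log for searches that exceed the configured thresholds, and on Windows Server 2012 R2 and later those thresholds can be lowered so that every search is logged. The following is an added PowerShell example, not code from either poster. It enables that logging and then parses 1644 event text to tie client IPs to the group DNs they query. The exact layout of the 1644 message body (a "Client:" line followed by IP:port, a "Filter:" line followed by the LDAP filter) is assumed from the fields the event carries and may differ by OS version, so the sample messages below are constructed and the regexes should be checked against a real event first.

```powershell
# Added example, not part of the original thread. Assumes a DC running
# Windows Server 2012 R2 or later; run Enable-LdapQueryLogging as an admin
# on the DC. The 1644 message layout parsed below is an assumption.

function Enable-LdapQueryLogging {
    param(
        [int]$SearchTimeMs = 1,       # threshold 1 on all three = log every search
        [int]$ExpensiveResults = 1,
        [int]$InefficientResults = 1
    )
    $diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    $parm = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    # Level 5 makes NTDS emit Event ID 1644 for searches crossing the thresholds.
    Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 5 -Type DWord
    Set-ItemProperty -Path $parm -Name 'Search Time Threshold (msecs)' -Value $SearchTimeMs -Type DWord
    Set-ItemProperty -Path $parm -Name 'Expensive Search Results Threshold' -Value $ExpensiveResults -Type DWord
    Set-ItemProperty -Path $parm -Name 'Inefficient Search Results Threshold' -Value $InefficientResults -Type DWord
}

function Disable-LdapQueryLogging {
    # Set the level back to 0 once the capture window is over; level 5 is noisy.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
        -Name '15 Field Engineering' -Value 0 -Type DWord
}

function ConvertFrom-LdapQueryEvent {
    # Extracts client IP, filter, and any group DNs named in member/memberOf
    # clauses from the text of one 1644 event.
    param([Parameter(ValueFromPipeline)][string]$Message)
    process {
        $client = $null
        if ($Message -match 'Client:\s*(\S+)') {
            $raw = $Matches[1]
            # Strip the trailing :port (works for IPv4 and bracketed IPv6).
            $client = if ($raw.Contains(':')) { $raw.Substring(0, $raw.LastIndexOf(':')) } else { $raw }
        }
        $filter = if ($Message -match 'Filter:\s*(.+)') { $Matches[1].Trim() } else { $null }
        $groups = @()
        if ($filter) {
            $groups = [regex]::Matches($filter, '(?i)\(member(?:Of)?=([^)]+)\)') |
                ForEach-Object { $_.Groups[1].Value }
        }
        [pscustomobject]@{ Client = $client; Filter = $filter; Groups = @($groups) }
    }
}

function Get-GroupQuerySources {
    # Summarises which client queried which group, and how often.
    param([string[]]$Messages)
    $Messages | ConvertFrom-LdapQueryEvent |
        Where-Object { $_.Groups.Count -gt 0 } |
        ForEach-Object {
            $c = $_.Client
            $_.Groups | ForEach-Object { [pscustomobject]@{ Group = $_; Client = $c } }
        } |
        Group-Object Group, Client |
        Select-Object @{n='Group';e={$_.Group[0].Group}}, @{n='Client';e={$_.Group[0].Client}}, Count |
        Sort-Object Group, Client
}

# Constructed sample 1644 message bodies (not captured from a real DC).
$msg1 = @"
Internal event: A client issued a search operation with the following options.

Client:
10.1.2.3:49822
Starting node:
DC=example,DC=local
Filter:
 (&(objectClass=user)(memberOf=CN=VPN-Users,OU=Groups,DC=example,DC=local))
Search scope:
subtree
"@
$msg2 = @"
Internal event: A client issued a search operation with the following options.

Client:
10.1.2.9:50011
Starting node:
DC=example,DC=local
Filter:
 (member=CN=VPN-Users,OU=Groups,DC=example,DC=local)
Search scope:
base
"@

Get-GroupQuerySources -Messages @($msg1, $msg2) | Format-Table -AutoSize

# Against a live DC, feed the real events instead:
# Get-GroupQuerySources -Messages (Get-WinEvent -LogName 'Directory Service' `
#     -FilterXPath '*[System[EventID=1644]]' | Select-Object -ExpandProperty Message)
```

As Brian notes, this only surfaces applications that query LDAP directly for group membership; devices that evaluate the group SIDs in a presented Kerberos or NTLM token never issue such a search, so an empty result for a group does not mean it is unused. Run the capture on every DC the clients can reach, since each DC logs only the searches it served.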

From: [email protected] [mailto:[email protected]] On Behalf Of James Hill
Sent: Tuesday, December 17, 2013 3:59 PM
To: [email protected]
Subject: [NTSysADM] Auditing AD Security Group usage

I'm currently working in an AD environment that has been poorly documented.  In 
particular there are a large number of security groups whose usage is unknown.

We initially looked at the last modified attribute as that at least let us know 
about groups that are recently modified.  To find what they are actually used 
for does not appear to be a simple task.  We have used some other tools such as 
shareenum to check for security groups that are used for share permissions.

To try and simplify the process I'm wondering if it is possible to audit where 
specific group membership queries are coming from?  We could then investigate 
those devices etc individually to see what they use the security group for.

Any other suggestions are welcome!

James.
