Is anyone collecting Active Directory admin-type permissions, such as ActiveDirectoryRights on Inherited Object types/Object types?
We are looking at collecting this data and my AD team has provided data that is leading us down the path of concatenating fields to create entitlements as follows:
Resource: OU || InheritedObjectType || Object Type
Action: ActiveDirectoryRights || AccessControlType
Is anyone doing this already and following a similar approach? Are there other approaches? I'm not overly confident that this is the best approach with all the concatenation, and I wouldn't be in a good position to enable access request processes.
Also, any suggestions on what tool could be used to extract ACL permissions from AD Domain Controllers?
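The concatenation scheme described in the post, as an added example that is not part of the original post: it builds the Resource and Action strings from exported ACE rows, resolving GUIDs and sorting the rights flags so equivalent ACEs produce the same entitlement. The CSV layout, the IdentityReference column, the domain and group names, the partial GUID table, and the `*` and `+` conventions are assumptions made for this example.

```python
import csv
import io

ALL_TYPES = "00000000-0000-0000-0000-000000000000"  # empty GUID: ACE not scoped to one type

# Partial GUID-to-name table for this example only; a complete one is built from the
# forest's schema (schemaIDGUID) and extended rights (rightsGuid).
GUID_NAMES = {
    "bf967aba-0de6-11d0-a285-00aa003049e2": "user",
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
}

# Constructed sample export (assumed layout, one row per ACE).
SAMPLE_CSV = r'''OU,IdentityReference,ActiveDirectoryRights,AccessControlType,ObjectType,InheritedObjectType
"OU=Helpdesk,DC=example,DC=com",EXAMPLE\Helpdesk-Admins,ExtendedRight,Allow,00299570-246d-11d0-a768-00aa006e0529,bf967aba-0de6-11d0-a285-00aa003049e2
"OU=Helpdesk,DC=example,DC=com",EXAMPLE\Helpdesk-Admins,"ReadProperty, WriteProperty",Allow,00000000-0000-0000-0000-000000000000,bf967aba-0de6-11d0-a285-00aa003049e2
"OU=Helpdesk,DC=example,DC=com",EXAMPLE\Tier1-Operators,"WriteProperty, ReadProperty",Allow,00000000-0000-0000-0000-000000000000,BF967ABA-0DE6-11D0-A285-00AA003049E2
"OU=Helpdesk,DC=example,DC=com",EXAMPLE\Contractors,WriteProperty,Deny,00000000-0000-0000-0000-000000000000,bf967aba-0de6-11d0-a285-00aa003049e2
'''


def guid_name(guid):
    """Resolve a GUID to a readable name; '*' means the ACE covers all types."""
    guid = guid.strip().lower()
    if guid == ALL_TYPES:
        return "*"
    return GUID_NAMES.get(guid, guid)  # keep the raw GUID when it is not in the table


def normalize_rights(rights):
    """ActiveDirectoryRights is a flags value exported as 'A, B'; sort it for a stable key."""
    return "+".join(sorted(flag.strip() for flag in rights.split(",") if flag.strip()))


def entitlements(csv_text):
    """Map (resource, action) entitlement strings to the set of trustees holding them."""
    grants = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        resource = " || ".join(
            [row["OU"], guid_name(row["InheritedObjectType"]), guid_name(row["ObjectType"])]
        )
        action = " || ".join(
            [normalize_rights(row["ActiveDirectoryRights"]), row["AccessControlType"]]
        )
        grants.setdefault((resource, action), set()).add(row["IdentityReference"])
    return grants


if __name__ == "__main__":
    for (resource, action), trustees in sorted(entitlements(SAMPLE_CSV).items()):
        print(resource, "|", action, "|", sorted(trustees))
```

The second and third rows differ only in flag order and GUID casing, so they collapse into one entitlement with two trustees, while the Deny row stays separate from the Allow entries.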