AnsweredAssumed Answered

Active Directory Permissions

Question asked by William May on Feb 27, 2018

Is anyone collecting Active Directory admin type permissions, such as ActiveDirectoryRights on Inherited Object types/Object types?

 

We are looking at collecting this data and my AD team has provided data that is leading us down the path of concatenating fields to create entitlements as follows:

Resource: OU || InheritedObjectType || Object Type

Action: ActiveDirectoryRights || AccessControlType

 

Is anyone doing this already and following a similar approach? Are there other approaches? I'm not overly confident that this is the best approach with all the concatenation, and I wouldn't be in a good position to enable access request processes.

 

Also, any suggestions on what tool could be used to extract ACL permissions from AD Domain Controllers?

Outcomes