Auditing and Reversing Active Directory Permission Changes using Lepide Active Directory Auditor

by Danny Murphy

A critical part of developing a secure Active Directory environment is regularly auditing permission changes. Delegating privileges to users is simple, but auditing permission changes can be much more difficult, especially when relying on native auditing methods. Continuous auditing is important because it gives IT teams insight into who is attempting to subvert their security policies, potentially preventing a security attack. Any changes in permissions should be made apparent to administrators in real time. An important part of maintaining a Policy of Least Privilege is reversing unwanted permission changes, but doing this natively is extremely difficult. Here’s how Lepide Active Directory Auditor (part of Lepide Data Security Platform) can help you simplify permission change auditing in Active Directory and give you a way to reverse unwanted permission modifications.


Permission Tracking with Lepide Active Directory Auditor

IT administrators occasionally need to determine all permissions on a particular object as quickly as possible. Relying solely on native auditing to do this can be a time-consuming and painful process. Lepide AD Auditor provides a dedicated report for changes in Object Permissions, which can be generated in a matter of clicks (see below).

Figure 1: Permission Modifications

The above permission modification report provides ‘who, when, what, and where’ details for every permission modified in the system. With this solution, there is no need to trawl through multiple events for a single object in order to work out which modification was the most recent. Simply start the solution, go to “Audit Reports” and look for “Permission Modifications.” Here, you can find numerous reports that help you completely understand permission changes to your objects.

Historical Permission Analysis

Lepide Active Directory Auditor displays the historical permission changes made to Active Directory objects, an example of which can be seen below:

Figure 2: Permission History Report

Switch to the “Compare Permission” tab to compare the permission changes of the selected object between two intervals.

Figure 3: Compare Permission Report

These reports can be saved in PDF, MHT and CSV formats.

Other Permission Auditing Reports

  • Permission of an Object – shows the list of effective permissions held by the objects.
  • All Permission to an Object – lists the permissions to an object given by different objects.
  • Permission Comparison of an Object – shows the comparison of object permissions between two dates.
  • Permission Modifications – shows all the modified permissions.
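To make the permission comparison between two dates concrete, here is an added example (not Lepide's code and not part of the original article) that diffs two ACL snapshots of one object and lists newly granted control rights for review. The snapshots are constructed sample data using the column names produced by `(Get-Acl "AD:\<DN>").Access | Export-Csv`; the principals and the trusted set are hypothetical.

```python
import csv
import io

# Constructed sample data: one object's ACL on two dates, using property
# names of ActiveDirectoryAccessRule. Principals are hypothetical.
BEFORE_CSV = r"""IdentityReference,ActiveDirectoryRights,AccessControlType,IsInherited
CORP\Domain Admins,GenericAll,Allow,False
CORP\HelpDesk,"ReadProperty, WriteProperty",Allow,False
NT AUTHORITY\Authenticated Users,GenericRead,Allow,True
"""
AFTER_CSV = r"""IdentityReference,ActiveDirectoryRights,AccessControlType,IsInherited
CORP\Domain Admins,GenericAll,Allow,False
CORP\HelpDesk,"ReadProperty, WriteProperty, WriteDacl",Allow,False
CORP\jdoe,GenericAll,Allow,False
"""
# Rights that let the holder take control of the object or rewrite its ACL.
CONTROL_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner"}
TRUSTED = {r"CORP\Domain Admins"}  # assumption: identities expected to hold them

def load_snapshot(text):
    """Map (identity, Allow/Deny, inherited) to the set of individual rights."""
    acl = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["IdentityReference"], row["AccessControlType"], row["IsInherited"])
        rights = {r.strip() for r in row["ActiveDirectoryRights"].split(",")}
        acl.setdefault(key, set()).update(rights)
    return acl

def diff_snapshots(before, after):
    """Return sorted (change, identity, access_type, right) tuples."""
    changes = []
    for key in before.keys() | after.keys():
        old, new = before.get(key, set()), after.get(key, set())
        changes += [("granted", key[0], key[1], r) for r in new - old]
        changes += [("revoked", key[0], key[1], r) for r in old - new]
    return sorted(changes)

def needs_review(changes, trusted=TRUSTED):
    """Control rights newly allowed to an identity outside the trusted set."""
    return [c for c in changes if c[0] == "granted" and c[2] == "Allow"
            and c[3] in CONTROL_RIGHTS and c[1] not in trusted]

if __name__ == "__main__":
    changes = diff_snapshots(load_snapshot(BEFORE_CSV), load_snapshot(AFTER_CSV))
    for change in changes:
        flag = "  <-- review" if change in needs_review(changes) else ""
        print(*change, sep=" | ", end=flag + "\n")
```

Splitting the combined rights string into individual rights is what surfaces the single `WriteDacl` added to an existing entry, which a line-by-line comparison of the two files would show only as a changed row.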

Alert on and Respond to Permission Changes

Lepide AD Auditor sends real-time and threshold-based alerts on all critical changes made in Active Directory, including permission modifications. These alerts can be sent directly to selected users via email, or as notifications to the Lepide Mobile App (for Apple and Android devices).

Beyond alerting, it allows you to execute a script once an alert is triggered. For example, if a non-Administrator user gets administrative privileges, a script can be generated to shut down the computer so that the user is denied access to critical Active Directory objects. This should help you mitigate the risks of a full-blown data leakage incident.

Reverse Unwanted Permission Changes

You may be able to spot unwanted changes using native auditing, but you certainly can’t reverse them. Lepide Active Directory Auditor allows you to restore unwanted changes to their original state in a matter of clicks.

Figure 4: Lepide Object Restore Wizard

If you don’t make proactive Active Directory auditing a critical part of your security strategy, you leave your IT environment at risk. With Lepide Active Directory Auditor by your side, you can ensure your users have the right levels of permissions they need to fulfill their job requirements, and nothing more!
