
Auditing and Reversing Active Directory Permission Changes using LepideAuditor

by Josh Van Cott

A critical part of developing a secure Active Directory environment is regularly auditing permission changes. Delegating privileges to users is simple, but auditing permission changes can be much more difficult, especially when relying on native auditing methods. Continuous auditing is important because it gives IT teams insight into who is attempting to subvert their security policies, potentially preventing a security attack. Any changes in permissions should be made apparent to administrators in real time. An important part of maintaining a Policy of Least Privilege is reversing unwanted permission changes. However, doing this natively is extremely difficult. Here’s how LepideAuditor (an automated change auditing solution) can help you simplify permission change auditing in Active Directory and give you a way to reverse unwanted permission modifications.

Permission Tracking with LepideAuditor

IT Administrators occasionally need to determine all permissions to a particular object as quickly as possible. Relying solely on native auditing to do this can be a time-consuming and painful process. LepideAuditor provides a dedicated report for changes in Object Permissions, which can be generated in a matter of clicks (see below).

Figure 1: LepideAuditor – Permission Modifications

The above permission modification report provides ‘who, when, what, and where’ details for every permission modified in the system. With this solution, there is no need to trawl through multiple events for a single object to work out which modification was the most recent. Simply start the solution, go to “Audit Reports” and look for “Permission Modifications.” Here, you can find numerous reports that help you completely understand permission changes to your objects.

Historical Permission Analysis

LepideAuditor displays the historical permission changes made to Active Directory objects, an example of which can be seen below:

Figure 2: Permission History Report

Switch to the “Compare Permission” tab to compare the permission changes of the selected object between two intervals.

Figure 3: Compare Permission Report

These reports can be saved in PDF, MHT and CSV formats.
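
What comparing an object's permissions between two points in time amounts to at the security-descriptor level, as an added example (not LepideAuditor's code and not part of the original article): it diffs the DACLs of two SDDL snapshots and flags newly added explicit allow ACEs that grant GenericAll, WriteDacl or WriteOwner. The SDDL strings, the SID and the shortlist of risky rights are constructed for illustration.

```python
import re
from typing import NamedTuple

class Ace(NamedTuple):
    type: str          # A=allow, D=deny, OA/OD=object allow/deny
    flags: str         # CI, OI, ID (inherited), ...
    rights: str        # two-letter codes or a 0x... mask
    object_guid: str
    inherit_guid: str
    trustee: str       # SID or SDDL alias (DA, AU, ...)

# Assumption: shortlist of rights that allow taking over the object.
RISKY = {"GA": "GenericAll", "WD": "WriteDacl", "WO": "WriteOwner"}

def codes(field):
    """Split an SDDL flags/rights field into its two-letter codes."""
    if field.startswith("0x"):
        return {field}
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def parse_dacl(sddl):
    """Return the ACEs of the D: (DACL) part only; the S: (SACL) part is ignored."""
    m = re.search(r"D:[A-Z_]*((?:\([^()]*\))+)", sddl)
    if not m:
        return []
    bodies = re.findall(r"\(([^()]*)\)", m.group(1))
    # Conditional ACEs carry a seventh field and are skipped here.
    return [Ace(*b.split(";")) for b in bodies if b.count(";") == 5]

def diff_dacl(before, after):
    """Return (added, removed) ACEs between two SDDL snapshots."""
    old, new = parse_dacl(before), parse_dacl(after)
    return [a for a in new if a not in old], [a for a in old if a not in new]

def risky_grants(aces):
    """Explicit (not inherited) allow ACEs that carry a RISKY right."""
    hits = []
    for a in aces:
        granted = sorted(RISKY[c] for c in codes(a.rights) & set(RISKY))
        if a.type in ("A", "OA") and "ID" not in codes(a.flags) and granted:
            hits.append((a.trustee, granted))
    return hits

# Constructed snapshots of one object's security descriptor (placeholder SID).
U = "S-1-5-21-1111111111-2222222222-3333333333-1105"
BEFORE = f"O:DAG:DAD:AI(D;;WD;;;{U})(A;;GA;;;DA)(A;;RPLCRC;;;AU)(A;CIID;RPWP;;;{U})S:AI(AU;SA;WDWO;;;WD)"
AFTER = f"O:DAG:DAD:AI(A;;GA;;;DA)(A;;RPLCRC;;;AU)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;{U})(A;CIID;RPWP;;;{U})S:AI(AU;SA;WDWO;;;WD)"

if __name__ == "__main__":
    added, removed = diff_dacl(BEFORE, AFTER)
    print("added:", added, "\nremoved:", removed, "\nrisky:", risky_grants(added))
```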

Other Permission Auditing Reports

  • Permission of an Object – shows the list of effective permissions held by the objects.
  • All Permission to an Object – lists the permissions to an object given by different objects.
  • Permission Comparison of an Object – shows the comparison of object permissions between two dates.
  • Permission Modifications – shows all the modified permissions.

Alert on and Respond to Permission Changes

LepideAuditor sends real-time and threshold-based alerts on all critical changes made in Active Directory, including permission modifications. These alerts can be sent directly to selected users via email, or as notifications to the LepideAuditor App (for Apple and Android devices).

Beyond alerting, LepideAuditor allows you to execute a script once an alert is triggered. For example, if a non-Administrator user gets administrative privileges, a script can be generated to shut down the computer so that the user is denied access to critical Active Directory objects. This should help you mitigate the risks of a full-blown data leakage incident.

Reverse Unwanted Permission Changes

You may be able to spot unwanted changes using native auditing, but you certainly can’t reverse them. LepideAuditor allows you to restore unwanted changes to their original state in a matter of clicks.

Figure 4: Lepide Object Restore Wizard

If you don’t make proactive Active Directory auditing a critical part of your security strategy, you leave your IT environment at risk. With LepideAuditor for Active Directory by your side, you can ensure your users have the right levels of permissions they need to fulfil their job requirements, and nothing more!
