Active Directory: How to Detect Who Modified Permissions to an Organizational Unit
Why It is Important
Users can be assigned permissions to modify an OU; for example, a user might be allowed to delete objects or to change their names or security settings. But granting the wrong users the right to change the security settings of objects in an OU can lead to a security breach. For example, a user with such permissions could reset the password of any account and use those credentials to access sensitive data. That is why the right to configure the permission settings of objects in an OU should be carefully monitored and strictly validated.
Native Auditing
1. Run gpedit.msc → Create a new GPO → Edit it: Go to "Computer Configuration" → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy:
- Audit directory service access → Define → Success and Failure.
2. Go to Event Log → Define:
- Maximum security log size to 4GB
- Retention method for security log to "Overwrite events as needed".
3. Link the new GPO to OU: Go to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Choose the GPO that you’ve created.
4. Force the group policy update: In "Group Policy Management" right-click the defined OU → Click "Group Policy Update".
5. Open ADSI Edit → Connect to Default naming context → Right-click domainDNS object with your domain name → Properties → Security → Advanced → Auditing → Add Principal "Everyone" → Type "Success" → Applies to "This object and descendant objects" → Permissions → Select all checkboxes except the following and click "OK":
- Full Control
- List Contents
- Read all properties
- Read permissions.
6. Open Event Viewer → Search the Security log for event ID 5136 (a directory service object was modified). Each such event shows who modified permissions on which OU, together with the security descriptor that was written.
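Instead of reading the 5136 events one by one in Event Viewer, the same check can be scripted. The following PowerShell is an added example, not part of the original article; it assumes the audit settings above are already in place and that it runs with rights to read the Security log on the domain controller named in $ComputerName. It keeps only events where the nTSecurityDescriptor attribute of an organizationalUnit object changed, which is exactly a permission change on an OU.

```powershell
# Added example (not from the original article): report who changed the
# permissions (nTSecurityDescriptor) of an OU, based on Security event 5136.
# Assumptions: the audit policy and SACL from steps 1-5 are configured, and the
# caller can read the Security log on $ComputerName (a domain controller).
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC to query
    [int]$Hours = 24                              # look-back window
)

$filter = @{
    LogName   = 'Security'
    Id        = 5136                              # directory service object modified
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # 5136 stores its details in EventData; read each <Data Name="..."> by name
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated   = $_.TimeCreated
            Subject       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            ObjectDN      = $data['ObjectDN']
            ObjectClass   = $data['ObjectClass']
            Attribute     = $data['AttributeLDAPDisplayName']
            # %%14674 = value added, %%14675 = value deleted; a modify logs a pair
            OperationType = $data['OperationType']
            # for nTSecurityDescriptor the value is the descriptor in SDDL form
            SDDL          = $data['AttributeValue']
        }
    } |
    # keep only security-descriptor changes on OU objects
    Where-Object {
        $_.ObjectClass -eq 'organizationalUnit' -and
        $_.Attribute   -eq 'nTSecurityDescriptor'
    } |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Subject, ObjectDN, OperationType -AutoSize
```

To read the new ACL in plain language rather than SDDL, pipe the SDDL field of an event with OperationType %%14674 through ConvertFrom-SddlString (PowerShell 5.1 and later) and inspect its DiscretionaryAcl property.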
Credits
Originally posted - https://www.netwrix.com/how_to_detect_who_modified_security_permission.html