Wednesday, June 23, 2010

How to find out who is delegated what access in Active Directory / How to determine resultant access in Active Directory

Active Directory is the focal point of administrative delegation for IT management in a Microsoft Windows Server based IT infrastructure and it lets IT administrators delegate administrative tasks with a very high level of precision.



While delegating access in Active Directory is very easy, finding out who is delegated what access in Active Directory is very difficult, time-consuming and error-prone. This is because numerous factors come into play in determining who is delegated what access.

For example, nested groups, inherited versus explicit permissions, effective versus non-effective permissions, allow versus deny permissions etc. all make it very difficult to precisely find out who is delegated what access in Active Directory.

Fortunately, Gold Finger completely automates the entire process of determining resultant access in Active Directory so that IT administrators can instantly and precisely determine who is delegated what access in Active Directory.


In fact, Gold Finger’s automated access assessment capabilities are architected by former Microsoft Program Manager for Active Directory Security and endorsed by Microsoft. It is also the world’s only Active Directory Reporting Tool that can generate 100% accurate security and delegated access reports, and do so at the touch of a button.

For instance, it can instantly determine and reveal exactly who all is delegated the following identity and access management related administrative tasks in Active Directory –
  1. Who all can create domain user accounts, and in which OUs?
  2. Who all can delete which domain user accounts?
  3. Who all can reset the password of which domain user accounts?
  4. Who all can unlock which locked domain user accounts?
  5. Who all can enable which disabled domain user accounts?
  6. Who all can create domain security groups, and in which OUs?
  7. Who all can delete which domain security groups?
  8. Who all can modify the membership of which domain security groups?
  9. Who all can convert which distribution groups into security groups?
  10. Who all can convert which domain local security groups into global groups?
A complete list of all the delegated tasks that it can report on is available here - list of delegated access reports.

These reports are very difficult to generate and in fact it can take up to one hour per Active Directory object to manually generate these reports because one needs to take all the above-mentioned factors into account.

There are many tools that can show you where a user has permissions, but that, in fact, is just the starting point, because you still have to simulate the entire Active Directory access check process on your own to accurately determine who is delegated what access in your Active Directory.
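To illustrate why a raw list of permissions is only the starting point, here is an added example (not Gold Finger's code and not from the original post) that resolves nested groups and evaluates allow/deny and explicit/inherited entries for a single right. The principals, groups, ACL and the right name `reset_password` are constructed, and the model is simplified: one right per entry, no object-type or inherit-only handling.

```python
from collections import namedtuple

# Simplified ACE: kind is "allow" or "deny"; inherited marks ACEs that came from a parent.
Ace = namedtuple("Ace", "kind trustee right inherited")

# Constructed sample data: direct memberships (member -> groups it belongs to).
MEMBER_OF = {
    "alice": {"Helpdesk"},
    "bob": {"Contractors"},
    "carol": {"Helpdesk", "Contractors"},
    "Helpdesk": {"AccountOperatorsEU"},
    "AccountOperatorsEU": {"Helpdesk"},  # circular nesting, must not loop forever
}

# Constructed ACL on one user object, deliberately stored out of order.
ACL = [
    Ace("deny", "Contractors", "reset_password", True),
    Ace("allow", "AccountOperatorsEU", "reset_password", True),
    Ace("allow", "bob", "reset_password", False),
]

def token(principal):
    """Return the principal plus every group reached through nesting."""
    seen, stack = set(), [principal]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(MEMBER_OF.get(p, ()))
    return seen

def canonical(acl):
    """Order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.kind != "deny"))

def has_right(principal, right, acl):
    sids = token(principal)
    for ace in canonical(acl):
        if ace.right == right and ace.trustee in sids:
            return ace.kind == "allow"  # first matching ACE decides a single right
    return False  # no matching ACE: access is implicitly denied

def who_can(right, acl, principals):
    return sorted(p for p in principals if has_right(p, right, acl))

if __name__ == "__main__":
    print(who_can("reset_password", ACL, ["alice", "bob", "carol", "dave"]))
```

In this sample bob keeps the right despite the inherited deny on Contractors, because his explicit allow is evaluated first, while carol loses the right she would otherwise get through Helpdesk.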

With Gold Finger, organizations can not only accurately find out who is delegated what access in their Active Directory but do so instantly. In fact, it can automatically find out who is delegated what access on which objects in an entire Active Directory domain in a single assessment.

For more details, and to download the Gold Finger, please visit the Paramount Defenses website.

Thanks,
PD Staff

Tuesday, May 25, 2010

How to Instantly Generate True Last Logon Security Reports in Active Directory

Do you need to generate True Last-logon reports in your Active Directory?

IT security personnel and IT administrators often have a need, for internal audit or regulatory compliance reporting, to determine the last time a user used their Active Directory domain user account to logon.

For instance, last logon values are required to generate and furnish a list of stale domain user accounts or inactive domain user accounts, or user accounts that were created but have never been used.

It so happens that Active Directory stores the last logon time of a domain user account in a specific attribute on the user object called lastLogon. This attribute however is not replicated but in fact individually updated on each domain controller in the domain.

Thus, in practice, in order to determine a domain user account's true last logon time, IT personnel need to query each DC in the domain for the local lastLogon value on the user's account, then compare each of these values to determine the latest one, and report that as the user's true last logon time.
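The comparison step described above, as an added example (not Gold Finger's code and not from the original post). It assumes the per-DC lastLogon values have already been collected; the account names, DC names, values and the 90-day staleness threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # lastLogon counts 100-ns ticks from here

def from_filetime(ticks):
    return EPOCH + timedelta(microseconds=ticks // 10)

def to_filetime(dt):
    """Helper used only to build the constructed sample values below."""
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample: account -> {DC name: raw lastLogon}. 0 means that DC has never
# authenticated the account; None means the DC could not be queried.
SAMPLE = {
    "jsmith":  {"dc1": to_filetime(utc(2010, 5, 20, 8)), "dc2": to_filetime(utc(2010, 1, 3)), "dc3": 0},
    "oldsvc":  {"dc1": to_filetime(utc(2009, 11, 1)), "dc2": 0, "dc3": to_filetime(utc(2009, 6, 15))},
    "newhire": {"dc1": 0, "dc2": 0, "dc3": 0},
    "mlee":    {"dc1": to_filetime(utc(2009, 12, 1)), "dc2": None, "dc3": 0},
}

def true_last_logon(per_dc):
    """Return (latest logon as datetime or None, True if every DC answered)."""
    answered = [v for v in per_dc.values() if v is not None]
    complete = len(answered) == len(per_dc)
    latest = max(answered, default=0)
    return (from_filetime(latest) if latest else None), complete

def classify(per_dc, now, stale_days=90):
    """Label an account 'never', 'stale' or 'active'; append '?' if a DC was missed."""
    latest, complete = true_last_logon(per_dc)
    if latest is None:
        status = "never"
    elif now - latest > timedelta(days=stale_days):
        status = "stale"
    else:
        status = "active"
    # A missing DC may hold a newer value, so the result is only a lower bound.
    return status if complete else status + "?"

def report(accounts, now):
    return {name: classify(per_dc, now) for name, per_dc in accounts.items()}

if __name__ == "__main__":
    for name, status in report(SAMPLE, utc(2010, 5, 25)).items():
        print(f"{name:8} {status:7} {true_last_logon(SAMPLE[name])[0]}")
```

An account flagged with `?` should not be disabled as stale until the unreachable DC has been queried, since that DC may hold a more recent logon.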


IT personnel thus either need to invest time and effort to write custom scripts to make an accurate determination, or use automated 3rd party tools to generate these reports. Writing and testing custom scripts can take substantial time and be prone to error, and with regard to 3rd party tools, one needs to ensure that they are sufficiently trustworthy (because they are most often run in admin security contexts).

With Gold Finger, the world's only accurate security and access reporting solution for Active Directory, IT personnel can instantly generate numerous true last logon reports that are 100% accurate, and do so for FREE, and have the assurance of using a highly trustworthy Microsoft-endorsed solution.


Gold Finger offers the following True Last Logon based security reports -
  1. All domain user accounts that have logged on in the last few days
  2. All domain user accounts that have not logged on in the last few days
  3. All domain user accounts that have never logged on
  4. All domain user accounts that have logged on at least once
  5. All domain computer accounts that have logged on in the last few days
  6. All domain computer accounts that have not logged on in the last few days
  7. All domain computer accounts that have never logged on
  8. All domain computer accounts that have logged on at least once
To generate these reports, all IT personnel need to do is specify the scope of the report (i.e. a domain, OU, container or an individual user/computer account), press the Gold Finger button and wait for a few seconds.

Gold Finger instantly generates all of these reports and even displays the true last logon times for all user accounts (and in each report.) In Print Mode, multiple reports can be selected, all of which will be instantly generated and delivered in the form of a single easily printable report.

Also, Gold Finger was designed with security in mind and is a highly trustworthy solution. It is 100% developed and supported from within the US, built by proficient developers all of whom are US citizens, architected by former Microsoft Active Directory Security Program Manager and endorsed by Microsoft.

Gold Finger can be installed and deployed in less than 2 minutes, and offers 400 security reports spanning 12 IT management categories, ranging from user account management to Microsoft Exchange and Active Directory ACL management.

To download and install your very own copy of the Gold Finger, please visit http://www.paramountdefenses.com/goldfinger.html.

Best wishes,
PD Staff

Tuesday, April 6, 2010

Introducing Gold Finger v2.5

Folks,
Earlier this month we released v2.5 of our innovative Gold Finger software, featuring numerous enhancements such as 60 new reports including TRUE last logons and Schema management reports, one-button search and report CSV exports and seamless support for Windows 7 clients.


With Gold Finger v2.5, organizations can instantly fulfill their Active Directory based IT security audit and regulatory compliance reporting requirements efficiently, cost-effectively and most importantly, securely.
For instance, organizations can easily generate and print the following reports at the touch of a button -
  1. List of all individuals who can reset someone's password (including the CEO's) and login as them
  2. List of all individuals who can create, delete or modify security group memberships to control access
  3. List of all user and computer accounts, security groups, MS Exchange mailboxes and trusts
  4. List of all accounts, groups and computers that were created, changed or deleted in the last quarter
  5. List of all existing sensitive, managed and unmanaged accounts, groups and computers
  6. List of all accounts and computers that have not been logged on in the last quarter (TRUE last logon)
  7. List of all failed user logon attempts (i.e. bad password attempts) in the last day/week/month/quarter
  8. List of all active, inactive, enabled, disabled, locked, expired and about to expire accounts
  9. List of all managed, unmanaged, nested and unnested, empty and high-membership count groups
  10. List of all currently active, inactive, and OWA enabled and disabled, email accounts
You can now download your own free copy of the Gold Finger at http://www.paramountdefenses.com/goldfinger.html.
Best wishes,
Sanjay

Thursday, March 4, 2010

Installing Gold Finger in under 2-Minutes

Folks,

Gold Finger is built for use by IT admins, Security Analysts, IT Managers, IT Executives and corporate employees who might have a need to generate Active Directory based IT security and access reports for identity and access management.

We thus designed it as a simple client-side Windows executable that can be downloaded and installed on any domain-joined machine in under 2 minutes, and without requiring any domain administrative credentials.

Here's a quick overview of how you can instantly install the Gold Finger -
  1. Download the Gold Finger installation package from our website.
  2. Save the installation package in any folder on your local hard-drive.
  3. Extract the installer (MSI) by unzipping the installation package.
  4. Double-click the Gold Finger MSI to start installation.
  5. The Gold Finger setup screen should be visible.
  6. Click Next. Then the Setup Wizard screen should be visible.
  7. Click Next. Then the License Agreement screen should appear. Take a moment to review the license.
  8. Select I Agree, then Click Next. Then the Customer Information screen should be visible.
  9. Enter your name and your organization's name and click Next. Then the Installation Folder screen should appear.
  10. Click Next. You should then see the Confirm Installation screen.
  11. Click Next. You should then momentarily see the Installing Gold Finger screen.
  12. Upon successful completion, you will have installed Gold Finger.
  13. Click Close.

That's it!
To launch Gold Finger, begin by clicking the Start Menu, then navigate to Programs, then locate the Paramount Defenses folder, and finally click on the Gold Finger link.

In the next few posts, we'll cover how to use Gold Finger to generate security and access reports and to use its inbuilt search capabilities.

Best wishes,
- PD Staff

Tuesday, February 9, 2010

An Overview of the Gold Finger

Gold Finger is an innovative IT security and access analysis and reporting solution for Microsoft Windows Server based IT infrastructures powered by Active Directory.

Architected by former Microsoft Program Manager for Active Directory Security, it was designed to help organizations accurately determine who is delegated what administrative authority (the proverbial "keys to the kingdom") for IT management in their Active Directory deployments.

It delivers on a paramount security need, which is the need to know who is delegated what powerful administrative authority, because a single unauthorized delegated access grant is all that someone needs to completely compromise organizational security.

Its powerful, Microsoft-endorsed, patent-pending access assessment capabilities let organizations instantly and accurately find out who is delegated what administrative tasks in their Active Directory, such as revealing who all can reset the CEO's account's password today.


It also lets organizations fulfill all their essential Active Directory security reporting needs for identity and access management.

At the touch of a button, it can instantly generate 100s of accurate IT security and access reports that are essential for assessing and locking down access, analyzing and maintaining security, performing internal security audits and demonstrating regulatory compliance.

In posts to follow, we will share helpful tips and insight on its powerful capabilities and features and on how organizations can benefit from it to fulfill all their security and access reporting needs.


Thank you and best wishes,
PD Staff

Monday, January 25, 2010

Introducing the Gold Finger Blog

Hi Folks,

I'm Sanjay, CEO of Paramount Defenses (PD), and formerly Program Manager for Active Directory Security on the Windows Server Dev Team at Microsoft.

At PD, a valued Microsoft security partner, we develop innovative security solutions that solve mission-critical yet very difficult security problems.

Our first solution, the Gold Finger, powered by innovative patent-pending technology, is the world's first & only accurate access assessment solution for Microsoft Active Directory.

It helps organizations solve the paramount security problem of determining who has what administrative (God-like) privileges within the organization.

It is my privilege to commission this blog, via which we intend to share insights that could help IT personnel worldwide fulfil their Active Directory related IT security and access reporting, audit and compliance needs, trustworthily.

Over the next few weeks, our specialist team will share valuable and helpful information via this blog, and you can expect to gain helpful, objective and insightful information on the paramount aspect of IT security.

I wish you all the best.

Kind Regards,
Sanjay Tandon


Chief Executive Officer,

Paramount Defenses Inc