There are numerous challenging tasks that IT administrators may face on a daily basis and comparing permission changes made to objects is one of them. However, it doesn’t have to be this way as there is a straightforward solution to this challenge.
Permissions in Active Directory are access privileges that are granted to users and groups that allow them to interact with objects.
In all organizations, but particularly those with complex IT infrastructures, it is crucial to define access control rights with the utmost care and to ensure that the Principle of Least Privilege (PoLP) is adhered to, with users having only the access permissions they need to do their jobs. Doing this mitigates risk and limits the chance of a data breach.
Why Compare Active Directory Permissions?
Once Active Directory permissions are set up, even the smallest change to them can lead to a number of issues, including unauthorized users modifying Active Directory objects to gain access to documents, damaging or removing confidential data, or disclosing sensitive data to undesirable parties. This is why it is crucial to monitor permissions on a regular basis.
However, there are times when, even though you have been monitoring permissions and changes have been kept to a minimum, an anomaly is discovered and you need to compare permissions between two points in time to see exactly where the problem lies.
Can You Compare Permissions in Active Directory Natively?
Historic permissions analysis is not possible using native Active Directory tools, but it can be achieved using the Lepide Data Security Platform.
How to Compare Active Directory Permissions with Lepide
The Lepide Historic Permissions Analysis Reports allow you to list historic permissions for a specified date range and to compare permissions between two dates. These reports can be generated for Active Directory, File Server, and Exchange Server; here we will look at the Active Directory Analysis Report.
Active Directory permission analysis displays the historical changes made to the permissions of Active Directory objects. The Lepide Solution allows you to compare the permissions of these objects between two dates and times. You can also save separate Permission History and Compare Permission reports in PDF, MHT or CSV format.
Here is an example of the Active Directory Analysis Report:
In this report, the dates are both 4/30/2023 but the times are different: 10:31 am and 10:34 am.
The report shows the permissions that have been changed between those times and who has changed them.
Permissions are color coded for clarity and are as follows:
- Green – permissions have been added
- Red – permissions have been removed
- Blue – permissions have been modified
The Active Directory Analysis Report is straightforward to run using the following steps:
- From the Permission and Privileges screen, choose Historic Permissions Analysis, then Active Directory Analysis
- Select a date range and click Generate
- Expand the relevant folder to see Permission History
To see the comparison between two dates:
- Click the Compare Permission tab
- Select the First Date/Time and the Second Date/Time and click Compare
- The permissions comparison data will be displayed
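To make concrete what the Compare Permission view reports, here is an added PowerShell illustration (not Lepide's code and not a substitute for the product) that classifies the difference between two snapshots of one object's ACL as added, removed or modified, matching the report's color legend. The two snapshots, the CONTOSO domain and the trustee names are constructed sample data; the times are the ones used in the report above.

```powershell
# Added illustration: label the differences between two ACL snapshots of one AD object
# the way the Compare Permission view does (added / removed / modified).
# The snapshots below are constructed sample data, not output from Lepide or Get-Acl.

function Compare-AdPermissionSnapshot {
    param(
        [Parameter(Mandatory)] [object[]] $First,   # ACEs at the first date/time
        [Parameter(Mandatory)] [object[]] $Second   # ACEs at the second date/time
    )
    # Key each ACE on trustee + access type so a change in the rights held by the
    # same trustee is reported as "Modified" rather than as a remove plus an add.
    $before = @{}; $after = @{}
    foreach ($ace in $First)  { $before["$($ace.Identity)|$($ace.AccessType)"] = $ace }
    foreach ($ace in $Second) { $after["$($ace.Identity)|$($ace.AccessType)"] = $ace }

    $allKeys = @($before.Keys) + @($after.Keys) | Sort-Object -Unique
    foreach ($key in $allKeys) {
        if (-not $before.ContainsKey($key)) {
            [pscustomobject]@{ Change = 'Added';    Identity = $after[$key].Identity;  Rights = $after[$key].Rights }
        } elseif (-not $after.ContainsKey($key)) {
            [pscustomobject]@{ Change = 'Removed';  Identity = $before[$key].Identity; Rights = $before[$key].Rights }
        } elseif ($before[$key].Rights -ne $after[$key].Rights) {
            [pscustomobject]@{ Change = 'Modified'; Identity = $before[$key].Identity
                               Rights = "$($before[$key].Rights) -> $($after[$key].Rights)" }
        }
        # Unchanged ACEs produce no row, as in the report.
    }
}

# Constructed snapshots of one OU, taken on 4/30/2023 at 10:31 am and 10:34 am.
$snap1031 = @(
    [pscustomobject]@{ Identity = 'CONTOSO\Domain Admins'; AccessType = 'Allow'; Rights = 'GenericAll' }
    [pscustomobject]@{ Identity = 'CONTOSO\HelpDesk';      AccessType = 'Allow'; Rights = 'ReadProperty' }
    [pscustomobject]@{ Identity = 'CONTOSO\Interns';       AccessType = 'Allow'; Rights = 'ReadProperty' }
)
$snap1034 = @(
    [pscustomobject]@{ Identity = 'CONTOSO\Domain Admins'; AccessType = 'Allow'; Rights = 'GenericAll' }
    [pscustomobject]@{ Identity = 'CONTOSO\HelpDesk';      AccessType = 'Allow'; Rights = 'ReadProperty, WriteProperty' }
    [pscustomobject]@{ Identity = 'CONTOSO\jdoe';          AccessType = 'Allow'; Rights = 'GenericAll' }
)

# One row per change: HelpDesk modified, jdoe added, Interns removed.
Compare-AdPermissionSnapshot -First $snap1031 -Second $snap1034 | Format-Table -AutoSize
```

A row such as a newly added GenericAll grant to an individual user account is exactly the kind of change that a regular comparison is meant to surface for review.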