In my previous post, I touched on how you can identify users in AD with elevated rights. Now we need to determine whether those rights are really necessary.
Step 2: Identifying what rights are needed for the job.
I can't begin to tell you how many companies I've talked with that give out Domain Admin rights like candy. I've seen Sr. Admins with it, I've seen Jr. Admins with it, heck, I've seen Help Desk Associates with it. What if I were to tell you that NO ONE really needs it? Bear with me; I'm getting ahead of myself.
Quest's Change Auditor for Active Directory gives you the who, what, when, where, why, and the originating workstation of every action performed in Active Directory. We can use Change Auditor to analyze a user's actions and determine whether the granted rights are actually needed for that user to do their job effectively. For example, a Jr. Administrator may work exclusively in a few OUs and perform only slightly fewer tasks than a Sr. Admin, but in no way do they need the same level of privileges. Change Auditor lets you take the collected data and put together a very specific 'role' of rights for each kind of Admin.
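As an added illustration of that analysis (my own script, not Quest's code): given an exported list of audited actions, it tallies per account what was done, in which OUs, and from which workstations, then turns that into a proposed delegation scope. The CSV column names and the sample rows are assumptions constructed for the example, not Change Auditor's real export schema.

```python
"""Aggregate exported change-audit events into what each admin actually did.
Added example, not Quest's code: assumes a CSV export with the columns below."""
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names are assumed, not Change Auditor's schema.
SAMPLE_EXPORT = """who,what,object_dn,workstation
CORP\\jr.admin,User Password Reset,"CN=Ann Lee,OU=Helpdesk Users,OU=Chicago,DC=corp,DC=example",WS-101
CORP\\jr.admin,User Account Unlocked,"CN=Bob Ray,OU=Helpdesk Users,OU=Chicago,DC=corp,DC=example",WS-101
CORP\\jr.admin,Group Member Added,"CN=Printer Users,OU=Groups,OU=Chicago,DC=corp,DC=example",WS-101
CORP\\jr.admin,User Password Reset,"CN=Cy Fox,OU=Helpdesk Users,OU=Chicago,DC=corp,DC=example",WS-102
CORP\\sr.admin,Computer Object Added,"CN=SRV-07,OU=Servers,OU=Chicago,DC=corp,DC=example",WS-200
CORP\\sr.admin,GPO Linked,"OU=Chicago,DC=corp,DC=example",WS-200
CORP\\sr.admin,Domain Trust Created,"DC=corp,DC=example",WS-200
"""


def delegation_target(dn: str) -> str:
    """Container on which a right would be delegated: the object's parent, unless
    the object is itself an OU or the domain head. Assumes no escaped commas in DNs."""
    if dn.startswith(("OU=", "DC=")):
        return dn
    return dn.split(",", 1)[1]


def summarize_activity(export_text: str) -> dict:
    """Per account: distinct operations, containers touched, originating workstations."""
    acc = defaultdict(lambda: {"operations": set(), "containers": set(), "workstations": set()})
    for row in csv.DictReader(io.StringIO(export_text)):
        entry = acc[row["who"]]
        entry["operations"].add(row["what"])
        entry["containers"].add(delegation_target(row["object_dn"]))
        entry["workstations"].add(row["workstation"])
    return {who: {k: sorted(v) for k, v in d.items()} for who, d in acc.items()}


def propose_scope(summary: dict, who: str, domain_dn: str) -> dict:
    """Turn observed activity into a delegation proposal: which operations to grant,
    on which OUs, and whether any recorded action really touched the domain head
    (the only case in this record that argues for domain-wide rights)."""
    data = summary[who]
    return {
        "grant_operations": data["operations"],
        "grant_on_ous": [c for c in data["containers"] if c != domain_dn],
        "needs_domain_wide": domain_dn in data["containers"],
    }
```

On the sample data the Jr. Admin's whole history fits inside two Chicago OUs, which is the evidence you would bring to the conversation about taking that account out of Domain Admins.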