
Active Directory Audit Checklist

Top-25 Tasks to Audit in Active Directory

Active Directory is the foundation of identity and access management in Microsoft Windows Server based IT infrastructures.

Active Directory also provides the infrastructure to facilitate the delegation of administrative tasks involved in identity and access
management. An effective access audit, a proactive security measure, helps identify who can perform these administrative tasks.

Active Directory Audit Checklist

The following checklist is provided to help organizations determine the identities of all individuals who possess sufficient effective
access to be able to enact the following administrative tasks –

 Note: A proactive access audit helps identify who can enact these tasks in an Active Directory deployment, and thus helps
identify and minimize the number of individuals who possess sufficient privilege to enact these sensitive tasks. The ability to
proactively identify who can perform these tasks, and to minimize this number, results in real and measurable risk reduction.

In contrast, auditing (a reactive security measure) merely helps identify who has already enacted a sensitive administrative
task. It provides after-the-fact information that can help identify a potential security incident. However, it is not a preventative
measure, as it does not prevent the enactment of a sensitive administrative task. Organizations must thus not rely solely on
auditing to protect their Active Directory deployments. They must periodically perform proactive access audits to reduce risk.

 I. User Account Management

Organizations must generate the following effective access audit reports related to user account management tasks –
 1. List of all individuals who can create user accounts
 2. List of all individuals who can delete user accounts
 3. List of all individuals who can reset a user account’s password
 4. List of all individuals who can unexpire an expired user account
 5. List of all individuals who can enable a disabled user account
 6. List of all individuals who can change the smart card requirement for interactive logon for a user account
 7. List of all individuals who can change the logon script of a user account
 8. List of all individuals who can change the security permissions protecting a user account
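The lists above are effective access reports: they must account for nested group membership and for deny entries, not just for the trustee named in each ACE. The following added example (not part of the Paramount Defenses checklist, and not its tooling) models that resolution for a handful of the user account, computer account and security group tasks. The schema and extended-right GUIDs are the real Active Directory values; the principals, group nesting and ACL on the OU are constructed for the example, and the deny handling is a simplification of Windows ACE ordering.

```python
"""Toy effective-access resolver for a few checklist tasks (added example).

Constructed data: a handful of principals, nested group membership and an
ACL expressed the way Active Directory expresses it (rights mask, optional
object-type GUID, allow/deny). Real AD evaluation also walks inheritance
from parent containers and AdminSDHolder-protected objects; this example
evaluates one object's ACL only.
"""
from dataclasses import dataclass
from typing import Optional

# Well-known Active Directory GUIDs (real values from the AD schema).
USER_CLASS     = "bf967aba-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of class 'user'
COMPUTER_CLASS = "bf967a86-0de6-11d0-a285-00aa003049e2"  # class 'computer'
MEMBER_ATTR    = "bf9679c0-0de6-11d0-a285-00aa003049e2"  # attribute 'member'
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # extended right User-Force-Change-Password
ALL_OBJECTS    = None  # an ACE with no object type applies to every child/attribute/right

# Subset of the ActiveDirectoryRights flags used below (same bit values as .NET).
CREATE_CHILD = 0x1
DELETE_CHILD = 0x2
WRITE_PROP   = 0x20
EXTENDED     = 0x100
WRITE_DACL   = 0x40000
GENERIC_ALL  = 0xF01FF  # GenericAll: includes every bit above


@dataclass
class Ace:
    trustee: str                 # user or group the entry applies to
    rights: int                  # ActiveDirectoryRights bitmask
    object_type: Optional[str]   # GUID the right is scoped to, None = unscoped
    allow: bool = True           # False = deny entry


# Checklist task -> (required right bit, GUID the ACE must cover). Simplified:
# an unscoped ACE covers everything, a scoped ACE covers only its own GUID.
TASKS = {
    "create user accounts":                                      (CREATE_CHILD, USER_CLASS),
    "delete user accounts":                                      (DELETE_CHILD, USER_CLASS),
    "reset a user account's password":                           (EXTENDED, RESET_PASSWORD),
    "change the security permissions protecting a user account": (WRITE_DACL, ALL_OBJECTS),
    "create computer accounts":                                  (CREATE_CHILD, COMPUTER_CLASS),
    "change a security group's membership":                      (WRITE_PROP, MEMBER_ATTR),
}

# Constructed directory: group -> direct members (users or groups).
GROUPS = {
    "Domain Admins": ["alice"],
    "Helpdesk": ["bob", "Tier2"],   # Tier2 is nested inside Helpdesk
    "Tier2": ["carol"],
}
PRINCIPALS = ["alice", "bob", "carol", "dave", "erin"]

# Constructed ACL on the OU that holds the user, computer and group objects.
OU_ACL = [
    Ace("Domain Admins", GENERIC_ALL, ALL_OBJECTS),
    Ace("Helpdesk", EXTENDED, RESET_PASSWORD),            # helpdesk may reset passwords
    Ace("Helpdesk", CREATE_CHILD, USER_CLASS),            # ...and create user accounts
    Ace("carol", EXTENDED, RESET_PASSWORD, allow=False),  # explicit deny overrides her group grant
    Ace("dave", WRITE_PROP, MEMBER_ATTR),                 # dave can edit group membership
    Ace("erin", EXTENDED, ALL_OBJECTS),                   # unscoped: every extended right
]


def expand_groups(principal):
    """Return the principal plus every group it belongs to, transitively."""
    tokens = {principal}
    changed = True
    while changed:
        changed = False
        for group, members in GROUPS.items():
            if group not in tokens and tokens & set(members):
                tokens.add(group)
                changed = True
    return tokens


def can_perform(principal, task, acl):
    """True if some matching allow ACE exists and no matching deny ACE does."""
    right, obj = TASKS[task]
    tokens = expand_groups(principal)
    allowed = denied = False
    for ace in acl:
        if ace.trustee not in tokens or not ace.rights & right:
            continue
        if ace.object_type is not None and ace.object_type != obj:
            continue
        if ace.allow:
            allowed = True
        else:
            denied = True
    return allowed and not denied


def who_can(task, acl=OU_ACL, principals=PRINCIPALS):
    """One checklist line: the sorted list of individuals who can enact the task."""
    return sorted(p for p in principals if can_perform(p, task, acl))


def audit_report(acl=OU_ACL, principals=PRINCIPALS):
    """All modelled checklist lines at once."""
    return {task: who_can(task, acl, principals) for task in TASKS}


if __name__ == "__main__":
    for task, people in audit_report().items():
        print(f"Can {task}: {', '.join(people) or '(nobody)'}")
```

Two things the report makes visible that a raw ACE dump does not: carol reaches the Helpdesk grant only through the nested Tier2 group, yet the explicit deny removes her from the reset-password list while leaving her on the create-user list; and erin's unscoped ExtendedRight entry puts her on the reset-password list even though no ACE names that right.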

 II. Computer Account Management

Organizations must generate the following effective access audit reports related to computer account management tasks –
 1. List of all individuals who can create computer accounts
 2. List of all individuals who can delete computer accounts
 3. List of all individuals who can change a computer account’s service principal name(s)
 4. List of all individuals who can change the security permissions protecting a computer account

 III. Security Group Management

Organizations must generate the following effective access audit reports related to security group management tasks –
 1. List of all individuals who can create security groups
 2. List of all individuals who can delete security groups
 3. List of all individuals who can change a security group’s membership
 4. List of all individuals who can change the ability to add/remove oneself from a security group
 5. List of all individuals who can change a security group’s scope
 6. List of all individuals who can change a security group’s type
 7. List of all individuals who can change the security permissions protecting a security group

 IV. Organizational Unit Management

Organizations must generate the following effective access audit reports related to organizational unit management tasks –
 1. List of all individuals who can create organizational units
 2. List of all individuals who can delete organizational units
 3. List of all individuals who can change the list of group policies linked to an organizational unit
 4. List of all individuals who can change the precedence of group policies linked to an organizational unit
 5. List of all individuals who can change the security permissions protecting an organizational unit

 V. Active Directory Schema Management

Organizations should generate the following effective access audit reports related to Schema management tasks –
 1. List of all individuals who can change the security permissions protecting the Schema partition root
 2. List of all individuals who can create Schema classes
 3. List of all individuals who can create Schema attributes
 4. List of all individuals who can delete Schema classes
 5. List of all individuals who can delete Schema attributes
 6. List of all individuals who can modify a Schema class
 7. List of all individuals who can modify a Schema attribute
 8. List of all individuals who can change the security permissions protecting a Schema class
 9. List of all individuals who can change the security permissions protecting a Schema attribute

 VI. Active Directory Configuration Management

Organizations should generate the following effective access audit reports related to Configuration management tasks –
 1. List of all individuals who can change the security permissions protecting the Configuration partition root
 2. List of all individuals who can create sites
 3. List of all individuals who can delete sites
 4. List of all individuals who can change the security permissions protecting a site
 5. List of all individuals who can create subnets
 6. List of all individuals who can delete subnets
 7. List of all individuals who can change the security permissions protecting a subnet
 8. List of all individuals who can create site-links
 9. List of all individuals who can delete site-links
 10. List of all individuals who can change the security permissions protecting a site-link
 11. List of all individuals who can change the list of group policies linked to the Sites container
 12. List of all individuals who can change the precedence of group policies linked to the Sites container
 13. List of all individuals who can change the dsHeuristics attribute of the cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,DC=<forest-root-domain> object
 14. List of all individuals who can change the ldapAdminLimits attribute of the cn=Default Query Policy,cn=Query Policies,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,DC=<forest-root-domain> object
 15. List of all individuals who can change the security permissions protecting all domain partition roots
 16. List of all individuals who can change the list of group policies linked to all domain partitions
 17. List of all individuals who can change the precedence of group policies linked to all domain partitions
 18. List of all individuals who can change the security permissions protecting the default Domain Controllers OU
 19. List of all individuals who can change the list of group policies linked to the default Domain Controllers OU
 20. List of all individuals who can change the precedence of group policies linked to the default Domain Controllers OU
 21. List of all individuals who can change the security permissions protecting the default System container
 22. List of all individuals who can change the security permissions protecting the AdminSDHolder object, cn=AdminSDHolder,cn=System,dc=<domain>
 23. List of all individuals who can create group policies in the Policies container, cn=Policies,cn=System,dc=<domain>
 24. List of all individuals who can change the security permissions protecting the Policies container
 25. List of all individuals who can delete group policies in the Policies container, cn=Policies,cn=System,dc=<domain>
 26. List of all individuals who can change all domain security policies
 27. List of all individuals who can transfer and seize all Flexible Single Master Operations (FSMO) roles

 VII. Administrative Account and Group Management

Organizations must also audit the identities of all individuals who can enact tasks related to the management of administrative accounts and groups. The tasks listed in the user account and group management sections cover these audit requirements.

Paramount Defenses, www.paramountdefenses.com. Copyright Paramount Defenses Inc. All Rights Reserved.

Disclaimer: The information furnished in this document is provided for guidance purposes only and cannot be understood as substituting for authoritative technical information furnished by the pertinent official vendor. Paramount Defenses Inc provides no warranty and makes no representation that the information provided is suitable or appropriate for any situation, and cannot be held liable for any claim or damage of any kind that users of the information furnished in this document may suffer. Reliance upon any information furnished in this document is at your own risk.