
How do you audit changes to delegation in ARS

I can't find any change history that shows when a user was given delegated access to manage a group in AD via ARS.  Is this recorded somewhere? 

  • That is an interesting question. I would look at the following points:
    #1. AT Links explicit. Permissions/Roles/AT links: the ARS Admin will be able to see the Delegation Control (the permission link) on the OU (MU, AD object) itself and therefore the Change History of the Delegation Control.
    #2. Resulting Delegation. On each AD object: the AD Admin can see the resulting cumulative permission hitting the object from all "entry-link" points (OU, MU, explicit).
    #3. Well-known SIDs: Built-in\Primary Owner, Built-in\Secondary Owner, Built-in\SELF (when the SID of the actually authenticated user is not known a priori and is resolved on the fly depending on the object itself). If you see the SID in the resulting permission / AT Links on the AD object (group), then, for example, the Secondary Owner that is set on the AD\group has the rights given by the linked AT.
