
How do you audit changes to delegation in ARS

I can't find any change history that shows when a user was given delegated access to manage a group in AD via ARS.  Is this recorded somewhere? 

  • As Aidar noted, there are two layers to this:

    1) A new member getting added to a trustee group that is allowed to manage groups. This is easy to trap with a workflow that looks for a group membership change.
    2) Creation of a new access template link granting a trustee group the ability to manage groups.

    Below is some sample code to trap the creation of a new access template link.

    (You would need to link this post-create handler to this container: CN=AT Links,CN=Configuration)

    Function OnPostCreate ($Request)
    {
        # Only act on access template link objects; ignore every other object class
        If ($Request.class -ne 'edsACE') { return }

        # Store the initiator of the delegation (both values are filled in by reference)
        $InitiatorSam = $null
        $InitiatorDN  = $null
        $Request.whoami([ref]$InitiatorSam, [ref]$InitiatorDN)

        # Look up the link that was just created and keep the fields that describe the delegation
        Get-QARSAccessTemplateLink -Proxy -Identity $Request.GUID |
            Select-Object directoryobjectdn, trustee, accesstemplate |
            ForEach-Object {
                # Add the initiator info to the details we obtained about the delegation link
                $_ | Add-Member -MemberType NoteProperty -Name Initiator -Value $InitiatorDN

                # Send all the details to a log file
                $_ | Export-Csv "C:\scripting\Detect_Delegation\Delegations_Log.txt" -NoTypeInformation -Append
            }
    }
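As an added example (not code from the original post), the following script reviews the CSV written by a handler like the one above and flags links whose trustee is not on an approved list. The column names match the handler's Select-Object output; the approved trustee DN, the sample rows and the access template DNs are constructed placeholders.

```powershell
# Flag delegation links whose trustee is not on an approved list.
# $Links: objects with directoryobjectdn, trustee, accesstemplate, Initiator
# (the columns the handler writes). Returns one object per unapproved link.
function Find-UnapprovedDelegation {
    param(
        [Parameter(Mandatory)] [object[]] $Links,
        [Parameter(Mandatory)] [string[]] $ApprovedTrustees
    )
    foreach ($link in $Links) {
        # -contains compares strings case-insensitively, which suits AD DNs
        if (-not ($ApprovedTrustees -contains $link.trustee)) {
            [pscustomobject]@{
                Target         = $link.directoryobjectdn
                Trustee        = $link.trustee
                AccessTemplate = $link.accesstemplate
                Initiator      = $link.Initiator
            }
        }
    }
}

# Constructed sample rows in the handler's log format. In use, replace this
# with: Import-Csv 'C:\scripting\Detect_Delegation\Delegations_Log.txt'
$sample = @'
"directoryobjectdn","trustee","accesstemplate","Initiator"
"OU=Groups,DC=example,DC=com","CN=Group Admins,OU=Delegation,DC=example,DC=com","CN=Groups - Modify Membership,CN=Access Templates,CN=Configuration","CN=ARS Admin,OU=Admins,DC=example,DC=com"
"OU=Groups,DC=example,DC=com","CN=jdoe,OU=Users,DC=example,DC=com","CN=Groups - Full Control,CN=Access Templates,CN=Configuration","CN=Helpdesk Lead,OU=Admins,DC=example,DC=com"
'@
$links = $sample | ConvertFrom-Csv

# Placeholder: the trustee groups that are allowed to receive group-management delegations
$approved = @('CN=Group Admins,OU=Delegation,DC=example,DC=com')

# The second sample row (trustee jdoe, a user rather than an approved group) is reported
Find-UnapprovedDelegation -Links $links -ApprovedTrustees $approved | Format-Table -AutoSize
```

The Initiator column tells you who created the link, so each flagged row can be followed up with the person who made the change rather than only with the trustee.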