Ask HN: How to audit all permissions for people in Active Directory

1 points by visiblestorm ↗ HN
I work as a developer in a .NET shop and I was asked to audit all users permissions (permissions directly granted to the user and via groups ...) in Active Directory. I tried to do it with PowerShell but that seem to be very difficult to do and after doing some research that approach is not recommended. I am stuck on this issue and I am new to Active Directory security. I need to do it on the cheap as we cannot buy commercial software. The directory is old and contains over 10000 users. I am considering writing my own .NET application but that might take at least a couple of months to write (i.e. I need to figure out how the security works in Active Directory and how to get all the permissions etc.). Any suggestions on what is the best way to approach this issue? Thank you for your responses in advance.

1 comment

[ 2.5 ms ] story [ 11.0 ms ] thread
Given we only have about 500-1000 users in our AD, but we simply have a basic web based application to display (and manage to some degree) the AD entries. If there is something the web app can't do, but the bosses want to know i just write a small Ruby script to aggregate the data.

Its like directly there and has a understandable API, with a fitting library you dont even need to know the hows. (I know i dont, and i wrote the web application)