
I have a problem that I have been pondering off and on for a while and I want to see if anyone has a better answer:

Is there a way to see where an AD security group is used in an enterprise WITHOUT having to go to every single application/file server?

Research, experience, and my thoughts

My background is in AD security and I get asked this question all the time. My standard answer is "No", it is not possible from a practical standpoint. Technically, anything is possible if you throw enough money and processes at it, but again, I would need to review every app/file structure. Not efficient, not reasonable.

AD is different from your typical app (from the viewpoint of the people I talk to) as it provides authentication and authorization for other applications. Applications refer to AD groups to grant entitlements to users when they log in. Most apps have their roles and identities embedded in the system. Take HR SAP for example: user roles and entitlements are bundled in a single source and I can look at where all those roles are being used. In the case of AD, apps just refer to users and roles. There is no way of telling how many apps are pointing to a single AD group, as that is not logged/captured in the database. This is my usual explanation and I move on with life.

But in the back of my mind, I want to ponder IF there is a possible way to get a better snapshot of what is truly using groups in AD, regardless of the cost of technology. For example, if I crank up the DC logging to full verbose, throw endless CPU cycles at it and forward everything into Splunk, will I find answers there? What about network traffic as a source? But then I guess that would all depend on how the apps make their LDAP calls.

Thoughts anyone?

schroeder
POSH Geek
  • This is a Q&A site and not appropriate for a "brainstorming thread" – schroeder Aug 17 '19 at 15:40
  • The first thing to determine is the access level of the one doing the enumeration. This is very confusing in your setup. As one that is able to "crank up the DC logging to full verbose", you have much greater access to enumerate. So, who is doing this enumeration? – schroeder Aug 17 '19 at 15:43
  • I googled and got: https://blogs.technet.microsoft.com/ashleymcglone/2014/03/17/powershell-to-find-where-your-active-directory-groups-are-used-on-file-shares/ – schroeder Aug 17 '19 at 15:44
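
The file-server side of the question (and the blog post linked in the last comment) can be answered mechanically for NTFS permissions. The script below is an added example written for this page; it is not code from the question, the comments, or the linked blog post. It walks one or more share roots, reads the DACL of every directory, and reports each ACE that names the group. Because an ACL granting a parent group also grants every group nested in it, it first collects the group's transitive `memberOf` chain and matches on all of those names, which is the part a plain ACL grep misses. It assumes a single AD domain, the RSAT ActiveDirectory module, and an account allowed to read the DACLs; the group and share names in the usage line are hypothetical.

```powershell
<#
  Added example, not code from the question or from the linked blog post.
  Assumes: a single AD domain, the RSAT ActiveDirectory module, and an account that can
  read DACLs on the shares. Group and share names below are hypothetical.

  Usage:  .\Find-GroupOnShares.ps1 -GroupName 'Finance-RW' -Root '\\fs01\Finance','\\fs02\Projects'
#>
param(
    [Parameter(Mandatory)][string]$GroupName,   # sAMAccountName of the AD group to trace
    [Parameter(Mandatory)][string[]]$Root,      # UNC paths (or local paths) to scan
    [switch]$IncludeInherited                   # also report inherited ACEs (very noisy; off by default)
)

Import-Module ActiveDirectory -ErrorAction Stop

# An ACL that grants a parent group also grants every group nested in it, so collect the
# group plus everything it is (transitively) a member of. Breadth-first with a seen-set
# keyed on DN so circular nesting cannot loop forever.
function Get-GroupAndParents {
    param([Parameter(Mandatory)][string]$Name)
    $seen  = @{}
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($Name)
    while ($queue.Count -gt 0) {
        $id = $queue.Dequeue()
        $g  = Get-ADGroup -Identity $id -Properties memberOf -ErrorAction Stop
        if ($seen.ContainsKey($g.DistinguishedName)) { continue }
        $seen[$g.DistinguishedName] = $g
        foreach ($parentDn in $g.memberOf) { $queue.Enqueue($parentDn) }
    }
    $seen.Values
}

# Walk each root and its subdirectories and read the DACL of every directory. Files almost
# always inherit from their folder, so directories alone locate where an entitlement is set.
function Find-GroupInAcls {
    param(
        [Parameter(Mandatory)][string[]]$Paths,
        [Parameter(Mandatory)][hashtable]$Targets,   # 'DOMAIN\name' -> matched group sAMAccountName
        [bool]$Inherited
    )
    foreach ($p in $Paths) {
        $dirs = @(Get-Item -LiteralPath $p -ErrorAction Stop) +
                @(Get-ChildItem -LiteralPath $p -Recurse -Directory -ErrorAction SilentlyContinue)
        foreach ($d in $dirs) {
            try   { $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction Stop }
            catch { Write-Warning "Cannot read ACL: $($d.FullName)"; continue }
            foreach ($ace in $acl.Access) {
                if ($ace.IsInherited -and -not $Inherited) { continue }
                $who = $ace.IdentityReference.Value
                if ($Targets.ContainsKey($who)) {
                    [pscustomobject]@{
                        Path         = $d.FullName
                        Identity     = $who
                        MatchedGroup = $Targets[$who]      # equals $GroupName for a direct hit
                        Rights       = $ace.FileSystemRights
                        Type         = $ace.AccessControlType
                        Inherited    = $ace.IsInherited
                    }
                }
            }
        }
    }
}

# Build the 'DOMAIN\name' lookup table for the group and all groups it is nested in.
$netbios = (Get-ADDomain).NetBIOSName
$targets = @{}
foreach ($g in Get-GroupAndParents -Name $GroupName) {
    $targets["$netbios\$($g.SamAccountName)"] = $g.SamAccountName
}
Write-Verbose ("Matching {0} identities: {1}" -f $targets.Count, ($targets.Keys -join ', '))

# Emit objects so the result can be piped to Export-Csv or Out-GridView.
Find-GroupInAcls -Paths $Root -Targets $targets -Inherited $IncludeInherited.IsPresent | Sort-Object Path
```

Two caveats for anyone running this. It covers NTFS DACLs only; share-level permissions (`Get-SmbShareAccess`) and groups referenced from application configuration or LDAP filters are outside what a file-system walk can see, which is exactly the gap the question is about. And because it reads every directory's DACL, run it from a host close to the file server with an account that has read access to the permissions but nothing more.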
