Determining a comprehensive view of access rights in a Microsoft network can be a difficult task, as anyone who has undergone a recent audit can attest. Collecting and organizing security data into detailed reports can take significant time and effort. There are several reasons the data is hard and slow to gather, but the common factor is that security information is dispersed across multiple security stores rather than held in one place.
In a Windows environment, security store information is dispersed in the following ways:
- Security principals (users and groups) are dispersed across Active Directory and member server security databases (SAM)
- Groups can be deeply nested (e.g. group A is in group B is in group C is in ....)
- Group membership can span security databases (e.g. CONTOSO\Domain Admins is a member of SERVER\Administrators, so a domain group sits inside a local SAM group)
- A Windows domain can trust other Windows domains and external Kerberos realms
- Access Control Lists (ACLs) are stored on each securable object itself (files, registry keys, shares, Active Directory objects), not in a central store, so effective rights can only be determined by reading the ACL on every object of interest
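The first three points above (nested groups, cross-database membership, and the two separate stores) are what make a simple "who is an administrator on this server" question non-trivial. The following PowerShell script, added here as an example and not part of the original article, starts from a member server's local Administrators group and recursively expands any Active Directory groups it finds, printing the nesting path for each resulting principal. It assumes a domain-joined server, the ActiveDirectory (RSAT) and Microsoft.PowerShell.LocalAccounts modules, and an account allowed to read group membership; the server and domain names are placeholders.

```powershell
# Added example (not from the original article): enumerate the effective
# members of a member server's local Administrators group, expanding domain
# groups nested inside it. Assumes a domain-joined host with the ActiveDirectory
# RSAT module and the LocalAccounts module available. Names are placeholders.

Import-Module ActiveDirectory
Import-Module Microsoft.PowerShell.LocalAccounts

function Expand-ADGroupMembers {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [string]$Path,
        [System.Collections.Generic.HashSet[string]]$Seen
    )
    # HashSet.Add returns $false if the group was already visited; this stops
    # infinite recursion on cyclic nesting (A in B in A) and avoids duplicates.
    if (-not $Seen.Add($GroupDN)) { return }

    foreach ($m in Get-ADGroupMember -Identity $GroupDN) {
        $here = "$Path > $($m.SamAccountName)"
        switch ($m.objectClass) {
            'group' {
                # Nested group: descend into it, carrying the path so far.
                Expand-ADGroupMembers -GroupDN $m.distinguishedName -Path $here -Seen $Seen
            }
            default {
                # Leaf principal (user or computer): emit it with its nesting path.
                [pscustomobject]@{
                    Principal = $m.SamAccountName
                    Class     = $m.objectClass
                    Path      = $here
                }
            }
        }
    }
}

$server = $env:COMPUTERNAME   # placeholder: run this on the member server being audited
$seen   = [System.Collections.Generic.HashSet[string]]::new()

$results = foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    $root = "$server\Administrators > $($member.Name)"
    if ($member.ObjectClass -eq 'Group' -and $member.PrincipalSource -eq 'ActiveDirectory') {
        # A domain group nested in the local SAM group: look it up in AD by SID
        # (Get-ADGroup -Identity accepts a SID string) and expand it.
        $adGroup = Get-ADGroup -Identity $member.SID.Value
        Expand-ADGroupMembers -GroupDN $adGroup.DistinguishedName -Path $root -Seen $seen
    } else {
        # Local user, local group, or a directly nested domain user.
        [pscustomobject]@{
            Principal = $member.Name
            Class     = $member.ObjectClass
            Path      = $root
        }
    }
}

$results | Sort-Object Principal | Format-Table -AutoSize
```

The `Path` column is the part an auditor usually has to reconstruct by hand: it shows exactly which chain of nested groups grants each principal local administrator rights. Two limitations follow directly from the list above. Members that come from a trusted domain appear in AD as foreignSecurityPrincipal objects and have to be resolved against that domain (for example with the `-Server` parameter), which this example does not do. And the script answers only the group-membership question; the rights those groups actually hold on a given resource still come from the ACL on that object.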