Active Directory Monitoring & Reporting

nitrobass24

Looking for a tool(s) to help IT manage their AD environment.
Currently there are 6 domains with approx 1500 users and 3 IT Admins.

No Set Budget

Key Business Requirements:

• Show all the users with access to a particular share, including their access rights
• Show all the shares a particular user has access to, including their access rights
• Identify whether access granted is because of group access or explicit access
• Show how many users in each domain/group/OU
• Reports for end-users (managers) to perform annual access reviews
• Change Notification for AD Objects, Groups, Users, File share Permissions, Configuration
• Who made the change, when the change was made

Currently looking at the following tools. Does anyone have experience with any of these? Recommend something else?

Script Logic - Change Auditor
Script Logic - Security Explorer
ManageEngine - AD Manager Plus
ManageEngine - AD Audit Plus
Netwrix
 
I have subscribed to this one, I would also like to see what people are using.
 
Have you thought about rolling your own solution so you know for a fact that you get what you're looking for and needing?

Most of these requirements can be had from PowerShell scripts. If it were me I would just put a web frontend in front of PowerShell scripts and make it work for you instead of trying to find something that just fits the bill but doesn't...

Let me know if you want help with this as I can see what I can do with some of my resources...
 
• Show all the shares a particular user has access to, including their access rights

Unless something has changed with AD since last time I had to be a Windows admin, this will be a difficult requirement; AD doesn't keep a record of what objects a user has rights to.
 
Ya, you'd have to start with the share and work backwards (with nested groups as well. Good times!).
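
Added example, not part of any post in this thread: a PowerShell sketch of the "start with the share and work backwards" approach, expanding nested groups and labelling each right as explicit or inherited through a group. The share path, user and group names and the membership map are constructed sample data; in a live domain the ACL entries would come from `Get-Acl` or `Get-SmbShareAccess` and the membership from `Get-ADGroupMember`.

```powershell
# Constructed sample data (assumption, not from the thread).
$Members = @{
    'Finance-RW'   = @('alice', 'Finance-Mgrs')
    'Finance-Mgrs' = @('bob', 'Finance-RW')      # deliberate nesting loop
    'Auditors'     = @('carol')
}
$ShareAcl = @(
    [pscustomobject]@{ Share = '\\fs01\finance'; Identity = 'Finance-RW'; Rights = 'Modify' }
    [pscustomobject]@{ Share = '\\fs01\finance'; Identity = 'Auditors';   Rights = 'Read' }
    [pscustomobject]@{ Share = '\\fs01\finance'; Identity = 'bob';        Rights = 'FullControl' }
)

# Hypothetical helper: walk a group down to its users, remembering the path taken.
function Expand-Identity {
    param([string]$Identity, [hashtable]$Members, [string[]]$Path = @())
    if (-not $Members.ContainsKey($Identity)) {
        # Not a known group, so treat it as a user. Empty path = explicit ACE.
        return [pscustomobject]@{ User = $Identity; Via = ($Path -join ' > ') }
    }
    if ($Path -contains $Identity) { return }    # group already visited: break the loop
    foreach ($m in $Members[$Identity]) {
        Expand-Identity -Identity $m -Members $Members -Path ($Path + $Identity)
    }
}

# Hypothetical helper: one row per (share, user, rights) with the reason for access.
function Get-EffectiveShareAccess {
    param([object[]]$Acl, [hashtable]$Members)
    foreach ($ace in $Acl) {
        foreach ($hit in (Expand-Identity -Identity $ace.Identity -Members $Members)) {
            [pscustomobject]@{
                Share  = $ace.Share
                User   = $hit.User
                Rights = $ace.Rights
                Source = $(if ($hit.Via) { "Group: $($hit.Via)" } else { 'Explicit' })
            }
        }
    }
}

$report = Get-EffectiveShareAccess -Acl $ShareAcl -Members $Members
$report | Where-Object Share -eq '\\fs01\finance' | Format-Table   # who can reach a share
$report | Where-Object User -eq 'bob' | Format-Table               # what one user can reach
```

Because the report is built once from every share's ACL, the per-user view is just a filter over the same rows, which is how the "shares a user has access to" requirement gets answered without AD storing that mapping.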
 
Yeah, I realize this will be difficult using native AD scripts and such. Definitely looking for some sort of solution, even if it's really expensive, to assist in this role.
 
For stuff like this I just code my own PowerShell scripts. Some of the things you are asking for can be done in a handful of lines.
 
I get that, but that's not what the customer wants. :(
 
I think with the requirements you have listed here, an out-of-box solution is going to be hard to be had. I brought this in front of my development team this morning, and initial thoughts were that it's a very doable project. The biggest thing that would really be needed would be a delivery and implementation timetable and some sort of a budget to work with.

Do you expect to add additional domains to manage outside of the existing domains?

I assume all of these domains are in a single forest?
 
Check with Quest Software and NetIQ. They have tools to do most of the AD stuff that you are looking for. It's not cheap, but they've been doing that for a pretty long time.

Now on the file share management... Quest and NetIQ might have something. CA also. But there are these two companies that specialize in producing visibility into the ACL of every file, folder and share. I need to dig through my email to find them. They are definitely not cheap and the last time I got a quote it was 50K alone for one of our filers. If I find them, will post back.
 
OK great I will check with NetIQ.

Script Logic = Quest, so I have looked at that, but I would need two separate products and it doesn't look like they integrate well with each other. Would require that each user has two separate running applications. I would prefer something slightly more integrated or at least web-based mgt.

They have Websense Web Security and DSS products. They aren't afraid to spend $$$.
 