A glimpse of the new Power Search feature
The new “Power Search” feature enables you to perform granular and incisive search and analysis of permissions in your Active Directory. You can search AD object permissions with efficient query definitions. The scope of the search can also be specified within the Active Directory. Options to search default permissions and selectively assigned permissions give you the ability to search extensively.
Let’s take a look at the systematic approach to using the Power Search wizard.
Fig #1: Power Search tool bar
This is the Power Search tool bar. Choose the ‘Permissions’ option.
Step #1: Select the Domain
Step #2: Select the Access Control Entry
Step #3: Specify the scope
Step #4: Select the Accounts
Step #5: Selection Summary
This wizard page shows a summary of the search settings, based on the options you selected in the preceding steps.
Step #6: Search results
The Power search manager
Using this wizard, you can create, edit, delete, view and run any Power Search task.
Fig #3: Power Search Manager Wizard
Fig #4: Power search settings
Understand the Power Search feature better with a few sample scenarios
Scenario #1: Members having ‘Reset Password’ ACEs
Scenario #2: Members who can delete Organizational Units
Scenario #3: Members who can delete or create users & groups
Scenario #4: Members who have Full control ACEs
Fig 2: Report settings of ‘Full control’ ACE
Scenario #5: Members who are authorized to create or delete tasks in the AD environment
Scenario #6: Members who can alter AD objects
Scenario #7: Members who have extended rights
Scenario #8: Search those ACEs that have an impact on your AD security & integrity
There is one more feature worth noting: the Delegation Control wizard now conducts an implicit search for the explicitly assigned ACEs when a particular delegated task is chosen. In other words, you can search for the permissions that are assigned by default while delegating rights to the OU accounts and containers.
Scenario #9: Members who have ‘Reset Password’ ACE as the delegated task
Fig 3: Report settings of ‘Reset password’ ACE
Scenario #10: Members who have explicit Allow/Deny non-inherited ACEs on OU objects
Fig 4: Report settings of ACE type ‘Explicit Allow’
Explicit Deny
Fig 5: Report settings of ACE type ‘Explicit deny’
Fig #6: Delegation Control Wizard
A quick recap of the “Power Search” feature
Search for unauthorized access
Find out the access permissions of members in the Active Directory
Know their authorized actions
Quickly search members who can read objects in the confidential OUs and containers
Track certain unauthorized users and put a stop to security and integrity issues caused by them
Track those unnoticed deleted/disabled accounts, dummy SIDs, outdated users and their permissions
If you are interested in exploring these new features, please follow the link below to download a 30-day trial version of ARK for Active Directory software.
https://www.vyapinsoftware.com/products/active-directory-audit/active-directory-reports