At a basic level, how are mature organizations doing auditing of things like AD user accounts, inventory, etc?

Posted by heapsp@reddit | sysadmin | View on Reddit | 7 comments

Our company has soc 2 compliance but every control is very manual. Example: Quarterly audit , check every active AD account against HR system to ensure no accounts exist or are enabled that arent employed. Audit process looks like this: Export from AD into excel Compare to HRIS system. I know that might be a bad example because companies have an HR system that is linked to AD - but here is another example... Ensure that all servers are covered under our antivirus solutions: Export list of all servers Compare to AV system, mark any that you don't find there. There has to be a better way?

Reply to Post

7 Comments

[-]

_STY@reddit

For comparing users existing in the HR system to AD I would look to see if any automatic export tools are provided by the vendor. Take the dump of existing user information including a little information possible and write a powershell script to check for AD user objects and report back objects with discrepancies. If you could schedule an export or leverage an API to gather your HR systems data this could completely automated. Would perform a similar process with an export from whatever AV system you are using and instead user powershell to query the machines for whatever values you are looking for. This obviously would only work for things that were expected to be reachable. Typically orgs have tools for managing device configurations and software and leveraging them instead of rolling your own is likely best. There's tons of tools to make this process easier but there's a bunch of information we can't tell from your post.

[-]

heapsp@reddit (OP)

Thanks for the input, we have a problem with regularly performing these audits because they are too manual. My company would invest in a tool to help, but I'm unaware of a tool which might ingest or automatically ingest information like active AD users and automatically compare to another set of data through an API or manually uploaded. Right now what you descibe is pretty much what we do, powershell, export, compare both lists. Do this 20x for every item which we are required to check becomes a pain. Like... oh now I need to check every server for x application... ok now i need to check every user account and compare to y system, now z system.. etc.

[-]

_STY@reddit

You would fetch the API data with PowerShell and do it all in one script. Sorry I can’t be more specific because I don’t know what platform(s) you’re using but this should all be achievable using PowerShell alone.

[-]

heapsp@reddit (OP)

Interesting. I wonder if i could also use powershell in some way to compare the two sets of data against each other and produce an output of 'missing' items from one or the other... I might ask chatgpt. haha.

[-]

_STY@reddit

This is 100% possible. I used to do that exact same scenario, only comparing data from a SIS to populate in AD and Google. I know just saying “code it” is easier said than done but this is a perfect use case.

[-]

sirpoopshispants@reddit

When I had to do these types of audits I would create an Excel spreadsheet with three tabs: * AD tab * Master tab (from HR or AV system) * Functions tab The functions tab would just be a vlookup between the first two tabs and then sort the columns and look for anything with "#N/A". You only need this set up one time and then you can just replace the first and second tab with the up to date data and have your list within 5 minutes from start to finish.

[-]

AppIdentityGuy@reddit

Take a look at Microsoft Defender for Identity. There are also tools such as quest ars and change auditor, tenablead,