Active Directory Audit

Accurately audit security, access, permissions, effective permissions, privileged access and privilege escalation paths in Active Directory.

"We are very pleased to see Paramount Defenses, a valued Microsoft partner, offer an innovative security solution (in Gold Finger) that helps enhance security and compliance in Active Directory environments."

Charles Coates, Senior Product Manager      
Identity and Security Business Group


Active Directory
- The Focal Point of Audit

Microsoft Active Directory is the foundation of IT, cyber security and privileged access at 85% of organizations worldwide.

It is so because at organizations that operate on Active Directory, the entirety of an organization's primary identities (domain user accounts), and all essential components of access (computer accounts, security groups, passwords etc.) are stored, protected and managed in Active Directory.

Given its foundational role in IT, cyber security and privileged access, Active Directory is the focal point for cyber security audits concerning privileged access, identity and access management, governance, risk and compliance.

In fact, whether it be basic Active Directory inventory audits, such as user logon and account status audits, or a mission-critical Active Directory privileged access audit, the target of all such security-focused audits is Active Directory content.

Consequently, organizations and auditors require the ability to easily, efficiently and accurately perform a variety of Active Directory focused audits to fulfill various cyber security, AD Security, IT, PAM, IdM, IAM and GRC driven audit needs.

Active Directory Audit Drivers

Top-5 Active Directory Audit Drivers

Organizations and auditors need to perform various Active Directory focused audits, primarily driven by five top needs –


  1. Active Directory Privileged User Identification to fulfill audit needs driven by Audit and Regulatory Compliance, Privileged Access Management (PAM), Identity and Access Management (IAM) and Active Directory Security.

  2. Active Directory Security Hardening to adequately secure and defend their Active Directory deployment.

  3. Active Directory Permissions Analysis to identify and fix any glaring vulnerabilities in Active Directory permissions.

  4. Active Directory Group Membership Enumeration to identify all members of various domain security groups.

  5. Active Directory Inventory/Cleanup to identify the contents of their Active Directory and perform required cleanups.


These audits are focused on and targeted at Active Directory, and play a vital role in maintaining organizational security.

Three Categories of Active Directory Audit

The majority of organizational Active Directory audit needs can be categorized into and fulfilled by three types of audits -

  1. A basic Active Directory Inventory Audit helps inventory all Active Directory content, such as the list of all Domain Controllers, Organizational Units, accounts and groups, their states, status, membership, ACLs etc.

  2. An optional Active Directory Permissions Audit helps identify any glaring vulnerabilities that may exist due to incorrectly configured security permissions specified domain-wide in Active Directory access control lists (ACLs).

  3. An essential Active Directory Privileged Access Audit delivers an accurate and comprehensive assessment of the actual Who, What, Where and How of privileged access domain-wide, based on effective permissions.


    * The only area not covered by these audits is Domain Controller Security, which involves an audit of physical, system and network security of DCs. DC Security audits fall under Systems Security and should be performed.

The most important and difficult one of these audits to accurately perform is an Active Directory Privileged Access Audit.

Our Comprehensive Active Directory Audit Reports

Here are just a few examples of the various Active Directory Audit Reports that our solutions can deliver -

  • Inventory - A complete list of all objects in Active Directory.
  • Inventory - A complete list of all domain user accounts and their states.
  • Inventory - A complete list of all domain-joined computers and their operating systems.
  • Inventory - The complete flattened group membership of any Active Directory security group, including nesting details.
  • Permissions - A complete list of all users and groups who have any kind of permissions granted anywhere in Active Directory.
  • Permissions - A complete list of all Active Directory objects in whose ACLs a particular user/group has any kind of permissions.
  • Privileged Access - A complete list of all users who have privileged access by default in Active Directory.
  • Privileged Access - A complete list of all users who have privileged access by delegation in Active Directory.
  • Privileged Access - A complete list of all users who can control all default privileged accounts and groups in Active Directory.
  • Privileged Access - A complete list of all users who have a privilege escalation path to an(y) object in Active Directory.
Gold Finger

Our Solution

How our solution helps fulfill multiple audit needs in Active Directory.


Gold Finger, our unique, innovative Microsoft-endorsed Active Directory Audit and Assessment Suite, architected by former Microsoft Program Manager for Active Directory Security, is the world's most versatile solution for performing Active Directory audits, and is comprised of 8 purpose-built audit/assessment tools.

Gold Finger can instantly, automatically and accurately perform Active Directory Inventory Audits, Active Directory Permissions Audits and Active Directory Privileged Access Audits, all within minutes, and at the touch of a button.

It is a 100% read-only tool, can be installed in under two minutes and its use does not require any administrative access.

Gold Finger is unique in its ability to instantly and accurately perform Active Directory Privileged Access Audits, which can assess and reveal exactly who has what access, where and how, domain-wide in Active Directory, thereby enabling organizations to easily and quickly fulfill even the most challenging Active Directory audit needs.




An overview of each of its 8 Active Directory focused audit capabilities, including those unique to it, is provided below.

Active Directory Security Auditor

Active Directory Basic
Security and Inventory Audit

Our solution automates basic Active Directory Security and Inventory Audits.


Gold Finger's Active Directory Security Auditor tooling is purpose-built to help organizations perform basic Active Directory security and inventory audits. It can instantly generate 100+ fully-customizable audit reports, such as -

  1. List of all domain [ user | computer ] accounts in Active Directory, including their name, status and other details

  2. List of all domain security groups in Active Directory, including their name, type and other details

  3. List of all organizational units in Active Directory, including their name, location and other details

  4. List of all accounts that have [ logged on | not logged on ] in the last [ 0 - 365 ] number of days

  5. List of all [ disabled | expired | inactive | locked ] domain [ user | computer ] accounts

  6. ...

  7. List of all objects in Active Directory

Each report can be customized using an LDAP filter and the results can be exported to a CSV file. The tool can also generate professional-grade fully customizable PDF reports, with a custom title, description, logo and a password.


Active Directory Membership Auditor

Active Directory
Group Membership Audit

Our solution automates essential Active Directory Group Membership Audits.


Gold Finger's Active Directory Membership Auditor tooling is purpose-built to help organizations perform basic Active Directory security group membership audits, and it can instantly generate group membership audit reports, such as -

  1. List all direct members of an Active Directory security group

  2. List the fully expanded membership of an Active Directory security group

  3. List all security groups to which a specific domain [ user | computer ] account belongs


Report results can be filtered based on security principal type and the results can be exported to a CSV file. The tool can also generate professional-grade fully customizable PDF reports, with a custom title, description, logo and a password.


Active Directory ACL Analyzer and Exporter

Active Directory
Basic Permissions Audit

Our solution automates essential Active Directory basic Permission Audits.


Gold Finger's Active Directory ACL Analyzer and Exporter tooling is purpose-built to help organizations perform Active Directory permissions audits and it can instantly generate several Active Directory permission audit reports, such as -

  1. List the entire [ ACL | SACL ] of an Active Directory object

  2. List all security [ permissions | principals ] specified in the ACL of an Active Directory object

  3. Export the [ ACLs | SACLs ] of all objects in Active Directory tree

  4. Identify all protected ACLs in Active Directory, i.e. ACLs of objects in Active Directory whose ACL is marked 'Protected'


An advanced Analyze option provides greater clarity in analyzing permissions, and results can be exported to a CSV file.


Active Directory Permissions Analyzer

Active Directory
Advanced Permissions Audit

Our solution automates advanced Active Directory Permission Audits.


Gold Finger's Active Directory Permissions Analyzer tooling is purpose-built to help organizations perform advanced Active Directory permissions analysis and audits and it can instantly perform domain-wide Active Directory permissions analysis and generate audit reports, such as -

  1. List of all security principals that have any kind of security permissions in Active Directory ACLs

  2. List of all security principals that have a specific kind of security permission in Active Directory ACLs

  3. List of all security principals that have any kind of modify security permissions in Active Directory ACLs

  4. List of all security permissions granted to a specific security principal (account or group) in Active Directory ACLs

  5. List of all [ Explicit | Inherited ] and [ Allow | Deny ] security permissions in Active Directory ACLs


Custom LDAP filters can be applied, scope depth can be controlled, and all report results can be exported to a CSV file.


Active Directory Effective Permissions Calculator

Active Directory
Effective Permissions Audit

Our solution uniquely automates Active Directory Effective Permissions Audits.


Gold Finger's unique, innovative Active Directory Effective Permissions Calculator tooling is purpose-built to enable and empower organizations to be able to perform accurate Active Directory Effective Permissions analysis and audits.

It can instantly and accurately make all resultant access determinations in Active Directory, and be used to generate any resultant access report on any object in any partition in any Active Directory (results can be exported to a CSV file), such as -

  1. Who has [ Create Child | Delete Child ] effective permissions of a specific object-type on an Active Directory object?

  2. Who has [ Read All Properties | Write All Properties ] effective permissions on an Active Directory object?

  3. Who has [ Read Property | Write Property ] effective permissions to a specific property (e.g. UserAccountControl) or to all properties on an Active Directory object?

  4. Who has [ Modify Owner | Modify Permissions ] effective permissions on an Active Directory object?

  5. Who has [ Extended Right | Validated Write ] effective permissions on an Active Directory object?



Active Directory Effective Access Auditor

Active Directory
Effective Access Audit

Our solution uniquely automates Active Directory Effective Access Audits.


Gold Finger's unique, innovative Active Directory Effective Access Auditor tooling is purpose-built to enable organizations to be able to perform accurate Active Directory Effective Permissions based effective access audits.

It can instantly and accurately make high-value resultant access determinations in Active Directory, and be used to generate object-specific resultant access reports on any object in Active Directory domains, such as -

  1. Who can replicate secrets from an Active Directory domain?

  2. Who can [ create | delete ] a specific Active Directory [ user account | computer account | security group | OU ] ?

  3. Who can [ reset the password of a specific Active Directory domain user account | change the membership of a specific Active Directory domain security group | link a GPO to a specific Active Directory organizational unit | etc.] ?

  4. Who can enact various security sensitive tasks on a specific Active Directory [ user account | computer account ] ?

  5. Who can change the [ permissions | ownership ] of a specific Active Directory [ user account | computer account | security group | OU | container | domain-root ] ?



Active Directory Privileged Access Assessor

Active Directory
Privileged Access Audit

Our solution uniquely automates Active Directory Privileged Access Audits.


Gold Finger's unique, innovative Active Directory Privileged Access Assessor tooling is purpose-built to empower organizations to be able to perform accurate Active Directory Effective Permissions based privileged access audits.

It can instantly and accurately make the most high-value resultant access determinations in all of organizational security by generating privileged access reports spanning thousands of objects domain-wide in Active Directory, such as -

  1. Who can [ create | delete ]  [ user accounts | computer accounts | security groups | OUs ] in Active Directory?

  2. Who can [ reset the passwords of | disable/enable | unlock | etc. ] all Active Directory domain user accounts?

  3. Who can change the group [ membership | type | scope ] of all Active Directory domain security groups?

  4. Who can enact various security sensitive tasks on all Active Directory [ user accounts | computer accounts ] ?

  5. Who can change the [ permissions | ownership ] of all Active Directory [ user accounts | computer accounts | security groups | OUs | containers ] ?


The output of every report can be exported to a CSV file. The tool can also generate fully customizable, professional-grade audit reports in PDF format, with optional password encryption.

Active Directory Privilege Escalation Path Identifier

Active Directory
Privilege Escalation Path Audit

Our solution uniquely automates Active Directory Privilege Escalation Path Audits.


Gold Finger's unique, innovative Active Directory Privilege Escalation Path Identifier tooling is purpose-built to empower organizations to perform accurate Active Directory Effective Permissions based Active Directory Privilege Escalation Path audits.

It can instantly and accurately make the most valuable privileged access determinations in all of organizational cyber security, and be used to generate the most valuable reports in Active Directory and in all of cyber security, such as -

  1. Who can escalate privilege to a(ny) [ user account | computer account | security group | OU ] or to the domain-root in Active Directory?

  2. What escalation paths does an account have to a specific [ user account | computer account | security group | OU ] or to the domain-root in Active Directory?

  3. Which administrative task(s) can a specific account enact to escalate privilege to a specific Active Directory object?

  4. Which security permissions in an Active Directory object's ACL enable a specific account to escalate privilege to it?


Gold Finger is the only tooling in the world that can accurately identify privilege escalation paths in Active Directory.


Our Global Customers

  • Australian Government
  • United States Treasury
  • British Government
  • Government of Canada
  • British Petroleum
  • Ernst and Young
  • Saudi Arabian Monetary Agency
  • Juniper Networks
  • U.S. Department of Defense
  • Microsoft Corporation
  • United Nations
  • Quantium
  • Nestle
  • IBM Corporation
  • U.S. Federal Aviation Administration
  • Columbia University

Corporate Headquarters

620 Newport Center Drive, Suite 1100
Newport Beach, CA. 92660. USA.


Telephone: 001-949-468-5770
