Active Directory Membership Auditor

User's Guide

Introduction

This User's Guide shows you how to use the Active Directory Membership Auditor to audit domain security group memberships in Active Directory.

It contains ten sections -

1. Pre-requisites

2. Getting Started

3. Exploring the User Interface

4. Audit a Group's Memberships

5. Audit a User's Memberships

6. Viewing Results

7. Exporting Results

8. Using Basic Options

9. Using Advanced Options

10. Getting Technical Support

2. Getting Started

Getting started with Gold Finger takes just a few minutes and involves three simple steps -

1. Download and install Gold Finger

   Navigate to your custom license download URL, locate the Gold Finger download link and click on it to download the Gold-Finger.zip package onto the computer on which you wish to install the application.

   Next, unzip the package, verify the digital signature on the unzipped Gold-Finger.msi installer file and then double-click it to launch the installer. The installer will ask a few basic questions and then proceed to install Gold Finger.




2. Download and install your Gold Finger License

   Navigate to your custom license download URL, locate the Gold Finger License download link and click on it to download the Gold_Finger_License.zip package onto the computer on which you wish to install the application.

   Next, unzip the downloaded package, and locate the GFLic.dll file within the unzipped Gold_Finger_License folder. Verify the digital signature on the GFLic.dll file, and then copy it into the Gold Finger installation directory.

   Note - In a default installation, the Gold Finger installation directory is C:\Program Files (x86)\Paramount Defenses\Gold Finger.

   
   

3. Launch Gold Finger

   Click the Start menu, locate the Paramount Defenses folder, then locate the Gold Finger application link and click on it. Please give it a few moments whilst Gold Finger performs a few basic security checks before it opens.

   Note - Should you wish to use alternate credentials or target a specific domain controller, you can do so via Basic Options.

3. Exploring the User Interface

Gold Finger's sheer simplicity is reflected in its minimalist user interface, comprised of the following elements -

1. Tool Selector - The tool selector is used to select a specific tool.

2. Reports Pane - The reports pane lists all the reports available in the selected tool.

3. Retrieve Field - The retrieve field is used to restrict group enumeration to principals of a specific type.

4. Scope Field - The scope field is used to specify the report's scope/target.

5. Search Utility - The inbuilt search utility is used to locate and specify targets.

6. Run button - The run button, also known as the Gold Finger button, is used to generate a report.

7. Results Pane - The results of a generated report are displayed in the results pane, titled the Membership pane.

8. Status Indicator - The status indicator provides an indication of the report's status.

9. Export and PDF Buttons - The Export and PDF buttons are used to export a report's results and generate PDFs.

4. Audit a Group's Memberships

To audit a domain security group's membership in Active Directory, select the Membership Auditor from the Tool Selector, then enact the following three steps -

1. Select a report

   In the Reports pane, select from one of the following two reports by clicking on it -

   1. View the direct membership of an Active Directory security group

   2. View the complete nested group membership of an Active Directory security group

   Note - You can use the Retrieve Field to filter memberships retrieved by a specific security principal type. Options include All Members, User Accounts only, Computer Accounts only, Well-Knowns/FSPs only, Security Groups only and User and Computer Accounts only.




2. Specify a scope

   In the Scope field, enter the distinguished name (DN) of the security group whose membership you wish to audit.

   Note - You can use Gold Finger's inbuilt search utility to instantly and easily locate and determine the DN of any Active Directory object.

   
   

3. Click a button

   Click the Gold Finger (Run) button, and the tool will proceed to generate the selected report(s).

4. Audit a User's Memberships

To audit a domain account's memberships in Active Directory, select the Membership Auditor from the Tool Selector, then enact the following three steps -

1. Select a report

   In the Reports pane, select the following report by clicking on it -

   1. View the complete list of all Active Directory security groups to which a user belongs




2. Specify a scope

   In the Scope field, enter the distinguished name (DN) of the domain account whose membership you wish to audit.

   Note - You can use Gold Finger's inbuilt search utility to instantly and easily locate and determine the DN of any Active Directory object.

   
   

3. Click a button

   Click the Gold Finger (Run) button, and the tool will proceed to generate the selected report(s).

5. Viewing Results

I. Viewing a Group's Memberships

Upon the successful completion of a report, Gold Finger displays a security group's members in the Membership pane.

For each member, all relevant details, including the member's name, SAM account name, title, department, account status, description and distinguished name are displayed. In addition*, for every nested member, appropriate nesting details can also be displayed in the Nesting column.

* This requires the Display member group nesting details in lieu of description option to be enabled in Advanced Options.

II. Viewing a User's Memberships

Similarly, upon the successful completion of a user's security group membership report, Gold Finger displays the list of all security groups to which the user belongs, in the Membership pane, and for each security group, it displays the group's name, SAM account name, group type, security identifier (SID), description and distinguished name.

The results are fully-sortable and can also be easily exported as a CSV file or a PDF file as described in the next section.

6. Exporting Results

Gold Finger makes exporting Active Directory group memberships as easy as touching a button, as described below -

1. Exporting Results

   To export the results of a report, simply click the Export button once. When you do so, Gold Finger will generate a CSV file containing the entire data set, and prompt you to specify a location at which to save the file.




2. Generating PDFs

   Gold Finger can also generate professional-grade, fully-customizable PDF files with a custom title, header, footer description, organizational logo, page-numbers, password-protection and custom attributes, at a button's touch.

   To generate a PDF report, simply click the PDF button once. When you do so, Gold Finger will generate a PDF file based on options specified in PDF Report Options, and prompt you to specify a location at which to save the file.

   The PDF reports can contain either a summary of results or the complete set of results, and this can be customized by configuring various options available in PDF Report Options, which can be accessed from the Options menu.

7. Using Basic Options

Gold Finger offers two options that can be used to target specific domain controllers and/or use alternate credentials, (and a third basic option that impacts the aesthetics of the Run button, traditionally known as the Gold Finger button,) accessible via the Options > Basic Options application menu -

1. Target a specific Domain Controller

   Gold Finger can be configured to target a specific domain controller (DC). If this option is checked, Gold Finger will only target the DC specified in the DC Name field. The specified name of a DC must be its NetBIOS name.

   Note - The only requirement is that the specified DC must belong to the target domain and it must also be a Global Catalog.




2. Use specific Alternate Credentials

   Gold Finger can also be configured to use alternate credentials. If this option is checked, Gold Finger will use the specified alternate credentials. The specified username must be in the form a UPN e.g. administrator@corp.local.

   Note - By default, Gold Finger uses the security context of the (logged-on) user account that is currently using Gold Finger.

   
   

3. Use contemporary 'Run' Button

   This option controls the aesthetics of the Run button. If this option is checked (default), the Run button sports a contemporary look. If it is unchecked, the Run button retains its traditional look i.e. the iconic Gold Finger button.

8. Using Advanced Options

Gold Finger offers four advanced options for the Membership Auditor tool, accessible via the Options > Advanced Options application menu -

1. Use 'Display Names' for user accounts - This option controls whether Gold Finger should retrieve and display the Display Name of domain user accounts in the Name field. If checked, it will display the Display Name instead.

2. Include 'System Container' contents - This option controls whether Gold Finger should include the contents of the System container when generating reports. If checked, it will include objects in the System container.

   [ Also include DNS data ] - This sub-option is used to control whether Gold Finger should also include DNS data that resides in the System container when generating reports. If checked, it will also include DNS contents in the System container.



3. Include 'Anonymous' in 'Everyone' - If checked, Gold Finger will include the Anonymous well-known security principal when dynamically evaluating the membership of the Everyone well-known security principal.

4. Display member group nesting details in lieu of description - If checked, in lieu of the default Description column, Gold Finger will display a Nesting column instead, in which it will display nesting details for all security principals that are members of the specified security group by virtue of being a member of any nested security groups.