🕵️ Active Directory Groups audit w. Neo4J

adriens - May 16 '23 - Dev Community

🧐 About

Active Directory is a crucial part of many Information Systems as it manages both authentication and access management.

In this article, we'll focus on Active Directory group management analysis.

🍿 Demo

💰 Return On Investment

With this data, we are now able to:

  • 📏 Produce classifications
  • 🔮 Make predictions
  • 🕸️ Cross-check with third-party identity management services

🔭 Further with groups

We will link this data (i.e. relationships) on top of our digital identity management, see below:

💡 Group tuning & Minimum spanning tree

Having a large set of groups has an impact on performance. Getting this data as a graph makes it possible to use graph algorithms, such as Minimum spanning tree, to see whether we can improve the group assignment design.

📷 Screenshots gallery

We often ask ourselves the same questions.
Below are some still screenshots from our experience:

🔬 Drilling down into someone's groups


⚖️ Member & Guest accounts

Guest users have default restricted directory permissions. They can manage their own profile, change their own password, and retrieve some information about other users, groups, and apps. However, they can't read all directory information. B2B guest users are not supported in Microsoft Teams shared channels.

Let's see how they are implemented:

// Groups of which the 2 agents and the 2 GLIA guests are members
// (OPTIONAL MATCH keeps groups shared by both agents even when a guest is not in them)
MATCH (a:AD_agent {name:"3004XXX"})-[ia:IS_MEMBER_OF]->(g:AD_group)
      <-[ig:IS_MEMBER_OF]-(b:AD_agent {name:"2999XXX"})
OPTIONAL MATCH (gu:AD_guest {name:"pXXX"})-[ip:IS_MEMBER_OF]->(g)
OPTIONAL MATCH (gue:AD_guest {name:"dXXX"})-[id:IS_MEMBER_OF]->(g)
RETURN a,g,b,gu,gue,ia,ig,ip,id

🐘 Biggest groups


🏋️‍♂️ Accounts with the largest number of groups

Belonging to a large number of groups can mean many things, so being able to analyze this is worth a closer look.
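The queries behind the "Biggest groups" and "largest number of groups" views are not shown in the article. The following is an added example, not the author's code, written against the labels and relationship used in the query above (AD_agent, AD_guest, AD_group, IS_MEMBER_OF). The sample data is constructed, and the name property on AD_group is an assumption.

```cypher
// Constructed sample data: placeholder names, not taken from a real directory.
CREATE (a1:AD_agent {name:"agent-001"}), (a2:AD_agent {name:"agent-002"}),
       (a3:AD_agent {name:"agent-003"}),
       (gu1:AD_guest {name:"guest-001"}), (gu2:AD_guest {name:"guest-002"}),
       (g1:AD_group {name:"GRP-PROJECT"}),   // assumption: groups carry a name property
       (g2:AD_group {name:"GRP-EXTERNAL"}),
       (g3:AD_group {name:"GRP-ALL-STAFF"}),
       (a1)-[:IS_MEMBER_OF]->(g1), (a2)-[:IS_MEMBER_OF]->(g1),
       (gu1)-[:IS_MEMBER_OF]->(g1),
       (gu1)-[:IS_MEMBER_OF]->(g2), (gu2)-[:IS_MEMBER_OF]->(g2),
       (a1)-[:IS_MEMBER_OF]->(g3), (a2)-[:IS_MEMBER_OF]->(g3),
       (a3)-[:IS_MEMBER_OF]->(g3);

// 1. Biggest groups: direct member count per group, agents and guests together.
MATCH (g:AD_group)<-[:IS_MEMBER_OF]-(m)
RETURN g.name AS group_name, count(m) AS member_count
ORDER BY member_count DESC
LIMIT 10;

// 2. Accounts with the largest number of groups, with the account type,
//    so heavily privileged guests stand out from agents.
MATCH (m)-[:IS_MEMBER_OF]->(g:AD_group)
RETURN labels(m)[0] AS account_type, m.name AS account, count(g) AS group_count
ORDER BY group_count DESC
LIMIT 10;

// 3. Groups that contain guests: who the guests are, how many agents share
//    the group, and the guest ratio. OPTIONAL MATCH keeps guest-only groups
//    (agent_count = 0), which are worth reviewing first.
MATCH (g:AD_group)<-[:IS_MEMBER_OF]-(gu:AD_guest)
WITH g, collect(gu.name) AS guests
OPTIONAL MATCH (g)<-[:IS_MEMBER_OF]-(a:AD_agent)
WITH g, guests, count(a) AS agent_count
RETURN g.name AS group_name, guests, agent_count,
       toFloat(size(guests)) / (size(guests) + agent_count) AS guest_ratio
ORDER BY guest_ratio DESC, group_name;
```

On the constructed data, query 3 lists GRP-EXTERNAL first (two guests, no agents) and GRP-PROJECT second (one guest, two agents); GRP-ALL-STAFF has no guests and is not returned.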
