
No History for AD Group Membership - Hitachi ID Group Manager

Business Challenge

Active Directory tracks membership in security groups and uses this membership to connect users to file-system and other resource access control lists (ACLs). In short, placing a user into a security group is the main mechanism for granting security rights to users in Windows.

Active Directory does not, however, keep a history of security group membership. There is no record of when a user was added to a security group, who authorized the change, or why. Group membership on its own is therefore inadequate for forensic analysis.

Hitachi ID Group Manager Solution
  • Group Manager implements a workflow to manage group membership. Every change has a requester, a recipient and at least one authorizer.
  • Change requests are logged indefinitely. It is always possible to find out:
    • Who requested a change.
    • Who authorized a change.
    • What reasons were given for the request and for the approval.
    • When the change took place.
    This information is retained indefinitely -- even if the group membership has since been revoked.

Using Group Manager, organizations establish an accountable log of security changes and are able to carry out forensic analysis, if required.
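The following is an added illustration, not code from Hitachi ID or the Group Manager product: an append-only ledger of membership changes with exactly the fields the list above calls for (requester, recipient, authorizers, reasons, timestamp). Group, user and reason values are constructed sample data. Beyond the page's text, it shows why an append-only log matters for forensics: because removals are recorded as new entries rather than by deleting the original grant, the log can answer "who was in this group on a given date" and "who approved this user's access" even after the membership has been revoked.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Set, Tuple


@dataclass(frozen=True)
class MembershipEvent:
    """One completed membership change. Frozen: entries are never edited."""
    timestamp: datetime            # when the change took effect (UTC)
    action: str                    # "add" or "remove"
    group: str                     # security group, e.g. one bound to a file-share ACL
    member: str                    # the recipient of the change
    requester: str                 # who asked for it
    authorizers: Tuple[str, ...]   # who approved it (at least one)
    request_reason: str
    approval_reason: str


class MembershipLedger:
    """Append-only log of group membership changes.

    Entries are appended and never removed, so a revoked membership keeps
    its original request/approval record for later forensic queries.
    """

    def __init__(self) -> None:
        self._events: List[MembershipEvent] = []

    def record(self, event: MembershipEvent) -> None:
        # Enforce the workflow invariant: every change has at least one authorizer.
        if event.action not in ("add", "remove"):
            raise ValueError(f"unknown action {event.action!r}")
        if not event.authorizers:
            raise ValueError("every change needs at least one authorizer")
        self._events.append(event)

    def history(self, group: str, member: str) -> List[MembershipEvent]:
        """All changes ever made to member's standing in group, oldest first."""
        return sorted((e for e in self._events if e.group == group and e.member == member),
                      key=lambda e: e.timestamp)

    def members_at(self, group: str, when_iso: str) -> Set[str]:
        """Reconstruct the group's membership at a point in time by replaying the log."""
        when = datetime.fromisoformat(when_iso)
        members: Set[str] = set()
        for e in sorted(self._events, key=lambda e: e.timestamp):
            if e.group != group or e.timestamp > when:
                continue
            if e.action == "add":
                members.add(e.member)
            else:
                members.discard(e.member)
        return members

    def who_authorized(self, group: str, member: str) -> Tuple[str, ...]:
        """Authorizers of the latest 'add' of member to group, even if since revoked."""
        adds = [e for e in self.history(group, member) if e.action == "add"]
        return adds[-1].authorizers if adds else ()


def build_sample_ledger() -> MembershipLedger:
    """Constructed sample data (hypothetical group, users and reasons)."""
    ledger = MembershipLedger()
    ledger.record(MembershipEvent(
        timestamp=datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc),
        action="add", group="FinanceShare-RW", member="alice",
        requester="bob", authorizers=("carol",),
        request_reason="Joined the accounts-payable team",
        approval_reason="Role confirmed with HR"))
    ledger.record(MembershipEvent(
        timestamp=datetime(2024, 3, 1, 17, 30, tzinfo=timezone.utc),
        action="remove", group="FinanceShare-RW", member="alice",
        requester="bob", authorizers=("carol",),
        request_reason="Transferred to another department",
        approval_reason="Access no longer required"))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("members on 2024-02-01:", ledger.members_at("FinanceShare-RW", "2024-02-01T00:00:00+00:00"))
    print("members on 2024-04-01:", ledger.members_at("FinanceShare-RW", "2024-04-01T00:00:00+00:00"))
    for e in ledger.history("FinanceShare-RW", "alice"):
        print(e.timestamp.isoformat(), e.action, "requested by", e.requester,
              "approved by", ", ".join(e.authorizers), "-", e.request_reason)
```

Replaying the log in timestamp order is what makes point-in-time membership recoverable; a system that only stores the current member list (as the directory itself does) cannot answer the same question once a user has been removed.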
