No, there's no way to get that data out of AD. Groups are injected in to your token at logon. The target device then looks at the token you present to do AuthZ.
You could turn on LDAP query logging and see if you can catch any LDAP integrated apps that do direct queries, but, that's only going to give you a slice of the answer and the data won't be real easy to consume. Thanks, Brian Desmond br...@briandesmond.com<mailto:br...@briandesmond.com> w - 312.625.1438 | c - 312.731.3132 From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of James Hill Sent: Tuesday, December 17, 2013 3:59 PM To: ntsysadm@lists.myitforum.com Subject: [NTSysADM] Auditing AD Security Group usage I'm currently working in an AD environment that has been poorly documented. In particular there are a large number of security groups whose usage is unknown. We initially looked at the last modified attribute as that at least let us know about groups that are recently modified. To find what they are actually used for does not appear to be a simple task. We have used some other tools such as shareenum to check for security groups that are used for share permissions. To try and simplify the process I'm wondering if it is possible to audit where specific group membership queries are coming from? We could then investigate those devices etc individually to see what they use the security group for. Any other suggestions are welcome! James.
