No Secrets with DSA
Manage security with NetIQ’s Directory Security Administrator.
Think you know who has access to what on your network? Think your Active
Directory permissions are as tight as a drum? With NetIQ’s Directory Security
Administrator, you may want to think again.
I installed DSA on a test network and found a Test group that was a member
of Enterprise Admins. Yikes! I wonder what I was checking when I set up
that little gem. What’s more, when I used the handy search tool built
into DSA, I found that a new (non-IT) employee had the same rights!
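The finding above (a test group nested inside Enterprise Admins, and a new hire who inherited the right through it) is the kind of thing a recursive membership walk turns up. The script below is an added example, not code from the article or from NetIQ's DSA: it enumerates the effective membership of Enterprise Admins, follows nested groups, and reports the chain of groups that grants each account the right. It assumes the RSAT ActiveDirectory module, read access to the forest root, and that a global catalog answers on port 3268 of the root domain's DNS name; the allow-list account names are constructed placeholders.

```powershell
# Added example (not from the article or NetIQ's DSA): enumerate the effective
# membership of Enterprise Admins, following nested groups, and report the chain
# of groups that grants each account the right. Assumes the RSAT ActiveDirectory
# module, read access to the forest root domain, and (assumption) that a global
# catalog answers on port 3268 of the root domain's DNS name. Account names in
# the allow-list are constructed placeholders.
Import-Module ActiveDirectory

$forestRoot = (Get-ADForest).RootDomain
$gc = "${forestRoot}:3268"   # global catalog, so members from child domains resolve too

function Get-EffectiveGroupMembers {
    param(
        [Parameter(Mandatory)] [string] $GroupIdentity,   # name or distinguished name
        [string[]]  $Chain = @(),                         # groups walked so far (root first)
        [hashtable] $SeenGroups = @{}                     # guards against circular nesting
    )
    $group = Get-ADGroup -Identity $GroupIdentity -Server $gc -Properties member
    if ($SeenGroups.ContainsKey($group.DistinguishedName)) { return }
    $SeenGroups[$group.DistinguishedName] = $true
    $path = $Chain + $group.Name

    foreach ($memberDn in $group.member) {
        $obj = Get-ADObject -Identity $memberDn -Server $gc -Properties objectClass, sAMAccountName
        if ($obj.objectClass -eq 'group') {
            # Nested group: descend and keep extending the chain
            Get-EffectiveGroupMembers -GroupIdentity $obj.DistinguishedName -Chain $path -SeenGroups $SeenGroups
        } else {
            [pscustomobject]@{
                Member = $obj.sAMAccountName
                Class  = $obj.objectClass
                Via    = ($path -join ' -> ')   # e.g. "Enterprise Admins -> Test"
            }
        }
    }
}

# Constructed allow-list: accounts that are expected to hold Enterprise Admin rights.
$expectedMembers = @('Administrator', 'svc-forest-admin')

$effective = Get-EffectiveGroupMembers -GroupIdentity 'Enterprise Admins'
$effective | Sort-Object Via, Member | Format-Table -AutoSize

# Anything granted the right through a nested group, or not on the allow-list, is worth a look.
$review = $effective | Where-Object {
    $_.Via -ne 'Enterprise Admins' -or $expectedMembers -notcontains $_.Member
}
if ($review) {
    Write-Warning 'Enterprise Admin rights held outside the expected set:'
    $review | Format-Table -AutoSize
}
```

Walking the `member` attribute by hand rather than calling `Get-ADGroupMember -Recursive` costs a few lines but keeps the nesting path, which is what tells you how a non-IT account ended up with forest-wide rights; the `$SeenGroups` table stops a group that nests itself from looping forever.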
Installation of DSA took all of five minutes on my server, even when
I added the Active Directory Component, which gives Active Directory Users
and Computers a much-needed shot in the arm. With DSA installed, I was
able to right-click on a user, select either Show Permissions or Search
for Permissions, and be instantly brought to the DSA Permissions Explorer.
This rocks! Oh, sure, I could have right-clicked the user, selected Properties
and then clicked the Security tab, but with DSA, I got there faster.
If I right-click a specific OU, such as my IS OU, I can search for permissions
or edit security. When editing, I get the normal Properties box but then
if I select Enterprise Admins and click Advanced, I’m brought to the Access
Control Settings, which is the heart of DSA. From here, I can add, edit
or remove my permission entries or even adjust auditing.
DSA, particularly the DSA Explorer, appears as a three-pane window similar
to AD Users and Computers. The left and right panes look virtually identical,
but under the right pane appears a third pane that lists the permissions.
Here’s where you can see what’s inherited and what the permissions apply
to; if you right-click an entry, you can even restore the Access Control
Entry (ACE) order (which actually works like a refresh). Further, if you
click the Browse button, you can search for entries that apply to only
I was a bit perturbed when I opened the Users folder and tried to search
for permissions on a particular user. When right-clicking the user and
selecting Search for Permissions, I got the message, “The security principal
is not a member of the forest that you are viewing….” I begged to differ.
After all, I wanted to make sure that my new hire was no longer a member
of Enterprise Admins (too much power in the hands of someone new is not
a good thing!). To get around this, I simply opened the DSA search tool
and entered my new employee as a security principal, which let me see
what I needed.
DSA has a command line interface that will satisfy even the most ardent
CLI user. You can launch a DSA search, specify values for search criteria
and/or run unattended searches for exporting to CSV files. You can even
script or set up batch files.
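Both the DSA Explorer permissions pane described earlier (which ACEs apply to an object, what is inherited, and the entries that apply to a given principal) and the unattended CSV export offered by the command-line interface can be reproduced with the AD: drive that ships with the ActiveDirectory module. The script below is an added example, not code from the article or from NetIQ's DSA, and it is meant for reviewing grants rather than changing them; it assumes the RSAT ActiveDirectory module is loaded, and the OU, domain and principal names are constructed placeholders.

```powershell
# Added example (not from the article or NetIQ's DSA): list the ACEs on one OU or
# on every OU in the domain, optionally restricted to one security principal, and
# export the result to CSV for an unattended review. Assumes the RSAT
# ActiveDirectory module (which provides the AD: drive). The OU, domain and
# principal names are constructed placeholders.
Import-Module ActiveDirectory

function Get-OUAccessEntries {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [string] $Principal      # e.g. 'CONTOSO\newhire'; omit to return every entry
    )
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($Principal -and $ace.IdentityReference.Value -ne $Principal) { continue }
        [pscustomobject]@{
            Object    = $DistinguishedName
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType     # Allow / Deny
            Rights    = $ace.ActiveDirectoryRights
            Property  = $ace.ObjectType            # GUID of an attribute or extended right; all-zero = whole object
            Inherited = $ace.IsInherited           # False = set directly on this object
            AppliesTo = $ace.InheritanceType       # None, All, Descendents, ...
        }
    }
}

# 1. The entries that apply to one principal on one OU (what the third pane shows).
Get-OUAccessEntries -DistinguishedName 'OU=IS,DC=contoso,DC=com' -Principal 'CONTOSO\newhire' |
    Format-Table -AutoSize

# 2. Unattended sweep of every OU, written to CSV for later review or diffing against a baseline.
$allEntries = Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Get-OUAccessEntries -DistinguishedName $_.DistinguishedName }
$allEntries | Export-Csv -Path '.\ou-permissions.csv' -NoTypeInformation

# 3. Explicit (non-inherited) Allow entries that hand out full control, or the ability
#    to change the DACL or owner, are the ones most likely to be forgotten test grants.
$allEntries | Where-Object {
    -not $_.Inherited -and $_.Type -eq 'Allow' -and
    ($_.Rights -match 'GenericAll|WriteDacl|WriteOwner')
} | Format-Table Object, Identity, Rights -AutoSize
```

Filtering on `IsInherited` is the quickest way to separate entries that were set on the object itself from those flowing down from a parent; a CSV produced on a schedule and compared against the previous run gives you the same "what changed since last week" view without opening a console.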
In sniffing around the NetIQ site, I checked out the support for this
product. It has a Knowledge Base that you can enter your question into,
but my experience was that unless you typed in very specific keywords,
you might not find what you were seeking.
Make your life as a network or security admin a little easier and pick
up DSA. I guarantee you’ll find at least one skeleton lurking in the shadows!
About the Author
Jim Idema, MCSE, CNA, is president of Idema Enterprises Computer Consulting, a West Michigan-based computer consulting firm specializing in networking solutions to business.