Product Reviews

No Secrets with DSA

Manage security with NetIQ’s Directory Security Administrator.

Think you know who has access to what on your network? Think your Active Directory permissions are as tight as a drum? With NetIQ’s Directory Security Administrator, you may want to think again.

I installed DSA on a test network and found a Test group that was a member of Enterprise Admins. Yikes! I wonder what I was checking when I set up that little gem. What’s more, when I used the handy search tool built into DSA, I found that a new (non-IT) employee had the same rights!

Installation of DSA took all of five minutes on my server, even when I added the Active Directory Component, which gives Active Directory Users and Computers a much-needed shot in the arm. With DSA installed, I was able to right-click on a user, select either Show Permissions or Search for Permissions, and be instantly brought to the DSA Permissions Explorer. This rocks! Oh, sure, I could have right-clicked the user, selected Properties and then clicked the Security tab, but with DSA, I got there faster.

If I right-click a specific OU, such as my IS OU, I can search for permissions or edit security. When editing, I get the normal Properties box but then if I select Enterprise Admins and click Advanced, I’m brought to the Access Control Settings, which is the heart of DSA. From here, I can add, edit or remove my permission entries or even adjust auditing.

DSA, particularly the DSA Explorer, appears as a three-pane window similar to AD Users and Computers. The left and right panes look virtually identical, but under the right pane appears a third pane that lists the permissions. Here’s where you can see what’s inherited and what the permissions apply to; if you right click an entry, you can even restore the Access Control Entry (ACE) order (which actually works like a refresh). Further, if you click the Browse button, you can search for entries that apply to only one object.

I was a bit perturbed when I opened the Users folder and tried to search for permissions on a particular user. When right-clicking the user and selecting Search for Permissions, I got the message, “The security principal is not a member of the forest that you are viewing….” I begged to differ. After all, I wanted to make sure that my new hire was no longer a member of Enterprise Admins (too much power in the hands of someone new is not a good thing!). To get around this, I simply opened the DSA search tool and entered my new employee as a security principle, which let me see what I needed.

DSA has a command line interface that will satisfy even the most ardent CLI user. You can launch a DSA search, specify values for search criteria and/or run unattended searches for exporting to CSV files. You can even script or set up batch files.

In sniffing around the NetIQ site, I checked out the support for this product. It has a Knowledge Base that you can enter your question into, but my experience was that unless you typed in very specific keywords, you might not find what you were seeking.

Make your life as a network or security admin a little easier and pick up DSA. I guarantee you’ll find at least one skeleton lurking in the shadows!

About the Author

Jim Idema, MCSE, CNA, is president of Idema Enterprises Computer Consulting, a West Michigan-based computer consulting firm specializing in networking solutions to business.


comments powered by Disqus

Subscribe on YouTube