Detect removal of inheritance on a user

Curious if anyone has tried to set up a rule in NTP (or NTM) to detect when a user's inheritance is removed. Ideally, the only time that should happen is when a user is made a member of a protected/elevated group and the SDProp process replaces inheritance with the AdminSDHolder ACL. We are trying to see if we can detect if someone were to manually remove a user's inheritance.

Hey Art! Just ran a quick test in the lab and you can pick this up with both NTM and NTP. Here is the resultant event in both tools:

You'll see in both it is just captured as an AD Object change with Access Inheritance modified in the operation field or the before/after attribute value fields. It doesn't seem like this can be easily filtered in NTM today, but in NTP you should be able to leverage the Advanced Filters. I'll get this in front of the team to see if we can improve the parsing here to make it easier to find.

NTP:

NTM:

I actually found the same information in my testing as well. I had not tried the advanced filters in NTP, but I will try that; at least we could alert on that.
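As an added example that is not from this thread or from the NTP/NTM product, the same check can be scripted directly against AD: list user objects whose DACL inheritance is disabled but that SDProp did not stamp (adminCount is not 1), and pull the 5136 directory-change events for nTSecurityDescriptor from a DC. It assumes the ActiveDirectory module, read access to the directory, and that "Audit Directory Service Changes" plus a Write DACL SACL on the user objects are configured for the event query.

```powershell
# Added example, not part of the original thread. Assumes the ActiveDirectory
# PowerShell module is installed and the caller can read user objects.
Import-Module ActiveDirectory

function Get-UnexpectedProtectedUsers {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $users = Get-ADUser -Filter * -SearchBase $SearchBase `
        -Properties nTSecurityDescriptor, adminCount
    foreach ($u in $users) {
        $sd = $u.nTSecurityDescriptor        # System.DirectoryServices.ActiveDirectorySecurity
        if (-not $sd.AreAccessRulesProtected) { continue }   # inheritance still enabled
        # SDProp sets adminCount=1 when it applies the AdminSDHolder ACL. A protected
        # object without that stamp was most likely changed by hand. Caveat: users
        # removed from a protected group keep adminCount=1 and are not flagged here.
        if ($u.adminCount -eq 1) { continue }
        [pscustomobject]@{
            SamAccountName     = $u.SamAccountName
            DistinguishedName  = $u.DistinguishedName
            AdminCount         = $u.adminCount
            InheritanceBlocked = $true
        }
    }
}

# Near-real-time view: with Directory Service Changes auditing and a SACL for
# Write DACL on the objects, event 5136 records each nTSecurityDescriptor change
# with the acting account (SubjectUserName) and the target (ObjectDN).
function Get-SecurityDescriptorChangeEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $xpath = "*[System[EventID=5136] and EventData[Data[@Name='AttributeLDAPDisplayName']='nTSecurityDescriptor']]"
    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Object    = $d['ObjectDN']
                Actor     = $d['SubjectUserName']
                Operation = $d['OperationType']   # %%14674 value added, %%14675 value deleted
            }
        }
}

Get-UnexpectedProtectedUsers | Format-Table -AutoSize
Get-SecurityDescriptorChangeEvents | Format-Table -AutoSize
```

Run the first function on a schedule as a baseline and the second against each DC, since 5136 is logged only on the DC that processed the change.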
