Active directory path permission

Hi, how are you?

I have a problem with my BigFix relevance queries because I couldn't find a way to list all auditing permissions of an OU path like this: “CN=Schema,CN=Configuration,DC=group,DC=pepito,DC=com”.

Can you help me with this, please?

That’s probably not something that would be visible to a BESClient process; and if it’s visible at all, it would likely only be visible on a Domain Controller.

What’s the use-case for that? In my opinion BigFix is better for the use-case of “applying & verifying a configuration that must be repeated on thousands of clients”, not so much for “a one-time configuration that is applied once on a forest”.

I need it because I have to ensure that all permissions on a list of OUs are correctly assigned.

Right, but you do realize BigFix is NOT an AD tool, right?! In fact, to a certain extent BigFix on the compliance side is somewhat of a competing way to enforce settings/make changes…

The problem you would have is repetition. Let’s say you create a property that does this and send it to 1000 machines: you are causing quite a flood, because instead of one machine reporting one OU permission, you are making 1000 machines send 1000 different AD queries and creating a flood of traffic. Imagine now that you hit an OU with thousands and thousands of permissions (accounts/groups) and you do find a way to retrieve them - imagine the amount of load this would put on AD/Domain Controllers… this can easily cause an issue and bring down the entire domain!

I understand that, so I am going to run it on 1 machine and on a specific OU, but I need it, so I am asking if there is a way to do it.

If you have a PowerShell script or such that can retrieve the permissions, then yes you could create an Action to deploy that script onto one host, save the results into a text file, and bring back the text file content in an Analysis. This is a method we sometimes refer to as ‘leaving breadcrumbs’.

Since the script would run as LocalSystem, it’s likely that only a Domain Controller could run the action successfully.

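A script of the kind the last reply describes, as an added example that is not part of the original thread: it writes the access (DACL) and audit (SACL) entries of each listed object to a text file that an Analysis could read back. It assumes the ActiveDirectory PowerShell module is present on the host (as on a Domain Controller); `$OutFile` and the `Format-Rule` helper are hypothetical names chosen for illustration.

```powershell
# Added example: dump DACL and SACL entries for a short list of AD objects
# to a tab-separated file. Run on ONE host only, as discussed in the thread.
Import-Module ActiveDirectory -ErrorAction Stop   # provides the AD:\ drive

$TargetDNs = @(
    'CN=Schema,CN=Configuration,DC=group,DC=pepito,DC=com'   # DN from the question
)
$OutFile = 'C:\ProgramData\ad_acl_report.txt'                # hypothetical path

function Format-Rule {
    param($Rule, [string]$Dn, [string]$Kind)
    # Access rules carry AccessControlType (Allow/Deny);
    # audit rules carry AuditFlags (Success/Failure).
    $type = if ($Kind -eq 'AUDIT') { $Rule.AuditFlags } else { $Rule.AccessControlType }
    $fields = @(
        $Kind, $Dn, $Rule.IdentityReference, $Rule.ActiveDirectoryRights,
        $type, $Rule.InheritanceType, $Rule.ObjectType, $Rule.IsInherited
    )
    $fields -join "`t"
}

$header = "KIND`tDN`tIDENTITY`tRIGHTS`tTYPE`tINHERITANCE`tOBJECTTYPE`tINHERITED"
Set-Content -Path $OutFile -Value $header -Encoding UTF8

$TargetDNs | ForEach-Object {
    $dn = $_
    try {
        # -Audit asks for the SACL in addition to owner, group and DACL.
        $acl = Get-Acl -Path "AD:\$dn" -Audit -ErrorAction Stop
    } catch {
        # Record the failure so a missing DN is visible in the report.
        "ERROR`t$dn`t$($_.Exception.Message)"
        return
    }
    # Include explicit and inherited entries; resolve SIDs to names where possible.
    $nt = [System.Security.Principal.NTAccount]
    foreach ($r in $acl.GetAccessRules($true, $true, $nt)) { Format-Rule $r $dn 'ACCESS' }
    foreach ($r in $acl.GetAuditRules($true, $true, $nt))  { Format-Rule $r $dn 'AUDIT' }
} | Add-Content -Path $OutFile -Encoding UTF8
```

If the account running the script cannot read the SACL, `Get-Acl -Audit` fails and that DN appears as an `ERROR` line instead of being left out of the report.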