Recently i was pondering if it is possible to determine all computers a specific aduser has rights to logon to in the domain? I wasnt sure if i should start with retrieving all adcomputers or find all groups the user is a member of then compare?
I assumed in ad there was some way to have it tell me this aduser object does not have logon rights to this adcomputer without querying the machine directly.
As the kb mentions, typically rights are by default assigned to these local server groups:
By default, the members of the following groups have this right on workstations and servers:
Administrators
Backup Operators
Users
Then a user or group is typically added to these groups, normally ‘Administrators’. Some companies will create Local\Global Active Directory groups and then assign the group so that Active Directory can be queried, but by default there isn’t a method to determine what resources are assigned to a user. It’s actually one of the biggest issues in IT security is there is no link to fully determine what is assigned to a user, solutions need to be built to create as much audit capabilities.