I'm trying to identify potential permission issues on areas of our AD tree. What I have in mind is something like SysInternals FileMon to monitor object access in Active Directory in real time.
For example: Adding a computer to the domain.
Is there anything like that in the wild? Is there a better way?
If you're talking about a service trying to read...what object? I guess I'm missing what the AD has to do with the object in question. The best tools I've found for reading object access are FileMon, RegMon and ProcMon, all from Sysinternals. That normally gives a good overview of what's working and what's not for permission access.
We do have instances of AD policies not being read by systems periodically, and the only thing that seems to work is to: A) reboot. It might read it next time. B) force a refresh of the policy. It seems to be random as to when/how it takes, though, and Windows is simply FANTASTIC at giving feedback on what's happening. Ha ha! C) work around it. For example, assigning printers to certain computers wouldn't work sometimes and would other times, so eventually we just started slapping the freeware AdPrintx onto each workstation we deploy, with a batch file in the startup folder that adds default printers while bypassing the random frustration of AD.
I'm guessing you thought of using the event log, which should report permissions issues when trying to edit AD objects.
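To make the event-log route concrete, here is an added example (not code from the original thread or from any poster) that turns on the Directory Service auditing subcategories, puts an audit entry on an OU so that 4662 events are actually generated for it, and then polls the Security log for 4741 (computer account created), 5137 (directory object created) and 4662 (audited access, allowed or denied). It assumes it is run on a domain controller with the ActiveDirectory module; the OU distinguished name is a placeholder.

```powershell
# Added example, not from the original thread. Assumes a domain controller
# with the ActiveDirectory module; the OU distinguished name is a placeholder.
Import-Module ActiveDirectory

# 1. Enable the two audit subcategories that produce the events below.
#    (Same setting via GPO: Default Domain Controllers Policy >
#    Advanced Audit Policy Configuration > DS Access.)
auditpol /set /subcategory:"Directory Service Access"  /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 2. Event 4662 is only raised for objects whose SACL asks for it, so add an
#    audit entry on the OU: Everyone, create/delete child + write property +
#    write DACL, success and failure, inherited to everything below.
$ouDn = 'OU=Workstations,DC=example,DC=com'   # placeholder
$sec  = Get-Acl -Path "AD:\$ouDn" -Audit
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    (New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'),   # Everyone
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty, WriteDacl',
    [System.Security.AccessControl.AuditFlags]'Success, Failure',
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$sec.AddAuditRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $sec

# 3. Poll the Security log and emit one object per new event.
#    4741 = computer account created, 5137 = directory object created,
#    4662 = an audited operation on an object; 'Audit Failure' = denied.
function Watch-AdObjectAccess {
    param([int]$IntervalSeconds = 5)
    $start  = Get-Date
    $lastId = 0                      # highest Security-log RecordId already shown
    while ($true) {
        $events = Get-WinEvent -FilterHashtable @{
                      LogName = 'Security'; Id = 4662, 4741, 5137; StartTime = $start
                  } -ErrorAction SilentlyContinue |
                  Where-Object { $_.RecordId -gt $lastId } |
                  Sort-Object RecordId
        foreach ($e in $events) {
            $lastId = $e.RecordId
            # Flatten <EventData><Data Name=...> into a hashtable.
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Id      = $e.Id
                Outcome = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'DENIED' } else { 'ok' }
                Subject = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Object  = if     ($data.ContainsKey('ObjectDN'))   { $data['ObjectDN'] }    # 5137
                          elseif ($data.ContainsKey('ObjectName')) { $data['ObjectName'] }  # 4662
                          else                                     { $data['TargetUserName'] }  # 4741: new computer account
                Detail  = if ($data.ContainsKey('AccessMask')) { 'mask=' + $data['AccessMask'] } else { $data['ObjectClass'] }
            }
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

# Usage: leave this running on the DC while someone joins a computer.
Watch-AdObjectAccess | Format-Table
```

Two caveats: the SACL step is what most people forget, and without it you will see 5137/4741 for the join but no 4662 for the access checks that preceded it; and 4662 only fires on the DC that handled the request, so on a multi-DC domain either run this on each DC or forward the Security log to one place.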
Have you tried DumpSec? I have seen it used by auditors to get a good overview of the permissions and security settings in an AD.
Maybe a better way would be to take an account and check what kind of permissions it has on OUs.
You can use dsrevoke.exe with the /report option to get that detail for an individual.
Or you can use "effective permissions" as explained here.
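As an added example (not from the original thread, and not the method used by dsrevoke or the Effective Permissions tab), here is a script that walks the OUs under a search base and lists every ACE that applies to a given account, either directly or through any nested group it belongs to, plus the well-known identities every logon token carries. It assumes the ActiveDirectory module (RSAT) and read access to the OU security descriptors; the account name and search base are placeholders. Note that it enumerates matching ACEs rather than computing true effective permissions (it does not resolve Deny-over-Allow precedence for you), which is why Deny entries are sorted to the top.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module; the account name and search base below are placeholders.
Import-Module ActiveDirectory

function Get-PrincipalOuAccess {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $user = Get-ADUser -Identity $SamAccountName

    # Build the set of SIDs the account's token would contain:
    #  - the user itself
    #  - nested group membership (LDAP_MATCHING_RULE_IN_CHAIN)
    #  - direct membership, which also brings in the primary group
    #  - well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users
    $sids = New-Object 'System.Collections.Generic.HashSet[string]'
    [void]$sids.Add($user.SID.Value)
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
        ForEach-Object { [void]$sids.Add($_.SID.Value) }
    Get-ADPrincipalGroupMembership -Identity $user |
        ForEach-Object { [void]$sids.Add($_.SID.Value) }
    foreach ($s in 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545') { [void]$sids.Add($s) }

    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            try {
                $sid = $ace.IdentityReference.Translate(
                           [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }            # orphaned or untranslatable identity: skip
            if (-not $sids.Contains($sid)) { continue }
            [pscustomobject]@{
                OU         = $ou.DistinguishedName
                Via        = $ace.IdentityReference.Value   # the user or the group granting it
                Type       = $ace.AccessControlType        # Allow / Deny
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $ace.ObjectType               # GUID of attribute/class/extended right; all-zero = everything
                Inherited  = $ace.IsInherited
            }
        }
    }
}

# Usage: where can the join account act under the Workstations OU? Denies first.
Get-PrincipalOuAccess -SamAccountName 'svc-joiner' -SearchBase 'OU=Workstations,DC=example,DC=com' |
    Sort-Object Type, OU | Format-Table -AutoSize
```

The ObjectType column is a raw GUID; an all-zero GUID means the ACE covers the whole object, otherwise you need to look the GUID up in the schema or extended-rights containers to see which attribute or right it scopes, which is the part dsrevoke's report does for you only for explicit entries naming that principal.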
Did you try LIZA yet? It is a free tool for Active Directory Permission Analysis:
http://www.ldapexplorer.com/en/liza.htm