December 10, 2012

How to View Active Directory Permissions Easily and Instantly

Folks,

In today's post, I will show you just how easy it is to view, analyze and export Active Directory security permissions / access rights / ACLs with the world's best Active Directory ACL Viewer and ACL Exporter. IT admins often need to view Active Directory permissions / ACLs and analyze them to find out who has what rights on an Active Directory object, or to find out who is delegated what rights on an Active Directory object.

Active Directory Security Permissions


How to View Active Directory Permissions Easily

The ACL Viewer capability of the Gold Finger Active Directory Audit Tool lets you instantly view, analyze and export the permissions granted on any Active Directory object at the touch of a button.




Here's how easy it is to view the security permissions in the ACL of an Active Directory object -
  1. Launch Gold Finger
  2. Select the ACL Viewer Capability
  3. Select the report - View the ACL of an Active Directory object
  4. Specify the DN of the Active Directory object in the scope field
  5. Press the Gold Finger button.

That's it.

Gold Finger instantly retrieves and displays the complete ACL of the Active Directory object, including all the fields listed below.

Active Directory Permissions Fields Displayed -
  1. Type - Allow / Deny
  2. Security Principal
  3. Permissions  
  4. Attribute/Class
  5. Inheritance
  6. Applies To

Detailed Security Permissions Analysis View

Gold Finger is also the world's only ACL Viewer that displays each of the thirteen unique Active Directory permissions in its own individual column, letting you easily sort the entire ACL of the Active Directory object by permission type and thus find all ACEs that grant a specific kind of permission, such as Create-Child or Extended-Right.

Active Directory Permissions Displayed in Individual Columns


List of Active Directory Security Permissions Displayed in Individual Columns

In fact, here is the list of the 13 different types of Active Directory security permissions that Gold Finger displays in individual columns for instant, reliable and effortless analysis -
  1. List Child (LC) permissions
  2. List Object (LO) permissions
  3. Read Control (RC) permissions
  4. Read Property (RP) permissions
  5. Write Property (WP) permissions
  6. Create Child (CC) permissions
  7. Delete Child (DC) permissions
  8. Standard Delete (SD) permissions
  9. Delete Tree (DT) permissions
  10. Write DACL (WD) permissions
  11. Write Owner (WO) permissions
  12. Extended Rights (CR) permissions
  13. Validated Write (SW) permissions

Gold Finger can be used to view Active Directory permissions easily and in fact can be used to view the ACL of any object in any Active Directory domain partition, as well as objects in the Schema partition and the Configuration partition.

For instance, Gold Finger can be used to view the ACL of the root of the Configuration partition, or any Class-Schema or Attribute-Schema object in the Schema partition or any object in any domain partition, such as the System container, the AdminSDHolder object, the Users container, or any OU, user account, computer account, security group, service connection point etc. of your choice.

This information can be used to assess delegated rights in Active Directory, verify provisioned access in Active Directory, as well as help when you are trying to audit delegated access in Active Directory.

In this manner, Gold Finger can help you perform detailed Active Directory Security Analysis, as well as easily sort and export the ACL of any Active Directory object in your environment.

For more information, and to download a free 21-day trial, please visit - http://www.paramountdefenses.com/goldfinger_capabilities_acl_viewer_and_exporter_for_active_directory.html

September 26, 2012

How to easily view, export and analyze the security permissions / access rights in an Active Directory (AD) Access Control List (ACL)


IT personnel often need to be able to view, export and analyze Active Directory ACLs to assess, audit, manage, control and lock down security permissions granted to various security principals on an Active Directory object, and to perform Active Directory Security Analysis.



Active Directory ACL Editor View - Advanced Security Settings

For instance, IT personnel often need to be able to identify -
  1. All ACEs that Deny permissions
  2. All ACEs that apply to a specific object type, such as to all User objects
  3. All ACEs that grant permissions for a specific security principal, such as Domain Admins
  4. All ACEs that are inherited but marked as Inherit-Only
  5. All ACEs that grant a specific type of permission, such as Extended Right permissions


Active Directory Users and Computers / Administrative Center are insufficient

The default means of viewing and analyzing Active Directory ACLs is via the Security Tab of either the Microsoft Active Directory Users and Computers snap-in or via the Administrative Center snap-in.


Active Directory Users and Computer Snap-In - ACL Editor | ACL Viewer

In either of these cases, the default views are not very user-friendly because they do not display the ACL as is, so one has to resort to using the Advanced button to view the underlying permissions in detail.

Even in the Advanced view, it is not very easy to view the entire ACL, and it is by no means possible to sort the ACL by the individual security permissions contained in a single access control entry (ACE).

The fact that many ACEs typically grant multiple permissions necessitates the ability to be able to easily view the individual permissions specified in an ACE and sort the ACL by individual permission types, but this is not possible using Microsoft's default UIs for ACL viewing.



dsacls.exe and 3rd party tools (e.g. LIZA) are also insufficient

The dsacls command-line utility is not of much help in this regard in that even though it can be used to dump an object's ACL to the console, it cannot render a view wherein individual permissions are displayed in individual columns for easy viewing and analysis. Some 3rd party tools (e.g. LIZA) offer some progress in that they are able to break down the permissions, but only by a few generic permission types. They fall short in that they cannot break down the entire ACL by each of the 13 permission types in Active Directory.


Gold Finger's ACL Viewer Capability Completely Breaks Down Individual Permissions in Active Directory ACLs

In that regard, the ACL Viewer capability of the Gold Finger Active Directory Security Audit Tool delivers the best view into Active Directory ACLs for quick and complete ACL analysis -


Gold Finger's Detailed Active Directory ACL Viewer

In particular, it not only displays each field of an Active Directory ACL in a separate column, it also has a Detailed view (activated by pressing Alt-D) that further breaks down the permission field into 13 individual columns, one for each of the 13 types of permissions available in Active Directory.

By offering this ability, it finally lets IT personnel easily analyze Active Directory ACLs by letting them sort the entire ACL by not only the basic ACE fields, but also sort the entire Active Directory ACL by individual permission types, such as Extended Rights, or Modify Permissions etc.

It thus empowers IT personnel to be able to, for the first time ever, obtain complete clarity and insight into the ACL of any Active Directory object in any directory partition, quickly and effortlessly.


Benefits

For instance, if an IT administrator wanted to identify all the ACEs in an object's ACL that grant Delete Tree permissions, it makes accomplishing this objective as easy as touching a button.

In order to do so, the IT administrator would simply sort the ACL by the Delete Tree permission column, and by doing so be able to instantly identify all ACEs that grant this permission, either as an individual permission, or as a combination of permissions.

Not only does Gold Finger provide complete clarity into the various ACEs and permissions in an Active Directory object's ACL, it also lets IT personnel instantly export that ACL to a CSV file. This makes it possible to document and archive the ACL of an object.

In addition, Gold Finger can also be used to target specific DCs so in situations where replication issues might exist, it can help determine the differences between different ACLs simply by obtaining and comparing two versions of the same Active Directory object's ACL from two different DCs.

Gold Finger's ACL Viewer is thus the most valuable and capable Active Directory ACL Viewer as well as the world's most capable Active Directory Permissions Analyzer.

For additional details, please visit - http://www.paramountdefenses.com/goldfinger

September 17, 2012

How to View and Analyze Active Directory (AD) Object ACLs Using Gold Finger

In this blog, as we begin coverage of how to view and analyze Active Directory security permissions, ACLs and SACLs, we will make extensive use of the Gold Finger Active Directory Security/ACL/SACL Viewer Tool. It would thus be helpful to have a basic understanding of how to use Gold Finger's automated Active Directory security permissions/ACL/SACL viewing and analysis capabilities.


The following is thus a brief demo that shows how to use Gold Finger to view and analyze Active Directory security permissions, ACLs and SACLs.







In addition to being able to view and analyze Active Directory security permissions/rights, ACLs and SACLs, Gold Finger can also generate Active Directory delegated access reports that show you who is delegated what access where and how.

Once you have gained familiarity with how to use Gold Finger to view and analyze Active Directory security rights/permissions, ACLs and SACLs, it will be much easier to follow various examples that we shall share as we cover this subject.


The WikiLeaks Security Incident and the latest Anonymous Cyber-Attacks on Israel all demonstrate the importance of cyber security and IT security today. When it comes to the security of the IT infrastructures of organizations, Active Directory is at the foundation of their security and thus is mission-critical to global security today. In fact, the Most Powerful and Expensive Weapon in the World is related to Active Directory security as well.

August 31, 2012

How to View and Analyze Active Directory ACLs and SACLs

Active Directory stores and protects critical IT resources like user and computer accounts, passwords, security groups and security policies, which are stored in the form of Active Directory objects.



Each Active Directory object is secured by means of a security descriptor, which is comprised of a discretionary access control list (ACL), a system access control list (SACL), a Group field and an Owner field. Each ACL in turn contains many access control entries (ACEs). Each ACE specifies some security permissions for some security principal (e.g. user, computer, group, well-known principals).

In order to maintain security, IT personnel often need to be able to analyze Active Directory ACLs such as to find out and lock down who is granted what access on individual Active Directory objects.

ACL Editor in Active Directory Users and Computers

The default way to view Active Directory ACLs is via the ACL Editor/Viewer that is built into the Microsoft Active Directory Users and Computers tool -



 
Unfortunately, the view available in the ACL Editor is substantially insufficient to perform any kind of Active Directory ACL analysis because one is unable to view the individual elements of the access control entries (ACEs) that comprise the ACL of the Active Directory object.


DSACLs to Analyze Active Directory ACLs
 
The Microsoft command-line tool DSACLS provides some additional detail that is somewhat useful in performing Active Directory ACL analysis, but it is still cumbersome because you need to export the contents to perform any useful analysis, and even then it does not break down the individual permissions contained in the access mask field, so you have to do that manually, which can be time-consuming and prone to error.
 
 

Scripts to Analyze Active Directory ACLs
 
It is also not very easy to write scripts to try and analyze Active Directory ACLs, because detailed ACL analysis involves looking into the access mask of all ACEs, analyzing flags, resolving SIDs, etc. In addition, because there can be multiple permissions specified in a single ACE, determining which ACEs grant which permissions can be complicated.

Performing all of these steps can take a very long time and involve a lot of effort and knowledge. As a result, analyzing Active Directory ACLs in detail can be difficult for most IT personnel.
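The script steps described above (decoding each ACE's access mask, reading its flags, and separating the several permissions one ACE can carry) are shown in the following added example, which is not from the original post and is not Gold Finger's code. It splits the DACL of an SDDL string into one row per ACE with a column for each of the 13 permission codes listed in the December 10 post, so that a question such as "which ACEs grant Delete Tree?" becomes a simple filter. The function names and the sample descriptor are constructed for illustration; SID resolution and conditional ACEs are not handled.

```python
import re

# The 13 AD permission bits, keyed by the two-letter SDDL codes.
AD_RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
}
# Generic rights as they map onto directory objects.
GENERIC = {"GA": 0xF01FF, "GR": 0x20094, "GW": 0x20028, "GX": 0x20004}

def rights_to_mask(rights):
    """Turn an SDDL rights field (two-letter codes or a hex mask) into an int."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    table = {**AD_RIGHTS, **GENERIC}
    mask = 0
    for code in re.findall("..", rights):
        mask |= table[code]
    return mask

def parse_dacl(sddl):
    """Return one row per DACL ACE, with a boolean column per permission."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    rows = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, obj, _inherit_obj, sid = ace.split(";")[:6]
        mask = rights_to_mask(rights)
        flag_codes = re.findall("..", flags)
        row = {"type": "Deny" if ace_type in ("D", "OD") else "Allow",
               "principal": sid, "object_type": obj or None,
               "inherited": "ID" in flag_codes, "inherit_only": "IO" in flag_codes}
        row.update({code: bool(mask & bit) for code, bit in AD_RIGHTS.items()})
        rows.append(row)
    return rows

def aces_granting(rows, code):
    """Principals of Allow ACEs whose mask includes the given permission."""
    return [r["principal"] for r in rows if r["type"] == "Allow" and r[code]]

# Constructed sample descriptor (not from a real directory); the SID is made up.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI(A;;GA;;;SY)(A;CI;RPWPCCDCLCSWRCWDWOSDDT;;;DA)"
    "(OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;"
    "bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-1111-2222-3333-1105)"
    "(D;;DT;;;WD)(A;CIID;LCRPLORC;;;AU)"
)
print("Delete Tree granted to:", aces_granting(parse_dacl(SAMPLE_SDDL), "DT"))
```

The same rows answer the other questions raised on this page: filter on `type` for Deny ACEs, on `object_type` for ACEs scoped to a class or extended right, and on `inherit_only` for Inherit-Only ACEs.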

 
A Dedicated and Automated ACL Analysis Tool
 
In this blog, we will take a look at how to use a dedicated and automated, advanced Active Directory ACL Viewer and ACL Analysis Tool to easily and efficiently analyze Active Directory ACLs.





A dedicated ACL Analysis Tool can help easily analyze Active Directory ACLs and look into every field of an object's ACL, including the individual permissions specified in every ACE.



With a dedicated Active Directory ACL Analysis Tool, IT personnel have the ability to instantly analyze the ACL of any Active Directory object in any partition, and use this information to identify security vulnerabilities, as well as lock down and maintain secure access to Active Directory content.

- Andrew