IT personnel often need to be able to view, export and analyze Active Directory ACLs to assess, audit, manage, control and lock-down security permissions granted to various security principals on an Active Directory object, and to perform Active Directory Security Analysis
Active Directory ACL Editor View - Advanced Security Settings |
For instance, IT personnel often need to be able to identify -
- All ACEs that Deny permissions
- All ACEs that apply to a specific object type, such as to all User objects
- All ACEs that grant permissions for a specific security principal, such as Domain Admins
- All ACEs that are inherited but marked as Inherit-Only
- All ACEs that grant a specific type of permission, such as Extended Right permissions
Active Directory Users and Computers / Administrative Center are insufficient
The default means of viewing and analyzing Active Directory ACLs is via the Security Tab of either the Microsoft Active Directory Users and Computers snap-in or via the Administrative Center snap-in.
Active Directory Users and Computer Snap-In - ACL Editor | ACL Viewer |
In either of these cases, the default views are not very user-friendly because they do not display the ACL as is, so one has to resort to using the Advanced button to view the underlying permissions in detail.
Even in the Advanced view, it is not very easy to view the entire ACL and it is by no means possible to be able to sort the ACL by the individual security permissions contained in a single access control entry (ACE.)
The fact that many ACEs typically grant multiple permissions necessitates the ability to be able to easily view the individual permissions specified in an ACE and sort the ACL by individual permission types, but this is not possible using Microsoft's default UIs for ACL viewing.
dsacls.exe and 3rd party tools (e.g. LIZA) are also insufficient
The dsacls command-line utility is not of much help in this regard in that even thought it can be used to dump an object's ACL to the console, it cannot render a view wherein individual permissions are displayed in individual columns for easy viewing and analysis. Some 3rd party tools (e.g. LIZA) offer some progress in that it is able to break down the permissions but only by a few generic permission types. It falls short in that it cannot break down the entire ACL by each of the 13 permission types in Active Directory.
Gold Finger's ACL Viewer Capability Completely Breaks Down Individual Permissions in Active Directory ACLs
In that regard, the ACL Viewer capability of the Gold Finger Active Directory Security Audit Tool delivers the best view into Active Directory ACLs for quick and complete ACL analysis -
Gold Finger's Detailed Active Directory ACL Viewer |
In particular, it not only displays each field of an Active Directory ACL in a separate column, it also has an Detailed view (activated by pressing Alt-D) that further breaks down the permission field into 13 individual columns, one each for each of the 13 types of permissions available in Active Directory.
By offering this ability, it finally lets IT personnel easily analyze Active Directory ACLs by letting them sort the entire ACL by not only the basic ACE fields, but also sort the entire Active Directory ACL by individual permission types, such as Extended Rights, or Modify Permissions etc.
It thus empowers IT personnel to be able to, for the first time ever, obtain complete clarity and insight into the ACL of any Active Directory object in any directory partition, quickly and effortlessly.
Benefits
For instance, if an IT administrator wanted to identify all the ACEs in an object's ACL that grant Delete Tree permissions, it makes accomplishing this objective as easy as touching a button.
In order to do so, the IT administrator would simply sort the ACL by the Delete Tree permission column, and by doing so be able to instantly identify all ACEs that grant this permission, either as an individual permission, or as a combination of permissions.
Not only does Gold Finger provide complete clarity into the various ACEs and permissions in an Active Directory object's ACL, it also lets IT personnel instantly export that ACL to a CSV file. This makes it possible to document and archive the ACL of an object.
In addition, Gold Finger can also be used to target specific DCs so in situations where replication issues might exist, it can help determine the differences between different ACLs simply by obtaining and comparing two versions of the same Active Directory object's ACL from two different DCs.
Gold Finger's ACL Viewer is thus the most valuable and capable Active Directory ACL Viewer as well as the world's most capable Active Directory Permissions Analyzer.
For additional details, please visit - http://www.paramountdefenses.com/goldfinger