July 15, 2013

How to View the ACL on the AdminSDHolder Object in Active Directory

In Active Directory domains, special protection is provided by default to all members of specific default administrative groups, to minimize the risk of security compromise.

Active Directory Administrative Accounts / Groups protected by AdminSDHolder

Specifically, all direct and indirect (nested) members of a set of specific default administrative groups, such as Domain Admins, Enterprise Admins, Schema Admins, the built-in Administrators group, Account Operators, Server Operators, Backup Operators, Print Operators and a few others, are given special protection by the system, to reduce the likelihood of someone obtaining unauthorized access to the user accounts that belong to these groups.

The "system" does this by applying a special security descriptor on a specially designated object called AdminSDHolder. This special object resides in the "System" container in Active Directory domains and can be identified by the distinguished name, cn=AdminSDHolder,cn=System,dc=<domain>.

The security descriptor applied to this object is "protected", meaning that it does not inherit any permissions from its parent object. Its DACL is deliberately restrictive, and because that DACL is copied to every protected account, any ACE added to AdminSDHolder itself is in effect granted on all administrative accounts in the domain; the ACL of this one object therefore deserves the same scrutiny as the membership of the groups it protects.

The system runs a special process called SDProp (the Security Descriptor Propagator) on the domain controller that holds the PDC emulator role, by default every 60 minutes. This process takes the security descriptor (SD) on the AdminSDHolder object and applies it to all user, group and computer accounts that effectively belong to one or more of the protected administrative groups, marking each such object with adminCount=1 and disabling inheritance on it. Note that SDProp only adds this protection: when an account is later removed from a protected group, its adminCount value and the protected ACL stay in place until an administrator clears adminCount and re-enables inheritance on the object by hand.

This is intended to ensure that even if the user account of a member of one of these administrative groups resides in an OU that is under the administrative control of a delegated administrator, that delegated administrator does not obtain any administrative access to that user account; if he or she did, it would essentially allow him or her to elevate their privilege and become a more powerful administrator.


How to View the ACL on the AdminSDHolder Object in Active Directory

Sometimes administrative personnel need to be able to view the ACL protecting the AdminSDHolder object. Most often this is done to analyze what access is granted on this object, so that one can in turn determine what access is granted on all administrative accounts in the domain.

One of the most commonly used ways to view the ACL on the AdminSDHolder object is to use a tool, such as dsacls, that can display the ACL of an Active Directory object.

Using dsacls to view AdminSDHolder Permissions

Although dsacls can show the ACL of the object in a command-line format, sometimes it is helpful to be able to view the object's ACL in a GUI form, especially if a tool can help analyze the permissions in the object's ACL easily, such as by providing the ability to sort the object's ACL based on permission type.
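As an added example (not part of the original post, and not Gold Finger code), the following PowerShell runs the dsacls view described above, then reads the same ACL through the ActiveDirectory module's AD: drive and checks that every object SDProp has stamped with adminCount=1 actually carries the AdminSDHolder DACL. It assumes the RSAT ActiveDirectory module, dsacls.exe and read access to the domain partition; the ACE comparison key it uses is a simplification that ignores ACE ordering.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module, dsacls.exe, and read access to the domain partition.
Import-Module ActiveDirectory

$domainDN      = (Get-ADDomain).DistinguishedName
$adminSDHolder = "CN=AdminSDHolder,CN=System,$domainDN"

# 1. The command-line view the post mentions.
dsacls $adminSDHolder

# 2. The same security descriptor as objects, through the AD: drive.
$template = Get-Acl -Path "AD:\$adminSDHolder"

# The descriptor is supposed to be protected, i.e. it inherits nothing from CN=System.
if (-not $template.AreAccessRulesProtected) {
    Write-Warning 'AdminSDHolder DACL is not protected; inherited ACEs would be copied to every protected account.'
}

$template.Access |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritedObjectType, InheritanceType, IsInherited |
    Sort-Object IdentityReference |
    Format-Table -AutoSize

# 3. Every object SDProp has stamped with adminCount=1 should carry this DACL.
#    An ACE that is present on such an object but absent from the template means
#    either that SDProp has not run since the ACE was added (default interval on
#    the PDC emulator: 60 minutes) or that someone edited the object's ACL by hand.
function Get-AceKey {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    # Simplified identity for an ACE: ignores ordering within the DACL.
    '{0}|{1}|{2}|{3}|{4}|{5}' -f $Ace.IdentityReference.Value, $Ace.AccessControlType,
        $Ace.ActiveDirectoryRights, $Ace.ObjectType, $Ace.InheritedObjectType, $Ace.InheritanceType
}

$templateKeys = @{}
foreach ($ace in $template.Access) { $templateKeys[(Get-AceKey -Ace $ace)] = $true }

$protected = Get-ADObject -LDAPFilter '(adminCount=1)'
foreach ($obj in $protected) {
    $acl   = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    $extra = @($acl.Access | Where-Object { -not $templateKeys.ContainsKey((Get-AceKey -Ace $_)) })
    if ($extra.Count -gt 0 -or -not $acl.AreAccessRulesProtected) {
        [pscustomobject]@{
            Object        = $obj.DistinguishedName
            Class         = $obj.ObjectClass
            DaclProtected = $acl.AreAccessRulesProtected
            ExtraAceCount = $extra.Count
            ExtraAces     = ($extra | ForEach-Object { Get-AceKey -Ace $_ }) -join '; '
        }
    }
}
```

Run it from an account that can read the domain partition; no changes are written. Objects that appear in the final report either have not yet been visited by SDProp or have been modified after it ran, and both cases are worth a look.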

The 004 edition of our Gold Finger Active Directory Audit Tool is one such Active Directory ACL Viewer/Exporter/Analyzer that can help easily analyze Active Directory ACLs. It can of course also be used to view the ACL of the AdminSDHolder object -

Active Directory ACL Viewer - Simple View


If you click the View Details button, Gold Finger automatically shows all the permissions in their own columns, so that you can then easily analyze the entire ACL by permission type -

Gold Finger 003 Edition - World's Most Capable Active Directory ACL Viewer/Export/Dump Tool

In fact, it can be used to view the ACL of any Active Directory object in any partition. It also makes it very easy to export the entire ACL to a CSV file. It can also show you all the inheritance flags, as well as let you sort the ACL by type, security principal, inheritance and other relevant fields.

It thus helps analyze and maintain Active Directory security in your Windows Server environment.


All IT personnel who are responsible for administering Active Directory environments must be familiar with the AdminSDHolder object and the security specified in its ACL, because it determines the security afforded to all administrative accounts and groups, and that in turn determines the security afforded to the entire Active Directory deployment.

For more information on Active Directory Security, including Top Risks, Mitigations, Guides, Checklists, Tools, Technicals and other resources, please visit - http://www.paramountdefenses.com/active-directory-security

April 15, 2013

How to View Active Directory ACLs

Active Directory is the foundation of security in Microsoft Windows Server based IT environments.

It stores and protects all vital IT resources such as user accounts, security groups, computer accounts, service connection points etc. which are stored in Active Directory containers and organizational units (OUs.)

Active Directory Permissions in Active Directory Users and Computers Snap-In

Active Directory objects are protected by Active Directory security descriptors, which specify the object's owner and primary group, as well as a discretionary access control list (DACL) and a system access control list (SACL).

An Active Directory object's DACL contains individual security permissions, known as access control entries (ACEs), and each ACE allows or denies some access for some security principal, such as a user, a group or a well-known SID (security identifier). Together, the ACEs in an object's DACL protect the object, and together (along with the user's group memberships) they determine the actual set of Active Directory effective permissions granted to that user on the object.

IT administrators and IT analysts often have a need to be able to view and analyze Active Directory ACLs.

How to View and Analyze Active Directory Permissions

This is needed, for example, to inspect the set of all permissions granted in an object's ACL, or to perform Active Directory security analysis. It is also needed to identify advanced Active Directory security risks such as Active Directory privilege escalation, which can be exploited by insiders to obtain administrative access and take over Active Directory.

Unfortunately, it is not always easy to analyze Active Directory ACLs because the default Active Directory management tools do not provide lucid and clear insight into Active Directory ACLs. There are tools like dsacls that can help obtain a command-line view, but these views too are hard to easily analyze.

An Active Directory ACL displayed in the Advanced Security Settings Tab


At Paramount Defenses, we have built the world's most capable Active Directory Security Analysis tool called Gold Finger for Active Directory, which amongst other capabilities, features the world's most capable Active Directory ACL Viewer -


Active Directory ACL Viewer

Our ACL Viewer not only displays the complete ACL of an Active Directory object with clarity and completeness, it also offers an advanced view in which it breaks down the permissions in each ACE's access mask into individual columns, making it very easy to sort the entire ACL by a specific permission type, or by specific inheritance or other flags -


Active Directory ACL Viewer - Detailed View

The detailed view provides instantly actionable security information, which not only saves substantial time but can be easily acted upon to make security enhancements and lock down unauthorized access grants in Active Directory.
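The ACE structure described earlier in this post, and the "detailed view" that breaks each ACE's access mask into one column per permission type, can both be reproduced with the ActiveDirectory module. The PowerShell below is an added example, not part of the original post and not Gold Finger code; it assumes the RSAT ActiveDirectory module and read access to the domain, schema and configuration partitions, and $TargetDN is an assumed OU name used only for illustration. It also resolves the ObjectType and InheritedObjectType GUIDs to attribute, class and extended-right names, which is what makes object-specific ACEs readable.

```powershell
# Added example, not from the original post and not Gold Finger code. Assumes the
# RSAT ActiveDirectory module and read access to the domain, schema and
# configuration partitions. $TargetDN is a placeholder OU; change it as needed.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$TargetDN = "OU=Servers,$($rootDse.defaultNamingContext)"   # assumed OU, for illustration

# Map schema and extended-right GUIDs to names so object-specific ACEs are readable.
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]::new([byte[]]$_.schemaIDGUID)).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
             -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = $_.displayName }

function Resolve-AceGuid {
    param([guid]$Guid, [hashtable]$GuidMap, [string]$WhenEmpty)
    if ($Guid -eq [guid]::Empty) { return $WhenEmpty }
    $name = $GuidMap[$Guid.ToString()]
    if ($name) { $name } else { $Guid.ToString() }
}

function Expand-AdAce {
    # One row per ACE; every bit of ActiveDirectoryRights becomes its own Boolean
    # column, so the ACL can be sorted or filtered by permission type.
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace, [hashtable]$GuidMap)
    $objectType = Resolve-AceGuid -Guid $Ace.ObjectType -GuidMap $GuidMap -WhenEmpty '(all)'
    $appliesTo  = Resolve-AceGuid -Guid $Ace.InheritedObjectType -GuidMap $GuidMap -WhenEmpty '(any class)'
    $row = [ordered]@{
        Identity        = $Ace.IdentityReference.Value
        AceType         = $Ace.AccessControlType
        ObjectType      = $objectType
        AppliesTo       = $appliesTo
        InheritanceType = $Ace.InheritanceType
        IsInherited     = $Ace.IsInherited
        Rights          = $Ace.ActiveDirectoryRights
    }
    foreach ($right in [enum]::GetValues([System.DirectoryServices.ActiveDirectoryRights])) {
        # A combined right such as GenericAll is true only if all of its bits are set.
        $row[$right.ToString()] = (($Ace.ActiveDirectoryRights -band $right) -eq $right)
    }
    [pscustomobject]$row
}

$acl  = Get-Acl -Path "AD:\$TargetDN"
$rows = @($acl.Access | ForEach-Object { Expand-AdAce -Ace $_ -GuidMap $guidMap })

# Detailed view: one column per permission type, sortable.
$rows | Sort-Object Identity |
    Format-Table Identity, AceType, ObjectType, GenericAll, WriteDacl, WriteOwner,
                 WriteProperty, ExtendedRight -AutoSize

# Which ACEs grant a given permission type, directly or as part of a combination?
# Here: anything that lets the holder change the object's own permissions or owner.
$rows | Where-Object { $_.AceType -eq 'Allow' -and ($_.WriteDacl -or $_.WriteOwner) } |
    Select-Object Identity, ObjectType, InheritanceType, IsInherited

# Export the broken-down ACL for offline review.
$rows | Export-Csv -Path ('.\acl-{0}.csv' -f ($TargetDN -replace '[^A-Za-z0-9]', '_')) -NoTypeInformation
```

The Boolean columns test whether all bits of each named right are set, so a row shows WriteDacl as true whether the ACE grants WriteDacl alone or as part of GenericAll. Resolving ObjectType matters: an ACE granting WriteProperty on a single attribute and one granting WriteProperty on every attribute look identical until the GUID is named.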


A Demo of our Active Directory ACL Viewer

Here is a demo of our Active Directory ACL Viewer, which shows both the simple view and the detailed view mentioned above -




Our Active Directory ACL Viewer can be used to view, analyze and export the ACL of any Active Directory object in any Active Directory partition. A related capability, the ACL Exporter can also be used to dump the ACLs of all objects in an Active Directory tree, and the Permissions Analyzer capability can be used to find out who has what permissions in Active Directory. In addition, its effective permissions capability can be used to determine effective permissions in Active Directory, which is the only way to correctly audit Active Directory permissions, and its effective delegated access reporting capability can be used to find out who is delegated what administrative tasks where in Active Directory.

For more information on Gold Finger's ACL Viewer capabilities, and to download a free trial, please visit our website, or Google "Gold Finger for Active Directory"

March 6, 2013

How to View Active Directory Permissions

Active Directory permissions protect Active Directory objects from unauthorized access, and enable IT administrators to precisely control who has access to what in Active Directory.

Active Directory permissions are specified in Active Directory ACLs and IT admins often have a need to be able to view, analyze and export Active Directory permissions, whether to analyze access grants, or to lock down Active Directory access or to control access to Active Directory content.

How to View Active Directory Permissions

The default way to view Active Directory permissions is via the Security tab, accessed by right-clicking an object in the Active Directory Users and Computers snap-in or in the Active Directory Administrative Center console.

However, it can be a challenge to view and analyze Active Directory permissions using the Security Tab, because it unfortunately does not provide a complete and easily analyzable view of the ACL of the Active Directory object -

Active Directory Advanced Permissions

For example, the most common problem with it is that it is very difficult to find out exactly which security permissions are granted by which access control entries (ACEs) in the ACL, and that makes it very difficult to analyze Active Directory permissions, especially when you are trying to find out who is delegated what access on an Active Directory object, or when performing an Active Directory delegation audit.

This information can also be obtained using other Microsoft security tools such as dsacls, but even with dsacls, it is not easy to get an easily sortable breakdown of all the permissions granted by each ACE in an Active Directory object's ACL. There are also some 3rd party tools like LIZA that provide an advanced view, but they do not provide a breakdown of all the individually possible permissions in an Active Directory object's ACL.

How to Easily View Active Directory Permissions

With our Gold Finger Microsoft Active Directory Audit Tool, IT administrators can now instantly view, analyze and export ACLs with unmatched ease and clarity, as well as obtain detailed views of the individual permissions granted in Active Directory ACLs -

Active Directory ACL / Permissions Viewer

The ability to view the ACL in its entirety makes it much easier to analyze ACLs and permissions, and the availability of the detailed view makes it very easy to identify which ACEs in the ACL end up granting a specific permission type, such as Extended Rights permissions, or Write Property permissions.

This information is also often needed when performing an Active Directory delegation audit, or when relying on an Active Directory Audit Checklist to perform an Active Directory Audit.

Armed with this information, IT admins can easily and instantly analyze Active Directory ACLs and make accurate and well-informed decisions based on clear and detailed insight into all aspects of access rights granted in an Active Directory object's ACL.

For more information on the Active Directory ACL Viewer capabilities of our Gold Finger audit tool for Active Directory, including a free 21-day trial, please visit - http://www.paramountdefenses.com/products/active-directory-audit-tool/capabilities/acl-viewer-and-exporter.html.

February 15, 2013

How to view Active Directory ACLs and Permissions

Active Directory stores and protects vital content such as user accounts, security groups, computer accounts, and service connection points. Content in Active Directory is typically stored in OUs and containers, and all content is protected by Active Directory ACLs.

Each Active Directory ACL contains one or more ACEs, each of which grants or denies some Active Directory security permission for a user, an Active Directory security group or for a well-known SID such as Everyone, Authenticated Users etc.

Active Directory ACL

IT admins often need to be able to view Active Directory ACLs as well as export/dump Active Directory permissions so as to be able to analyze Active Directory security from time to time.

IT admins usually utilize tools like dsacls, dsrevoke, acldiag, etc. to try and view AD ACLs, but these tools seldom provide the granularity that is needed to view and analyze AD ACLs completely.

The World's Best Active Directory Audit Tool

The Gold Finger Active Directory Audit Tool from Paramount Defenses is the world's best Active Directory security analysis tool. One of its capabilities includes an Active Directory ACL viewer -


Active Directory Audit Tool
 
Gold Finger's ACL Viewer is the world's most capable ACL viewer because, in addition to displaying the complete ACL, it can break down the permissions and the flags fields of an ACL into individual columns. This allows administrators to easily sort Active Directory ACLs by permission type and thus instantly audit Active Directory rights and identify all ACEs that grant a specific type of permission, whether directly or as a combination of permissions.

In addition to an ACL viewer, Gold Finger also features other Active Directory security analysis and Active Directory Audit capabilities such as the ability to determine Active Directory effective permissions, and generate fully automated effective Active Directory delegated access reports.

When it comes to Active Directory Audit Tools, Gold Finger is quite simply the world's most powerful and capable Active Directory audit tool. No other tool in the world comes even close.

For more information, and to download a free trial, please visit -
http://www.paramountdefenses.com/goldfinger.