March 6, 2013

How to View Active Directory Permissions

Active Directory permissions store and protect Active Directory objects from unauthorized access, and enable IT administrators to precisely control who has access to what in Active Directory.

Active Directory permissions are specified in Active Directory ACLs and IT admins often have a need to be able to view, analyze and export Active Directory permissions, whether to analyze access grants, or to lock down Active Directory access or to control access to Active Directory content.

How to View Active Directory Permissions

The default view to view Active Directory permissions is via the Security Tab that can be accessed by right-clicking on objects in Active Directory Users and Computers Snap-In or in the Active Directory Administrative Center Console.

However, it can be a challenge to view and analyze Active Directory permissions using the Security Tab, because it unfortunately does not provide a complete and easily analyzable view of the ACL of the Active Directory object -

Active Directory Advanced Permissions

For example, the most common problem with it is that it is very difficult to find out exactly which security permissions are granted by which access control entries (ACEs) in the ACL, and that makes it very difficult to analyze Active Directory permissions, especially when you are trying to find out who is delegated what access on an Active Directory object, or when performing an Active Directory delegation audit.

This information can also be obtained using other Microsoft security tools such as dsacls, but even with dsacls, it is not easy to get an easily sortable breakdown of all the permissions granted by each ACE in an object's Active Directory object's ACL. There are also some 3rd party tools like LIZA that provide an advanced view, but they do not provide a break down of all the individually possible permissions in an Active Directory object's ACL.

How to Easily View Active Directory Permissions

With our Gold Finger Microsoft Active Directory Audit Tool, IT administrators can now instantly view, analyze and export ACLs with unmatched ease and clarity, as well as obtain detailed views of the individual permissions granted in Active Directory ACLs -

Active Directory ACL / Permissions Viewer

The ability to view the ACL in its entirety makes it much easier to analyze ACLs and permissions, and the availability of the detailed view makes it very easy to identify which ACEs in the ACL end up granting a specific permission type, such as Extended Rights permissions, or Write Property permissions.

This information is also often needed when performing an Active Directory delegation audit, or when relying on an Active Directory Audit Checklist to perform an Active Directory Audit.

Armed with this information, IT admins can easily and instantly analyze Active Directory ACLs and make accurate and well-informed decisions based on clear and detailed insight into all aspects of access rights granted in an Active Directory object's ACL.

For more information on the Active Directory ACL Viewer capabilities of our Gold Finger audit tool for Active Directory, including a free 21-day trial, please visit - http://www.paramountdefenses.com/products/active-directory-audit-tool/capabilities/acl-viewer-and-exporter.html.