ActiveDirSec.Org

The world's most trusted forum on Active Directory Security

Member

Posts: 15
Date: Dec 3, 2010
How to determine where all a domain security group has permissions in our Active Directory?


Hello Everyone,

As a part of our internal security assessment review process, we would like to find out where all some of our delegated admin domain security groups have permissions in our Active Directory. We are basically trying to find out who has what rights in our Active Directory, and this seemed like a logical place to start.

If you have any suggestions as to how we could find out where all security groups might have permissions in Active Directory, I would appreciate your input.

Thank you,
Joe



__________________
Don't mess with my Alienware!


Member

Posts: 10
Date: Jun 15, 2011
How to determine where all a domain security group has permissions in our Active Directory?


Hi Joe,

The answer to your question depends on whether you are trying to find out who has what permissions in your Active Directory (AD), or whether you are trying to find out who has what effective permissions in your AD.

I say that because there is a very subtle yet very big difference between the two.

As you know, in any AD, there are thousands of permissions granted to many users, groups and well-known security principals. These permissions reside in the access control lists (ACLs) of AD objects, and many of them are there by default.

In addition, when we delegate access, we end up introducing more permissions in AD. For example, when we delegate authority, we typically delegate it on an OU, and as a result, a number of permissions get added in the ACL of all objects in that OU. However, depending on the delegation not all permissions may be applicable on every object.

Also, because permissions can be of different types (allow/deny), no single permission by itself controls/influences what a user/member of a group can do, but in fact, all permissions together control/influence what someone can do.

That is why there is a difference between finding/listing where all a group has permissions and trying to determine what access members of that group actually have.

If you are wanting to find out who can do what in your AD, then you need to determine what is called effective/resultant-access in Active Directory.

On the other hand, maybe you are just wanting to find out where all a group has permissions so that you can remove any explicit permissions granted to that group, in which case it is sufficient to perform a basic permissions search.

Performing a basic permissions search is easy, but determining resultant-access in AD is unfortunately substantially more difficult because AD's security model is quite complex.

Just remember the mantra: "Where all a user has permissions IS NOT EQUAL TO what all the user can actually do."

/Simone



-- Edited by Simone on Wednesday 15th of June 2011 05:22:52 PM

__________________

Women's eyes have pierced more hearts than ever did the bullets of war.



Member

Posts: 6
Date: Jul 20, 2012
RE: How to determine where all a domain security group has permissions in our Active Directory?


Hi Simone,

I must say thanks for your informative post. We've been struggling with this issue for quite some time now, and have thus come to see the problem a little more closely for ourselves.

We initially only used to look for permissions that gave someone Reset Password rights, but then one day, while trying to validate our findings, we realized that a user who was not supposed to have this access did have it, and none of the permissions we had evaluated gave him that access, so we were a bit perplexed.

As we started looking deeper, we came across a permission granted to a group, which had a nested group in it, and this user belonged to that group, and this permission was for All Extended Rights. Then it dawned on us that we had to take all the other permissions into account as well!

We're still looking for an easy way to solve this critical problem, which quite frankly has become a headache to solve, so I'd be curious to know how you are solving this problem in your environment.

Thanks,

George.



__________________
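To make the distinction Simone draws (a basic permissions search versus effective access) and the nested-group "All Extended Rights" surprise George describes concrete, here is an added example that is not part of the thread. It models a single constructed DACL and constructed group nesting; the only real identifier is the schema GUID of the User-Force-Change-Password (Reset Password) control access right.

```python
from dataclasses import dataclass

# Real schema GUID of the User-Force-Change-Password control access right
# (the "Reset Password" extended right). An empty object type on an ACE
# means it covers ALL extended rights, which includes this one.
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"

@dataclass(frozen=True)
class Ace:  # every constructed ACE here carries the CONTROL_ACCESS bit
    trustee: str      # user or group named in the ACE
    allow: bool       # True = Allow ACE, False = Deny ACE
    object_type: str  # extended-right GUID, or "" for all extended rights
    inherited: bool   # inherited from a parent OU rather than set explicitly

# Constructed nested membership: principal -> groups it is a direct member of.
GROUPS = {
    "alice": {"Tier2-Helpdesk"}, "Tier2-Helpdesk": {"Helpdesk-All"},
    "carol": {"Tier1-Helpdesk", "Contractors"},
}

# Constructed DACL of one user object under a delegated OU.
ACLS = {"CN=Bob,OU=Sales,DC=corp,DC=example": [
    Ace("Contractors", False, RESET_PASSWORD, inherited=False),  # explicit deny
    Ace("Tier1-Helpdesk", True, RESET_PASSWORD, inherited=True),  # what a Reset Password search finds
    Ace("Helpdesk-All", True, "", inherited=True),                 # All Extended Rights
]}

def token_groups(principal):
    """Expand nested group membership into every identity the user carries."""
    seen, stack = {principal}, [principal]
    while stack:
        for g in GROUPS.get(stack.pop(), ()):
            if g not in seen:
                seen.add(g)
                stack.append(g)
    return seen

def trustees_with_reset_password(acls):
    """Basic permissions search: who is granted an ACE for the Reset Password right."""
    return sorted({a.trustee for aces in acls.values() for a in aces
                   if a.allow and a.object_type == RESET_PASSWORD})

def can_reset_password(acls, dn, user):
    """Effective access for one user on one object: ACEs are evaluated in canonical
    order (explicit before inherited, Deny before Allow); the first one that applies
    to any identity in the user's token decides."""
    ids = token_groups(user)
    for a in sorted(acls[dn], key=lambda a: (a.inherited, a.allow)):
        if a.trustee in ids and a.object_type in ("", RESET_PASSWORD):
            return a.allow
    return False  # no applicable ACE: implicit deny
```

The search for Reset Password ACEs returns only Tier1-Helpdesk, yet alice can reset Bob's password through Helpdesk-All's inherited All Extended Rights ACE reached via nesting, while carol cannot despite her Tier1-Helpdesk allow because the explicit deny on Contractors is evaluated first.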


Member

Posts: 10
Date: Feb 5, 2013
RE: How to determine where all a domain security group has permissions in our Active Directory?


Hi George,

Trying to find out who really has what effective rights in Active Directory is a very difficult problem.

I think most Windows and Active Directory admins and IT analysts have struggled with this for quite some time now. This is also an area that is poorly understood by many, so it is very easy to end up with wrong information based on inaccurate advice.

Up until recently there was no easy way to find this out in an easy/efficient manner. About a year ago, we came across this solution that seems to have made it easy/efficient to solve this problem. 

We have been using it for over a year now, and are happy with it. It seemed a little expensive at first, but given how much time, effort and headache it has saved us, it has been quite worth it I think.

/Simone



__________________

Women's eyes have pierced more hearts than ever did the bullets of war.
