The world's most trusted forum on Active Directory Security
Hello. I would like to know how to go about analyzing the ACL on the Domain Admins group in the Active Directory.
I want to find out who can change the membership of the Domain Admins group in our Active Directory. In order to do so, as far as I understand, I have to determine who can modify the member attribute.
Now the problem is that there are many permissions specified, and many of them are of type Special. In addition, some grant Full Control, and others grant Write Property, but no property is specified.
The easiest ones to identify were the ones we set, which have Write Property on the Member attribute, but all the other permissions are making it very difficult to find out who can change the Domain Admins group membership.
It would be very helpful if there was a way to see exactly which security permissions grant what rights on an Active Directory object, as that would make my life so much easier.
Does anyone know of a way to do this?
Thank you very much in advance.
One day I too shall have an Aston Martin Mr. Bond!
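An added example, not code from any post in this thread, of how the sorting described above can be scripted: it reads the DACL of the Domain Admins group and flags the ACEs that can write the member attribute, whether through a Special (object-specific) entry, Write Property with no property named, Full Control, or the Membership property set. It assumes the ActiveDirectory PowerShell module and a domain-joined session; the GUID of the member attribute and of the Membership property set are looked up in the directory rather than hard-coded.

```powershell
# Added example (not from the thread): classify the ACEs on the Domain Admins group that
# let a trustee change its membership (write the 'member' attribute), directly or indirectly.
# Assumptions: ActiveDirectory module loaded, domain-joined session, AD: drive available.
# This reads the DACL only; effective permissions (group nesting, deny precedence) still
# have to be evaluated per trustee.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$domain  = Get-ADDomain
# Domain Admins always has RID 512, so look it up by SID instead of by (localisable) name.
$groupDn = (Get-ADGroup -Identity "$($domain.DomainSID)-512").DistinguishedName

# Resolve the 'member' attribute GUID from the schema and the 'Membership' property set
# GUID from the Extended-Rights container instead of hard-coding them.
$memberGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID).schemaIDGUID
$membershipSetGuid = [guid](Get-ADObject `
    -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(name=Membership)' -Properties rightsGuid).rightsGuid

$R   = [System.DirectoryServices.ActiveDirectoryRights]
$acl = Get-Acl -Path "AD:\$groupDn"

# Inherit-only ACEs exist to propagate to child objects and do not apply to the group itself.
$applicable = $acl.Access | Where-Object {
    -not $_.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)
}

$findings = foreach ($ace in $applicable) {
    $rights = $ace.ActiveDirectoryRights
    $why = $null
    if     ($rights.HasFlag($R::GenericAll))    { $why = 'GenericAll (Full Control)' }
    elseif ($rights.HasFlag($R::GenericWrite))  { $why = 'GenericWrite (all properties)' }
    elseif ($rights.HasFlag($R::WriteProperty)) {
        # An empty ObjectType means 'all properties'; otherwise it names one attribute or a property set.
        if     ($ace.ObjectType -eq [guid]::Empty)      { $why = 'WriteProperty, no property named (all)' }
        elseif ($ace.ObjectType -eq $memberGuid)        { $why = 'WriteProperty on member' }
        elseif ($ace.ObjectType -eq $membershipSetGuid) { $why = 'WriteProperty on Membership property set' }
    }
    # WriteDacl / WriteOwner do not touch membership directly, but the holder can rewrite the ACL.
    if (-not $why -and ($rights.HasFlag($R::WriteDacl) -or $rights.HasFlag($R::WriteOwner))) {
        $why = 'WriteDacl/WriteOwner (can change the ACL itself)'
    }
    if ($why) {
        [pscustomobject]@{
            Trustee   = $ace.IdentityReference
            Type      = $ace.AccessControlType   # Allow or Deny; Deny entries take precedence
            Reason    = $why
            Inherited = $ace.IsInherited
        }
    }
}
$findings | Format-Table -AutoSize
```

The output lists ACEs, not effective permissions: a trustee that is a group still has to be expanded, and a Deny entry for the same trustee overrides a matching Allow.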
Have you considered using the Microsoft dsacls.exe / dsreporter.exe tools?
I believe you should be able to view the ACL using either of these tools.
I’m sorry, but having a DB9 on the drive and not driving it is a bit like having Keira Knightley in your bed and sleeping on the couch.
Thanks. Yes, we did try most of the tools available out there. They all seem to show us who has what permissions in the ACL, but what we're looking for is to see who can actually modify the membership of the Domain Admins group.
Having looked at this a little closer, I think what we need to do is find out who has what effective permissions on the Domain Admins group, and none of the tools that we came across seemed to be able to show us effective permissions on Active Directory objects.
So I suppose we're looking for something that can help us show Effective Permissions, not for something that can help us show just the permissions as they are in the ACL, as dsacls can already show us that.
In light of this clarification, I welcome everyone's thoughts.
Thank you for your help in advance.
Have you checked out checkdsacls? I believe it can export ACLs from Active Directory, so you may be able to use it to analyze the ACL on your Domain Admins group.
Just a helpful pointer.
Music is the soul of life! & IT Management Best-Practices
Thanks for your help brother. We have actually found a good tool to view and analyze our Active Directory ACLs and are quite happy with it. The tool can be found here.
We happened to come across it almost accidentally, while Googling "How to View and Analyze Active Directory ACLs and SACLs", and it's worked out very well for us. We've been able to perform detailed inspections of our ACLs, including looking at all the individual security permissions granted in all the ACEs in our Active Directory ACLs.
Thanks everyone for your inputs - I appreciate it.
Peace to all,