The world's most trusted forum on Active Directory Security
We are in search of a reliable Active Directory Effective Permissions Tool to fulfill an internal security audit need that has come up in light of a new Cyber Security Preparedness initiative, which is currently underway in our organization.
(We have a new CISO who was recently hired to improve our Cyber Security posture, and he has identified Active Directory as a key area to focus on, given that it is a core part of our identity and access management infrastructure.)
We have been asked to figure out and report on the list of all IT personnel (serving and on sabbatical) who have administrative powers on certain key Active Directory objects, including all admin groups, the System container, the domain root object, the default Domain Controllers OU and all our administrative accounts.
Upon doing some research, it appears that in order to figure this out, we basically just need to determine effective permissions on these objects. That seemed to make logical sense, and I suppose that's why the inbuilt Effective Permissions Tab in ADUC is for. However, we have found it to be hopelessly useless to use, in that it needs us to put in each user's identity to determine what access he/she has. We have over 2000 accounts in our AD, so I'm not sure how we can do this even if we were super strong-willed. Also, it just seems to check a couple of check-boxes adjacent to certain permissions, so I'm not sure how to determine effective access based on that.
So, we are looking for alternatives to the inbuilt Effective Permissions Tab so we can fulfill this need in the allocated time (we have 2 weeks to deliver our report) and thus far have not had too much luck. I suppose we could buy an additional week or two, but I hope this is easily solvable.
We don't have too much experience in trying to do this, as thus far we've just dabbled with the ADUC permissions editor as the need was mostly just to do delegations and provision access.
If anyone knows of a reliable easy-to-use tool to do this, I would sincerely appreciate your help.
We Support Our Troops.
You are correct that in order to determine and report on who has what administrative powers on an Active Directory object, one needs to determine true effective permissions on these objects. You are also correct that the Effective Permissions Tab in Active Directory is not of much use in this regard.
I don't know if you've tried to determine effective permissions on Active Directory objects manually, but if you (or your team members) have, then I think you'll agree that this is actually a difficult and time-consuming process that requires detailed expertise and attention to detail.
This is primarily because in order to determine effective permissions in Active Directory, one needs to take into account all the access rights specified in the target object's ACL (access control list), and based on numerous factors, such as inheritance of permissions, conflict resolution, permissions applicability etc., ultimately determine who has what effective access on the object.
As you can imagine, this is neither easy nor straight-forward. On average, in my experience, it takes anywhere from 15 to 30 minutes per object to try and correctly determine effective permissions on an Active Directory object. So, even if you have just 100 important objects (all admin accounts, partition roots, System container, important OUs etc.), you're looking at around 50 hours of painstaking work each time you need to determine effective permissions on them.
Given the complexity involved and the time requirement, it is thus usually best to use a dedicated tool for this purpose, as it can save a lot of valuable time and prevent a headache.
I don't know if you're still looking, but if you are, let me know if you'd like me to provide some recommendations on an Effective Permissions tool, and I'd be happy to do so.
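The answer above describes why effective permissions are hard to work out by hand: every ACE in the object's ACL has to be weighed against group membership (including nested groups), inheritance, deny/allow conflict resolution and object-type applicability. The following is an added example, not code from either poster, that models those rules in a small Python evaluator over a constructed ACL. The rights flags, group names, users and the "Domain Controllers OU"-like ACL are all made-up sample data, and the rights are a toy subset of the real AD access mask; the evaluation order follows the Windows canonical DACL order (explicit deny, explicit allow, inherited deny, inherited allow) with first-match-per-bit semantics.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed subset of access rights as bit flags (not the real AD access-mask values).
READ = 0x01
WRITE_PROP = 0x02
WRITE_DACL = 0x04      # modify permissions: a classic "administrative power"
WRITE_OWNER = 0x08
DELETE = 0x10
CREATE_CHILD = 0x20
FULL_CONTROL = READ | WRITE_PROP | WRITE_DACL | WRITE_OWNER | DELETE | CREATE_CHILD
ADMIN_POWER = WRITE_DACL | WRITE_OWNER  # what this toy report treats as "admin power"


@dataclass(frozen=True)
class Ace:
    """One access control entry. object_type=None means the ACE covers the whole object."""
    trustee: str
    allow: bool
    mask: int
    inherited: bool = False
    object_type: Optional[str] = None


def expand_groups(principal: str, membership: Dict[str, Set[str]]) -> Set[str]:
    """Transitive group membership, including the principal itself (nested groups count)."""
    seen, stack = {principal}, [principal]
    while stack:
        for group in membership.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def canonical_order(acl: Iterable[Ace]) -> List[Ace]:
    """Windows canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.allow))


def effective_rights(principal: str, acl: Iterable[Ace], membership: Dict[str, Set[str]],
                     object_type: Optional[str] = None) -> int:
    """First matching ACE wins per right bit: a bit denied earlier cannot be allowed later,
    and a bit allowed earlier (e.g. an explicit allow) is not taken away by an inherited deny."""
    identities = expand_groups(principal, membership)
    allowed = denied = 0
    for ace in canonical_order(acl):
        if ace.trustee not in identities:
            continue  # ACE does not apply to this principal or any of its groups
        if ace.object_type is not None and ace.object_type != object_type:
            continue  # property-specific ACE for a different property: not applicable
        if ace.allow:
            allowed |= ace.mask & ~denied
        else:
            denied |= ace.mask & ~allowed
    return allowed


def who_has(acl: Iterable[Ace], membership: Dict[str, Set[str]], principals: Iterable[str],
            right: int, object_type: Optional[str] = None) -> List[str]:
    """Report every principal whose effective rights include all bits of `right`."""
    return sorted(p for p in principals
                  if effective_rights(p, acl, membership, object_type) & right == right)


# Constructed sample directory: names and memberships are made up.
MEMBERSHIP = {
    "alice": {"Tier0-Admins", "Authenticated Users"},
    "bob": {"Helpdesk", "Authenticated Users"},
    "carol": {"Tier0-Admins", "Sabbatical", "Authenticated Users"},  # admin, on leave
    "Tier0-Admins": {"Domain Admins"},  # nested group
}

# Constructed ACL for a "Domain Controllers OU"-like object (order is deliberately scrambled).
DC_OU_ACL = [
    Ace("Authenticated Users", True, READ, inherited=True),
    Ace("Helpdesk", False, READ, inherited=True),  # inherited deny, loses to explicit allow
    Ace("Domain Admins", True, FULL_CONTROL),
    Ace("Helpdesk", True, READ),
    Ace("Helpdesk", True, WRITE_PROP, object_type="description"),
    Ace("Sabbatical", False, FULL_CONTROL & ~READ),  # explicit deny for staff on leave
]
USERS = ["alice", "bob", "carol"]

if __name__ == "__main__":
    for user in USERS:
        print(f"{user}: 0x{effective_rights(user, DC_OU_ACL, MEMBERSHIP):02x}")
    print("admin power on DC OU:", who_has(DC_OU_ACL, MEMBERSHIP, USERS, ADMIN_POWER))
```

Running it shows the three effects the answer lists: alice gets Full Control through the nested Tier0-Admins membership in Domain Admins; carol is in the same nested chain but the explicit deny on the Sabbatical group strips everything except Read; bob keeps Read because his explicit allow beats the inherited deny, and only gains Write Property when the question is asked for the "description" property. The report function is the shape of output the question asks for: a list of who holds a given power on a given object, computed per object rather than per user.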