Active Directory Effective Permissions
– The Keys to Privileged Access Worldwide
It is Active Directory Effective Permissions that govern exactly who has what privileged access in every Active Directory deployment worldwide.
Privileged Access is the new holy grail for perpetrators for in it lie the Keys to the Kingdom, and it is Active Directory Effective Permissions that determine exactly who has what privileged access in Active Directory deployments worldwide.
Specifically, it is not "Who has what permissions in Active Directory" but in fact that determines who actually has what privileged access in any and every Active Directory deployment.
Active Directory
Effective Permissions
Active Directory Effective Permissions are the actual (resulting) set of permissions that a user is actually granted (i.e. allowed) on an Active Directory object, in light of accurately considering the collective impact of all the security permissions specified in the access control list (ACL) of that Active Directory object.
Not a single object in Active Directory can be secured without Active Directory Effective Permissions.
Consequently, not a single Active Directory deployment in the world can be secured without possessing the capability to accurately determine effective permissions in Active Directory, which is why this is paramount to cyber security globally.
Understanding AD Effective Permissions
Active Directory Effective Permissions are best understood with a few illustrative examples –
A Simple Example
Assume that a user John Doe is a member of Domain Admins.
Next, assume that the following is the complete ACL protecting the CEO's domain user account in Active Directory -
Explicit Deny Helpdesk Team All Extended Rights
Explicit Allow Domain Admins Full Control
Question: Will John Doe be able to reset the CEO's password?
Popular Answer: Yes. (If you rely on a permissions analysis tool to make this determination, you'll always get Yes for an answer.)
Correct Answer: It depends on whether or not John Doe is also a member of the Helpdesk Team. If he is, the answer is No.
A Slightly Advanced Example
Now, assume that the following is the complete ACL protecting the CEO's domain user account in Active Directory -
Inherited Deny Helpdesk Team All Extended Rights
Explicit Allow Domain Admins Full Control
Question: Will John Doe be able to reset the CEO's password?
Answer : Yes (Even if John is a member of Helpdesk Team.)
Reason :
An Advanced Example
Assume that a user John Doe is a member of Domain Admins and the Helpdesk Team, and that Helpdesk Team is in turn a member of IT Contractors, which is a member of Global Admins.
Now assume that the following is the complete ACL protecting the CEO's domain user account in Active Directory -
Inherited Deny Helpdesk Team All Extended Rights
Inherited Allow Global Admins Reset Password
Explicit Deny IT Contractors Special
Explicit Allow Domain Admins Full Control
Question: Will John Doe be able to reset the CEO's password?
Correct Answer: To answer this question, we need to take into account the of all the permissions in the ACL. In other words, we will need to determine effective permissions.
A Real-World Example
Assume that a user John Doe is a member of numerous (e.g. 30+) domain security groups, many of which are members of other security groups, some of which are circularly nested.
Now assume that there are 100 permissions in the ACL -
Inherited Deny Helpdesk Team All Extended Rights
Inherited Allow Global Admins Reset Password
...
Explicit Deny IT Contractors Special
Explicit Allow Domain Admins Full Control
Question: Will John Doe be able to reset the CEO's password?
Correct Answer: To answer this question, we need to take into account the of 100+ permissions in the ACL, which involves a lot, including fully expanding 100+ security groups, dynamically evaluating well-known security principals, considering object types, intersecting conflicting permissions etc.
Very Difficult
The accurate determination of effective permissions in Active Directory is very difficult and involves many factors, such as -
There are a dozen Active Directory Security permissions.
There are 75+ specific Active Directory extended rights.
There are 150+ unique classes and 1000+ unique attributes in the base Active Directory Schema alone.
Permissions can be inherited or explicit, allowed or denied, applicable or not applicable depending on object-type.
Permissions can be granted to user accounts, computer accounts, security groups, foreign security principals or well-known security principals.
Domain security group memberships can be nested, to numerous levels, and possibly be circularly nested.
Well known security principals like Authenticated Users, Domain Users etc. need to be dynamically evaluated.
All such factors need to be included with 100% accuracy.
Difficult Yet Paramount
Factually, the outcome of every single access request on every object in Active Directory depends on effective permissions.
Without the ability to accurately determine effective permissions on Active Directory objects, organizations cannot adequately secure even a single Active Directory object.
Effective permissions are so fundamental to Active Directory security that of the three tabs in all of Microsoft's native Active Directory management tooling, one is for effective permissions.
Unfortunately, Microsoft's effective permissions tab is not only inaccurate, it is substantially inadequate, and thus hardly usable.
To make matters worse, most IT personnel at most organizations worldwide do not even know what effective permissions are, let alone their paramount importance, and to this day, resort to performing simple inaccurate permissions analysis.
Active Directory effective permissions are paramount to Active Directory Security, and thus to organizational cyber security.
The Key to all Privileged Access in Active Directory
The only way to correctly assess (i.e. identify/audit) exactly who has what privileged access in Active Directory, such as who can do the following, is by determining Active Directory effective permissions -
Who can modify permissions on AdminSDHolder?
Who can change the Domain Admins' group membership?
Who can reset the password of every Domain Admin?
Who can create accounts and groups in Active Directory?
Who can delete entire OUs full of thousands of objects?
Who can replicate passwords out of Active Directory?
Who can manage all accounts, control all groups etc.?
The key to identifying all privileged access in Active Directory thus lies in being able to determine effective permissions.
The Only Correct Way
There is only one correct way to accurately determine (assess/identify) exactly who has what access in Active Directory, both privileged and non-privileged, and that is by accurately determining effective permissions in Active Directory.
Gold Finger
Gold Finger is the only tool in the world that can accurately determine effective permissions in Active Directory.
Not only can it instantly, automatically and accurately determine effective permissions on any Active Directory object in the world, it can also instantly do so* on thousands of Active Directory objects, domain-wide, at the touch of a button.
Active Directory Effective Permissions
based Privileged Access Assessment Tools
The following Active Directory privileged access assessment tools incorporate accurate Active Directory Effective Permissions analysis –
Our Global Customers
Your Privacy
We use cookies to provide you the best online experience. Please let us know if you accept these cookies.
