Paramount Defenses Company | Leadership | Products | Solutions | Partners | Privileged Access Insight | Support | News | Careers | Blog | Contact 100%
Our Global Customers - Cyber Security Thought Leaders
Gold Finger  
for Active Directory  
Gold Finger
| Security
Audit Tool
| Membership
Reporting Tool
| Token-Size
| ACL Viewer
& Exporter
| Permissions
| Effective Permissions 
& Access Calculator
| Administrative Access 
& Delegation Audit Tool
| Gold Finger
| Golden

Gold Finger Accuracy Illustration

An Illustration that depicts why assessing effective permissions (RSOP) in Active Directory is so difficult.

Consider the following Active Directory access control list (ACL) protecting the CEO's user account –

Can you accurately determine who has what effective permissions on the CEO's account or who is delegated what administrative tasks on the CEO's account?

     (It's not easy, is it?)

Here's why

In order to accurately determine effective permissions and effective delegated access in Active Directory, you have to take numerous factors into account when analyzing an AD access control list (ACL), such as, but not limited to –

1. Numerous Users and Groups

There are permissions specified for numerous users, security groups and well-known security principals

2. Transitive Memberships

Security groups may be deeply nested, in effect specifying access for numerous individuals

3. Over 70 Kinds of Permissions and Rights

There are over 70 different kinds of permissions and rights that could be specified for security principals

4. Conflicting Permissions

A user or a security group may be granted permissions in one ACE but denied the very same permissions in another ACE

5. Precedence Orders

Explicit permissions will override inherited permissions

6. Ineffective Permissions

Permissions specified in an ACE may or may not control access depending on the nature of the ACE

7. Nested Group Conflicts

A user or group could belong to multiple nested security groups, some of which may be allowed, and some denied, the same set of permissions

8. So on and so forth

Similarly, there are other factors involved in accurately determining resultant access in Active Directory.

In order to accurately assess effective access in Active Directory, you have to take all factors involved in a real Active Directory security (authorization) check into account, exactly as involved in a real access check.

Gold Finger is the only solution in the world that simulates real Active Directory access checks to accurately assess and report who actually has what effective access on an Active Directory object.

Back Back

Who We Are What We Do How We Protect You