Active Directory Effective Permissions
Active Directory Effective Permissions are the access that a user actually (i.e. effectively) has on an Active Directory object, once the entirety of the permissions specified in the object's ACL has been taken into account.
Effective permissions matter enough for Active Directory security that one of the four tabs in the Advanced Security Settings dialog (the ACL Editor) is devoted to them, alongside Permissions, Auditing and Owner. (From Windows Server 2012 onward the tab is named Effective Access.)
Simply put, Active Directory Effective Permissions are the resultant set of permissions that a user is entitled to on a given Active Directory object, in light of all the security permissions that protect the object, including ACEs that do not name the user directly but apply to the user through group membership or a well-known security principal such as Authenticated Users. They are what determines and controls the actual access a user has to an Active Directory object.
Understanding True Active Directory Effective Permissions
The determination of true (accurate) effective permissions in Active Directory is one of the most difficult challenges in Windows Security, because Active Directory's security model is sophisticated, and as a result there are numerous factors that influence the accurate determination of effective permissions.
This is perhaps best illustrated with an example.
Consider an ACL such as the one pictured above. How does one accurately determine who has what effective permissions on this object? There are numerous factors which influence effective permissions, such as the following.
There are numerous permissions specified for numerous users, security groups and well-known security principals (Everyone, Authenticated Users, SELF, and so on).
Security groups may be nested to multiple levels, so that one ACE naming a group effectively specifies access for a large number of individuals.
There are over seventy different kinds of permissions and rights (standard rights, property-specific rights, validated writes and extended rights such as Reset Password) that could be granted or denied to security principals.
Permissions granted to a user or group in one ACE may be denied to the same user or group in another ACE, and a deny is evaluated before an allow of the same kind.
Permissions granted in an inherited ACE may be overridden by permissions specified in an explicit ACE, because explicit ACEs are evaluated before inherited ones.
Whether an ACE controls access to a given object at all depends on its characteristics: an inherit-only ACE does not apply to the object it sits on, an ACE with an inherited-object-type GUID applies only to children of that class, and an object-type GUID scopes an ACE to a single property, property set or extended right rather than to the whole object.
A user could belong to multiple nested security groups, some of which may be allowed, and some denied, permissions.
And so on.
Thus, in order to correctly (i.e. accurately) determine effective permissions on this object, one would need to simulate a real Active Directory authorization check, and doing so requires deep technical expertise and a lot of time. This is why accurately determining true effective permissions in Active Directory is very difficult.
Challenges in Determining Active Directory Effective Permissions Using Microsoft's Tools
As indicated above, Active Directory Effective Permissions are very important for Active Directory security because they determine who really has what access in Active Directory.
In fact they are so important that Microsoft offers three tools, the Effective Permissions tab of the ACL Editor, dsacls and acldiag, to help IT personnel determine and display effective permissions on Active Directory objects. Each of these tools reports something it labels effective permissions.
Unfortunately, none of these tools can accurately determine effective permissions in Active Directory.
For example, in the dsacls output pictured above, you will see that it displays a section headed Effective Permissions, but if you look closely, it only displays supposed effective permissions for various security groups, without expanding those groups.
In particular, it merely lists the ACEs that apply to each security group named in the ACL. It neither expands those group memberships, nor checks whether a member of a group that is granted a specific access (by virtue of membership in that group) is also a member of another group for which conflicting access is specified in the object's ACL. Where that is the case, the user may not actually have the access that is reported for the group to which the user belongs.
This unfortunately, is also the case with the Effective Permissions Tab as well as with acldiag.
In fact, this is also the case with numerous other third-party tools that claim to determine and display Active Directory effective permissions, but in fact merely make incomplete, and thus inaccurate, determinations.
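To make the factors listed above concrete, and to show why a per-group listing of ACEs (the dsacls-style output just discussed) can disagree with a user's real access, here is a small simulation of a Windows-style access check over one object's DACL. It is an added illustration, not code from this page, from Microsoft or from any vendor tool, and every SID, group membership and ACE in it is constructed for the example. The access-mask constants and the Reset Password rightsGuid are the documented Windows values; the evaluation order (explicit deny, explicit allow, inherited deny, inherited allow, with inherit-only ACEs skipped and object-type ACEs scoped to one right) follows the canonical DACL rules.

```python
"""Simulated access check over one Active Directory object's DACL.

Added illustration, not code from the page, from Microsoft or from any vendor
tool. Every SID, group and ACE below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Access-mask bits (subset of ADS_RIGHTS_ENUM from the Windows SDK).
READ_PROP = 0x10
WRITE_PROP = 0x20
CONTROL_ACCESS = 0x100     # extended right; which one is named by object_type
DELETE = 0x10000

# rightsGuid of the User-Force-Change-Password ("Reset Password") extended right.
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"

EVERYONE = "S-1-1-0"
AUTHENTICATED_USERS = "S-1-5-11"


@dataclass(frozen=True)
class Ace:
    allow: bool                        # True: ACCESS_ALLOWED(_OBJECT); False: ACCESS_DENIED(_OBJECT)
    trustee: str                       # SID of the user, group or well-known principal
    mask: int                          # access-mask bits this ACE speaks for
    inherited: bool = False            # INHERITED_ACE: flowed down from a parent container
    inherit_only: bool = False         # INHERIT_ONLY_ACE: for child objects, never this object
    object_type: Optional[str] = None  # property or extended-right GUID; None = whole object


def expand_token(user_sid: str, groups: Dict[str, Set[str]]) -> FrozenSet[str]:
    """Principals the user's token carries: the user, every group reached through
    nested membership, and the well-known SIDs every domain user holds."""
    token = {user_sid, EVERYONE, AUTHENTICATED_USERS}
    frontier = [user_sid]
    while frontier:
        sid = frontier.pop()
        for group, members in groups.items():
            if sid in members and group not in token:
                token.add(group)
                frontier.append(group)
    return frozenset(token)


def canonical(dacl: List[Ace]) -> List[Ace]:
    """Canonical DACL order: explicit deny, explicit allow, inherited deny, inherited allow.
    Because explicit ACEs are evaluated first, an explicit allow beats an inherited deny."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def effective_access(dacl: List[Ace], token: FrozenSet[str], object_type: Optional[str] = None) -> int:
    """Maximum-allowed evaluation: walk the canonical DACL; a matching deny reserves
    its bits, a matching allow grants any bits not already reserved."""
    granted = denied = 0
    for ace in canonical(dacl):
        if ace.inherit_only or ace.trustee not in token:
            continue
        if ace.object_type is not None and ace.object_type != object_type:
            continue  # an object-specific ACE only speaks for its own property/right
        if ace.allow:
            granted |= ace.mask & ~denied
        else:
            denied |= ace.mask
    return granted


def holds_extended_right(dacl: List[Ace], token: FrozenSet[str], right_guid: str) -> bool:
    return bool(effective_access(dacl, token, right_guid) & CONTROL_ACCESS)


# Constructed sample: Alice is in Tier1 (nested in Helpdesk) and in Contractors; Bob only in Tier1.
ALICE, BOB, CAROL = "S-1-5-21-1-1-1-1001", "S-1-5-21-1-1-1-1002", "S-1-5-21-1-1-1-1003"
TIER1, HELPDESK, CONTRACTORS = "S-1-5-21-1-1-1-2001", "S-1-5-21-1-1-1-2002", "S-1-5-21-1-1-1-2003"
GROUPS: Dict[str, Set[str]] = {HELPDESK: {TIER1}, TIER1: {ALICE, BOB}, CONTRACTORS: {ALICE}}

SAMPLE_DACL = [
    Ace(True,  HELPDESK,            CONTROL_ACCESS, object_type=RESET_PASSWORD),
    Ace(False, CONTRACTORS,         CONTROL_ACCESS, object_type=RESET_PASSWORD),
    Ace(True,  TIER1,               WRITE_PROP),
    Ace(False, AUTHENTICATED_USERS, WRITE_PROP, inherited=True),
    Ace(True,  AUTHENTICATED_USERS, READ_PROP,  inherited=True),
    Ace(True,  EVERYONE,            DELETE,     inherited=True, inherit_only=True),
]


def group_view(dacl: List[Ace], group_sid: str, right_guid: str) -> bool:
    """What a per-trustee listing reports: the group's own ACEs, no nesting, no other groups."""
    return holds_extended_right(dacl, frozenset({group_sid}), right_guid)


def user_view(dacl: List[Ace], user_sid: str, right_guid: str) -> bool:
    """What an access check on the user's expanded token reports."""
    return holds_extended_right(dacl, expand_token(user_sid, GROUPS), right_guid)


if __name__ == "__main__":
    print(group_view(SAMPLE_DACL, HELPDESK, RESET_PASSWORD))   # True: the listing says Helpdesk can reset
    print(user_view(SAMPLE_DACL, ALICE, RESET_PASSWORD))       # False: Alice's Contractors deny wins
    print(user_view(SAMPLE_DACL, BOB, RESET_PASSWORD))         # True: Bob reaches Helpdesk via Tier1
    print(hex(effective_access(SAMPLE_DACL, expand_token(BOB, GROUPS))))    # 0x30
    print(hex(effective_access(SAMPLE_DACL, expand_token(CAROL, GROUPS))))  # 0x10
```

The group view says Helpdesk holds Reset Password, and a per-group listing would report exactly that, yet Alice, a Helpdesk member through Tier1, does not hold it because her Contractors membership carries an explicit deny that is evaluated first. Bob keeps Write Property despite the inherited deny on Authenticated Users because the explicit allow on Tier1 is evaluated before it, and nobody gets Delete from the inherit-only ACE on this object. The simulation deliberately leaves out things a real check also weighs: the owner's implicit rights, the CREATOR OWNER and SELF placeholders, property sets and validated writes, and token privileges, which is part of why doing this by hand is error-prone.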
Correctly Determining Active Directory Effective Permissions
In order to correctly determine effective permissions in Active Directory, one needs to take into account every factor involved in determining effective access: full expansion of nested group membership, the well-known principals a user's token carries, the canonical ordering of explicit and inherited allow and deny ACEs, and the inheritance and object-type characteristics of each ACE. Including each of these factors accurately and completely every time one needs to determine effective permissions requires precision, deep technical expertise and substantial time, and is a process best suited to automation.
At Paramount Defenses, we have automated this exact process and developed an accurate Active Directory Effective Permissions tool, which we believe to be the first of its kind. It determines effective permissions on any object in any Active Directory partition, so IT personnel can easily and accurately determine effective permissions on any object in Active Directory.
As indicated above, effective permissions are very important for Active Directory security, because it is Active Directory Effective Permissions, not the individual security permissions listed in an ACL, that determine the actual access a user has on an Active Directory object.