
Active Directory Effective Permissions

– The Keys to Privileged Access Worldwide


It is Active Directory Effective Permissions that govern exactly who has what privileged access in every Active Directory deployment worldwide.

Privileged access is the new holy grail for perpetrators, for in it lie the Keys to the Kingdom, and it is Active Directory effective permissions that determine exactly who holds that privileged access in Active Directory deployments worldwide.

Specifically, it is not "Who has what permissions in Active Directory" but in fact "Who has what effective permissions in Active Directory" that determines who actually has what privileged access in any and every Active Directory deployment.

What are Active Directory Effective Permissions?


Active Directory Effective Permissions are the resulting set of permissions that a user is actually granted (i.e. allowed) on an Active Directory object, after accurately considering the collective impact of all the security permissions specified in that object's access control list (ACL).


Not a single object in Active Directory can be secured without Active Directory Effective Permissions.


Consequently, not a single Active Directory deployment in the world can be secured without possessing the capability to accurately determine effective permissions in Active Directory, which is why this is paramount to cyber security globally.

Understanding AD Effective Permissions

Active Directory Effective Permissions are best understood with a few illustrative examples –

A Simple Example of Active Directory Effective Permissions


Assume that a user John Doe is a member of Domain Admins.


Next, assume that the following is the complete ACL protecting the CEO's domain user account in Active Directory -

  • Explicit Deny: Helpdesk Team, All Extended Rights

  • Explicit Allow: Domain Admins, Full Control


Question: Will John Doe be able to reset the CEO's password?


Popular Answer: Yes. (If you rely on a permissions analysis tool to make this determination, you'll always get Yes for an answer.)

Correct Answer: It depends on whether or not John Doe is also a member of the Helpdesk Team. If he is, the answer is No.

A Slightly Advanced Example of Active Directory Effective Permissions


Now, assume that the following is the complete ACL protecting the CEO's domain user account in Active Directory -

  • Inherited Deny: Helpdesk Team, All Extended Rights

  • Explicit Allow: Domain Admins, Full Control


Question: Will John Doe be able to reset the CEO's password?

Answer: Yes (even if John is a member of the Helpdesk Team).

Reason: Explicit permissions are evaluated before inherited ones, so an explicit Allow always overrides an inherited Deny.

An Advanced Example of Active Directory Effective Permissions


Assume that a user John Doe is a member of Domain Admins and the Helpdesk Team, and that Helpdesk Team is in turn a member of IT Contractors, which is a member of Global Admins.


Now assume that the following is the complete ACL protecting the CEO's domain user account in Active Directory -

  • Inherited Deny: Helpdesk Team, All Extended Rights

  • Inherited Allow: Global Admins, Reset Password

  • Explicit Deny: IT Contractors, Special

  • Explicit Allow: Domain Admins, Full Control


Question: Will John Doe be able to reset the CEO's password?

Correct Answer: To answer this question, we need to take into account the collective impact of all the permissions in the ACL. In other words, we will need to determine effective permissions.

A Real-world Example of Active Directory Effective Permissions


Assume that a user John Doe is a member of numerous (e.g. 30+) domain security groups, many of which are members of other security groups, some of which are circularly nested.

Now assume that there are 100 permissions in the ACL -

  1. Inherited Deny: Helpdesk Team, All Extended Rights

  2. Inherited Allow: Global Admins, Reset Password

   ...

  99. Explicit Deny: IT Contractors, Special

  100. Explicit Allow: Domain Admins, Full Control


Question: Will John Doe be able to reset the CEO's password?

Correct Answer: To answer this question, we need to take into account the collective impact of 100+ permissions in the ACL, which involves a great deal of work: fully expanding 100+ security groups, dynamically evaluating well-known security principals, considering object types, intersecting conflicting permissions, and more.
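The ordering rule the examples above rely on, as an added example that is not from this page or from Gold Finger: a small Python model of canonical ACE ordering (explicit Deny, explicit Allow, inherited Deny, inherited Allow) with transitive, cycle-safe group expansion. The rights vocabulary, the `Ace` class, the `page_example` helper and the membership graph (including a constructed circular edge) are assumptions; real Active Directory evaluates access-mask bits and extended-right GUIDs against object types, which this model omits.

```python
from dataclasses import dataclass

# Constructed rights vocabulary (assumption): a tiny stand-in for AD's real
# access-mask bits and extended-right GUIDs.
RESET_PASSWORD = "Reset Password"
ALL_EXTENDED_RIGHTS = frozenset({RESET_PASSWORD, "Change Password"})
FULL_CONTROL = ALL_EXTENDED_RIGHTS | {"Write Property", "Write DACL"}

@dataclass(frozen=True)
class Ace:
    allow: bool              # False means Deny
    trustee: str
    rights: frozenset
    inherited: bool = False  # False means explicit (set on the object itself)

def expand_groups(principal, member_of):
    """Transitive group expansion; the visited set makes circular nesting safe."""
    token, stack = {principal}, [principal]
    while stack:
        for group in member_of.get(stack.pop(), ()):
            if group not in token:
                token.add(group)
                stack.append(group)
    return token

def canonical_order(acl):
    """Explicit Deny, explicit Allow, inherited Deny, inherited Allow (stable: ties keep ACL order)."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))

def is_granted(principal, member_of, acl, right):
    """First ACE in canonical order naming the right and a trustee in the token decides; no match is Deny."""
    token = expand_groups(principal, member_of)
    for ace in canonical_order(acl):
        if ace.trustee in token and right in ace.rights:
            return ace.allow
    return False

# Constructed membership graph (advanced example) plus a circular edge to exercise the loop guard.
MEMBER_OF = {"John Doe": ["Domain Admins", "Helpdesk Team"],
             "Helpdesk Team": ["IT Contractors"],
             "IT Contractors": ["Global Admins"],
             "Global Admins": ["IT Contractors"]}

def page_example(john_in_helpdesk, deny_inherited):
    """The first two examples: an explicit Deny on Helpdesk Team versus the same Deny inherited."""
    groups = ["Domain Admins"] + (["Helpdesk Team"] if john_in_helpdesk else [])
    acl = [Ace(False, "Helpdesk Team", ALL_EXTENDED_RIGHTS, inherited=deny_inherited),
           Ace(True, "Domain Admins", FULL_CONTROL)]
    return is_granted("John Doe", {**MEMBER_OF, "John Doe": groups}, acl, RESET_PASSWORD)
```

`page_example(True, False)` reproduces the simple example's No, `page_example(False, False)` its Yes, and `page_example(True, True)` the slightly advanced example's Yes; a plain permissions listing would report Yes in all three cases.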

Active Directory Effective Permissions Calculation is Very Difficult


The accurate determination of effective permissions in Active Directory is very difficult and involves many factors, such as -

  1. There are a dozen Active Directory Security permissions.

  2. There are 75+ specific Active Directory extended rights.

  3. There are 150+ unique classes and 1000+ unique attributes in the base Active Directory Schema alone.

  4. Permissions can be inherited or explicit, allowed or denied, applicable or not applicable depending on object-type.

  5. Permissions can be granted to user accounts, computer accounts, security groups, foreign security principals or well-known security principals.

  6. Domain security group memberships can be nested, to numerous levels, and possibly be circularly nested.

  7. Well-known security principals such as Authenticated Users, Domain Users etc. need to be dynamically evaluated.

All such factors need to be included with 100% accuracy.

Difficult yet Paramount


Factually, the outcome of every single access request on every object in Active Directory depends on effective permissions.

Without the ability to accurately determine effective permissions on Active Directory objects, organizations cannot adequately secure even a single Active Directory object.

Effective permissions are so fundamental to Active Directory security that of the three tabs in all of Microsoft's native Active Directory management tooling, one is for effective permissions.

Unfortunately, Microsoft's effective permissions tab is not only inaccurate, it is substantially inadequate, and thus hardly usable.

To make matters worse, most IT personnel at most organizations worldwide do not even know what effective permissions are, let alone their paramount importance, and to this day, resort to performing simple inaccurate permissions analysis.

Active Directory effective permissions are paramount to Active Directory Security, and thus to organizational cyber security.

The Key to All Privileged Access in Active Directory


The only way to correctly find out (i.e. audit) exactly who has what privileged access in Active Directory, such as who can do the following, is to determine Active Directory effective permissions -

  1. Who can modify permissions on AdminSDHolder?

  2. Who can change the Domain Admins' group membership?

  3. Who can reset the password of every Domain Admin?

  4. Who can create accounts and groups in Active Directory?

  5. Who can delete entire OUs full of thousands of objects?

  6. Who can replicate passwords out of Active Directory?

  7. Who can manage all accounts, control all groups etc.?


The key to identifying all privileged access in Active Directory thus lies in being able to determine effective permissions.

Active Directory Effective Permissions Calculator

Gold Finger

Gold Finger is the only tool in the world that can accurately determine effective permissions in Active Directory.


Our Global Customers

  • Australian Government
  • United States Treasury
  • British Government
  • Government of Canada
  • British Petroleum
  • Ernst and Young
  • Saudi Arabian Monetary Agency
  • Juniper Networks
  • U.S. Department of Defense
  • Microsoft Corporation
  • United Nations
  • Quantium
  • Nestle
  • IBM Corporation
  • U.S. Federal Aviation Administration
  • Columbia University
