Active Directory Effective Permissions – The Keys to Privileged Access Worldwide
It is Active Directory Effective Permissions that govern exactly who has what privileged access in every Active Directory deployment worldwide.
Privileged access is the new holy grail for perpetrators, for in it lie the Keys to the Kingdom, and it is Active Directory Effective Permissions that determine exactly who has what privileged access in Active Directory deployments worldwide.
Specifically, it is not "Who has what permissions in Active Directory" but "Who has what effective permissions in Active Directory" that determines who actually has what privileged access in any and every Active Directory deployment.
Active Directory Effective Permissions
Active Directory Effective Permissions are the resulting set of permissions that a user is actually granted (i.e. allowed) on an Active Directory object, once the collective impact of all the security permissions specified in that object's access control list (ACL) has been accurately taken into account.
Not a single object in Active Directory can be secured without Active Directory Effective Permissions.
Consequently, not a single Active Directory deployment in the world can be secured without possessing the capability to accurately determine effective permissions in Active Directory, which is why this is paramount to cyber security globally.
Understanding AD Effective Permissions
Active Directory Effective Permissions are best understood with a few illustrative examples –
A Simple Example
Assume that a user John Doe is a member of Domain Admins.
Next, assume that the following is the complete ACL protecting the CEO's domain user account in Active Directory -
Explicit Deny Helpdesk Team All Extended Rights
Explicit Allow Domain Admins Full Control
Question: Will John Doe be able to reset the CEO's password?
Popular Answer: Yes. (If you rely on a permissions analysis tool to make this determination, you'll always get Yes for an answer.)
Correct Answer: It depends on whether or not John Doe is also a member of the Helpdesk Team. If he is, the answer is No.
A Slightly Advanced Example
Now, assume that the following is the complete ACL protecting the CEO's domain user account in Active Directory -
Inherited Deny Helpdesk Team All Extended Rights
Explicit Allow Domain Admins Full Control
Question: Will John Doe be able to reset the CEO's password?
Answer: Yes (even if John is a member of Helpdesk Team).
Reason: Explicit permissions take precedence over inherited permissions. In the canonical order in which ACL entries are evaluated (explicit Deny, explicit Allow, inherited Deny, inherited Allow), the explicit Allow granting Full Control to Domain Admins is reached before the inherited Deny on Helpdesk Team, so that Deny never applies to John.
An Advanced Example
Assume that a user John Doe is a member of Domain Admins and the Helpdesk Team, and that Helpdesk Team is in turn a member of IT Contractors, which is a member of Global Admins.
Now assume that the following is the complete ACL protecting the CEO's domain user account in Active Directory -
Inherited Deny Helpdesk Team All Extended Rights
Inherited Allow Global Admins Reset Password
Explicit Deny IT Contractors Special
Explicit Allow Domain Admins Full Control
Question: Will John Doe be able to reset the CEO's password?
Correct Answer: To answer this question, we need to take into account the collective impact of all the permissions in the ACL. In other words, we will need to determine effective permissions.
A Real-World Example
Assume that a user John Doe is a member of numerous (e.g. 30+) domain security groups, many of which are members of other security groups, some of which are circularly nested.
Now assume that there are 100 permissions in the ACL -
Inherited Deny Helpdesk Team All Extended Rights
Inherited Allow Global Admins Reset Password
...
Explicit Deny IT Contractors Special
Explicit Allow Domain Admins Full Control
Question: Will John Doe be able to reset the CEO's password?
Correct Answer: To answer this question, we need to take into account the collective impact of 100+ permissions in the ACL, which involves a lot, including fully expanding 100+ security groups, dynamically evaluating well-known security principals, considering object types, intersecting conflicting permissions etc.
Very Difficult
The accurate determination of effective permissions in Active Directory is very difficult and involves many factors, such as -
There are a dozen Active Directory Security permissions.
There are 75+ specific Active Directory extended rights.
There are 150+ unique classes and 1000+ unique attributes in the base Active Directory Schema alone.
Permissions can be inherited or explicit, allowed or denied, applicable or not applicable depending on object-type.
Permissions can be granted to user accounts, computer accounts, security groups, foreign security principals or well-known security principals.
Domain security group memberships can be nested, to numerous levels, and possibly be circularly nested.
Well known security principals like Authenticated Users, Domain Users etc. need to be dynamically evaluated.
All such factors need to be included with 100% accuracy.
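The three worked examples above (simple, slightly advanced and advanced) and the factors listed in this section can be reproduced with a small model of the evaluation. The following Python is an added example written for this page, not code from Paramount Defenses or Gold Finger; it models only what the examples need: canonical ACE ordering, transitive (and circular) group expansion, the "All Extended Rights" wildcard, and a single extended right (Reset Password) out of the 75+ that exist. The group graph, the cycle from Global Admins back into Helpdesk Team, the treatment of "Special" as a permission set that does not include Reset Password, and the well-known-principal set are constructed assumptions.

```python
"""Toy Active Directory effective-permissions calculator (added example)."""
from dataclasses import dataclass

# Rights referenced by the page's examples. In AD, Reset Password is one of the
# 75+ control access rights (extended rights); "All Extended Rights" is the
# wildcard ACE that covers every one of them; Full Control covers everything.
RESET_PASSWORD = "Reset Password"
ALL_EXTENDED_RIGHTS = "All Extended Rights"
FULL_CONTROL = "Full Control"
EXTENDED_RIGHTS = {RESET_PASSWORD}  # only the one the examples need

# Well-known principals every authenticated user matches (constructed set);
# a real calculator evaluates these dynamically, not from group membership.
WELL_KNOWN = {"Authenticated Users", "Everyone"}


@dataclass(frozen=True)
class ACE:
    kind: str        # "Allow" or "Deny"
    trustee: str     # user, group or well-known principal the ACE names
    right: str       # a specific right, ALL_EXTENDED_RIGHTS or FULL_CONTROL
    inherited: bool  # False = explicit ACE on the object, True = inherited


def canonical_order(acl):
    """Canonical DACL order: explicit Deny, explicit Allow, inherited Deny,
    inherited Allow. sorted() is stable, so ties keep their ACL position."""
    rank = {(False, "Deny"): 0, (False, "Allow"): 1,
            (True, "Deny"): 2, (True, "Allow"): 3}
    return sorted(acl, key=lambda ace: rank[(ace.inherited, ace.kind)])


def expand_groups(principal, membership):
    """Transitive group expansion. The visited set makes circular nesting
    (A in B, B in C, C in A) terminate instead of looping forever."""
    token = {principal} | WELL_KNOWN
    stack = [principal]
    while stack:
        for group in membership.get(stack.pop(), ()):
            if group not in token:
                token.add(group)
                stack.append(group)
    return token


def ace_covers(ace, right):
    """Does this ACE say anything about the requested right?"""
    if ace.right == FULL_CONTROL:
        return True
    if ace.right == ALL_EXTENDED_RIGHTS:
        return right in EXTENDED_RIGHTS
    return ace.right == right


def has_effective_right(principal, membership, acl, right):
    """The first ACE in canonical order that names one of the principal's
    groups and covers the right decides; no match means implicit deny."""
    token = expand_groups(principal, membership)
    for ace in canonical_order(acl):
        if ace.trustee in token and ace_covers(ace, right):
            return ace.kind == "Allow"
    return False


# Constructed group graph matching the page's advanced example, with a
# constructed cycle (Global Admins back into Helpdesk Team) added.
MEMBERSHIP = {
    "John Doe": ["Domain Admins", "Helpdesk Team"],
    "Helpdesk Team": ["IT Contractors"],
    "IT Contractors": ["Global Admins"],
    "Global Admins": ["Helpdesk Team"],
}

SIMPLE_ACL = [
    ACE("Deny", "Helpdesk Team", ALL_EXTENDED_RIGHTS, inherited=False),
    ACE("Allow", "Domain Admins", FULL_CONTROL, inherited=False),
]
SLIGHTLY_ADVANCED_ACL = [
    ACE("Deny", "Helpdesk Team", ALL_EXTENDED_RIGHTS, inherited=True),
    ACE("Allow", "Domain Admins", FULL_CONTROL, inherited=False),
]
# "Special" on the page is an unspecified permission set; assumed here not
# to include Reset Password.
ADVANCED_ACL = [
    ACE("Deny", "Helpdesk Team", ALL_EXTENDED_RIGHTS, inherited=True),
    ACE("Allow", "Global Admins", RESET_PASSWORD, inherited=True),
    ACE("Deny", "IT Contractors", "Special", inherited=False),
    ACE("Allow", "Domain Admins", FULL_CONTROL, inherited=False),
]


def can_reset_ceo_password(acl, membership=MEMBERSHIP, user="John Doe"):
    return has_effective_right(user, membership, acl, RESET_PASSWORD)


if __name__ == "__main__":
    for name, acl in [("simple", SIMPLE_ACL),
                      ("slightly advanced", SLIGHTLY_ADVANCED_ACL),
                      ("advanced", ADVANCED_ACL)]:
        print(f"{name}: {can_reset_ceo_password(acl)}")
```

Running it reproduces the page's answers: No for the simple example while John is in Helpdesk Team (Yes once he is not), Yes for the slightly advanced example, and Yes for the advanced one. Removing Domain Admins from John's membership in the advanced example flips the answer to No, because the inherited Deny on Helpdesk Team is reached before the inherited Allow that Global Admins would otherwise contribute through the nested groups. What the model leaves out is exactly what makes the real determination hard: object-type applicability of each ACE, accumulation of partial rights across several Allow ACEs when more than one right is requested, validated writes, and the full set of extended rights and well-known principals.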
Difficult Yet Paramount
Factually, the outcome of every single access request on every object in Active Directory depends on effective permissions.
Without the ability to accurately determine effective permissions on Active Directory objects, organizations cannot adequately secure even a single Active Directory object.
Effective permissions are so fundamental to Active Directory security that of the three tabs in all of Microsoft's native Active Directory management tooling, one is for effective permissions.
Unfortunately, Microsoft's effective permissions tab is not only inaccurate, it is substantially inadequate, and thus hardly usable.
To make matters worse, most IT personnel at most organizations worldwide do not even know what effective permissions are, let alone their paramount importance, and to this day resort to simple, inaccurate permissions analysis.
Active Directory effective permissions are paramount to Active Directory Security, and thus to organizational cyber security.
The Key to all Privileged Access in Active Directory
The only way to correctly assess who has what privileged access in Active Directory, such as who can do the following, is by determining Active Directory Effective Permissions -
Who can create, delete or manage any/all accounts, groups or OUs in Active Directory?
Who can control or modify permissions in Active Directory? e.g. on AdminSDHolder
Who can reset the password of any domain account? e.g. that of Administrator
Who can change the membership of any group? e.g. that of Domain Admins
Who can replicate password hashes out of Active Directory? i.e. DCSync
Thus, the key to identifying all privileged access in Active Directory lies in being able to accurately determine Active Directory Effective Permissions.
The Only Correct Way
There is only one correct way to accurately determine (assess/identify) exactly who has what access in Active Directory, both privileged and non-privileged, and that is by accurately determining effective permissions in Active Directory.
Absolutely Essential
Active Directory Effective Permissions are so essential for securing the contents of Active Directory that in every single Microsoft Active Directory native tool*, of the three tabs for Security, one is for Active Directory Effective Permissions.
How to Determine Effective Permissions
The accurate determination of effective permissions in Active Directory is very difficult, laborious and time-consuming.
IT personnel can choose either to determine effective permissions on Active Directory objects manually, which requires proficient expertise, or to use specialized automated tooling to save time and eliminate the possibility of error.
To manually determine effective permissions in Active Directory, IT personnel need to acquire sufficient proficiency in Active Directory security and then apply that expertise to each determination, taking into account every factor that influences access in Active Directory: its security model, access control lists (ACLs), inheritance of permissions, precedence orders, conflicting permissions (Allow vs. Deny), group membership types, rules, expansions and nesting, Schema constraints, dynamic evaluation of well-known security principals, and knowledge of Active Directory security permissions (generic permissions, extended rights and validated writes). Since the accuracy of the results is of paramount importance, care must be taken to ensure that no mistakes are made.
Alternatively, IT personnel can use any specialized tooling that accurately automates the entire process of determining effective permissions in Active Directory, commonly known as an "Active Directory Effective Permissions Calculator".
Gold Finger
Our unique Microsoft-endorsed Gold Finger is the only tool in the world that can accurately determine effective permissions in Active Directory. It is also the world's only accurate Active Directory Effective Permissions Calculator.
The following Active Directory privileged access assessment tools in Gold Finger incorporate accurate, automated Active Directory Effective Permissions analysis –
Active Directory Effective Permissions Calculator
Calculate "Who has what effective permissions in Active Directory?"
Active Directory Effective Access Auditor
Calculate "Who has what effective access in Active Directory?"
Active Directory Privileged Access Assessor
Calculate "Who has what privileged access in Active Directory?"