Active Directory Effective Permissions Calculator

Instantly and accurately calculate Active Directory effective permissions on any Active Directory object, in any partition, at the touch of a button.

"We are very pleased to see Paramount Defenses, a valued Microsoft partner, offer an innovative security solution (in Gold Finger) that helps enhance security and compliance in Active Directory environments."

Charles Coates, Senior Product Manager      
Identity and Security Business Group

Overview

Organizations have a mission-critical cyber security need to accurately audit effective permissions in Active Directory in order to audit, secure and defend Active Directory, control and lock down privileged access in Active Directory, implement Privileged Access Management (PAM), attain and maintain Least Privileged Access (LPA) and Zero Trust, securely manage identities and access in AD, and fulfill Governance, Risk and Compliance (GRC) requirements.


Active Directory Effective Permissions Calculator is a unique tool designed by a former Microsoft Program Manager for Active Directory Security to help IT groups and personnel easily, instantly and trustworthily fulfill this need.

It automates the accurate determination of effective permissions (aka effective access) on Active Directory objects, to help identify exactly who actually has what access on an Active Directory object, and how, all at the touch of a button.

Only Gold Finger Can Accurately Calculate Effective Permissions in Active Directory

Active Directory's rich security model lets organizations precisely provision access to fulfill various business needs, but unfortunately its complexity also makes it very difficult to accurately assess who has what access in Active Directory.

Specifically, given the technical complexity of Active Directory's rich security model, there exist numerous complicated security permissions (e.g. explicit, inherited, allow, deny, object-specific, special rights etc.) within Active Directory ACLs, and they make it very difficult to accurately assess who currently actually has what access on Active Directory objects.

From a technical standpoint, there is one and only one correct way to determine who actually has what access on an Active Directory object, and that is by determining who has what effective permissions on that Active Directory object.

Unfortunately, many organizations do not know this fact, and determine "Who has what permissions in Active Directory," which is incorrect and delivers vastly inaccurate results, reliance upon which only leaves them substantially vulnerable.

Only Gold Finger's unique Microsoft-endorsed effective permissions calculation capabilities can accurately determine effective permissions in Active Directory, and thus only it can accurately assess who has what access in Active Directory.

Unrivaled in Capability

The need to know who has what access in Active Directory is absolutely paramount to organizational cyber security.


Our unique, unrivaled Microsoft-endorsed Gold Finger is the world's only tool that can instantly, accurately and automatically find out exactly who has what effective permissions on Active Directory objects, including how.

It can also instantly determine and reveal exactly what effective permissions a specific user has in Active Directory.


It accomplishes in mere minutes what otherwise takes days, and it does all this, and more, at the touch of a button.

Standard Mode

The Standard Mode (default) of Active Directory Effective Permissions Calculator enables organizations to instantly, accurately and automatically determine exactly who has what effective permissions on an Active Directory object, which one(s), and how.

For example -

  1. Who has what effective permissions on the CEO's domain user account in Active Directory?

  2. Who has what effective permissions on the Domain Admins security group in Active Directory?

  3. Who has effective Modify Permissions on the AdminSDHolder object in Active Directory?

  4. Who has effective Create Child permissions on the Corporate organizational unit (OU)?

  5. Who has effective Standard Delete permissions on a specific service connection point?

Single-User Mode

The Single-User Mode of Active Directory Effective Permissions Calculator empowers organizations to instantly, accurately and automatically assess whether a specific user has any effective permissions on an Active Directory object, and if so which one(s), and how.

For example -

  1. Does a specific user, John Doe, have effective Reset Password extended right on the CEO's domain user account?

  2. Does a specific user, Jane Doe, have effective Write Property Member on the Domain Admins security group?

  3. Does a specific contractor have effective Modify Permissions on the AdminSDHolder object?

  4. Does a specific user, Mark Smith, have effective Create Child User permissions on the Corporate OU?

  5. Does a specific user, Stuart Chan, have effective Delete, or Delete Child permissions on the Global OU?

Features

Accurate Effective Permissions Analysis

Accurately calculate effective permissions on Active Directory objects

Complete Effective Permissions Analysis

Determine complete set of effective permissions allowed on an AD object

Real-time Fully-Automated Analysis

Instantly determine effective permissions on any AD object in real-time

Source Identification

Identify the exact permission that entitles a user to an effective permission

Export to CSV

Export effective permissions data for analysis, comparison and archival

Technical Summary

Active Directory Effective Permissions Calculator accomplishes the rare technical feat of automating the accurate determination of effective permissions on individual Active Directory objects, to help identify exactly who actually has what access on any and every object in any Active Directory partition, as well as identifying how they have this access.

Benefits

Accurately Audit AD Effective Permissions

Accurately calculate effective permissions on AD objects

Audit Privileged Access on AD objects

Find out who actually has what privileged access on AD objects

Secure Your Foundational Active Directory

Assess and lock down access on your entire AD attack surface

Complete Steps 1, 2 and 3 of your PAM Journey

Accurately discover privileged users in AD, secure them and control access

Demonstrate Regulatory Compliance

Correctly demonstrate compliance concerning privileged access in AD

Example Reports

The following real-world examples illustrate the Active Directory Effective Permissions Calculator's unique capabilities -

  • Find out exactly who has what effective permissions on the Domain Admins privileged group in Active Directory.
  • Determine exactly who has Write Property - Member effective permissions on the Domain Admins group.
  • Find out exactly who has Change Schema Master extended right effective permissions on the Schema partition root.
  • Find out exactly who has Get Replication Changes All extended right effective permissions on the domain root object.
  • Identify exactly who has Delete or Delete Tree effective permissions on a top-level OU containing thousands of objects.
  • Determine exactly who has Create Child - User effective permissions on a top-level organizational unit in Active Directory.
  • Find out exactly who has Modify Permissions effective permissions on the domain root object or on the AdminSDHolder object.
  • Find out exactly who has Write Property - userAccountControl effective permissions on a critical server's domain computer object.
  • Determine exactly who has Apply Group Policy extended right effective permissions on the Domain Controllers organizational unit.
  • Determine exactly who has Reset Password extended right effective permissions on the default Administrator domain user account.

Requirements and Licensing

Active Directory Effective Permissions Calculator can be instantly downloaded, installed and run on any Windows computer. Its use does not require any admin privileges, any changes to or any knowledge of Active Directory.

The tool is licensed on a subscription model, and can be licensed on an annual basis.

"We use the Gold Finger from Paramount Defenses to fulfill our Active Directory Audit needs. It saves us a lot of time and effort and we would recommend it to anyone who needs to perform Active Directory audits trustworthily and cost-effectively. Great product, great support."

Sean Seeliger, Architect

Our Global Customers

  • Australian Government
  • United States Treasury
  • British Government
  • Government of Canada
  • British Petroleum
  • Ernst and Young
  • Saudi Arabian Monetary Agency
  • Juniper Networks
  • U.S. Department of Defense
  • Microsoft Corporation
  • United Nations
  • Quantium
  • Nestle
  • IBM Corporation
  • U.S. Federal Aviation Administration
  • Columbia University
