Friday, June 11, 2010

How to determine the Resultant Set of Permissions in Active Directory

If you're a Windows IT admin, you know that delegation of administration and provisioning of access for identity and access management are done in Active Directory.

Both delegating administration and provisioning access in Active Directory basically involve setting up the right permissions for the right users and groups in the access control lists (ACLs) of Active Directory objects. In other words, Active Directory's security model is at the heart of delegating administration and provisioning access.

It so turns out that, unlike the file system security model, the Active Directory security model is rather complicated: it involves many more permissions (and, I think, too many special permissions), potentially deep and arcane group nestings, inheritance of permissions, and a whole range of other factors, all of which make it very difficult to figure out what access someone actually has in Active Directory.

In this blog, I will make an attempt to unpeel some of these layers so we can all figure out exactly what needs to be taken into account to actually determine the resultant set of permissions in Active Directory.