Friday, June 11, 2010

How to determine the Resultant Set of Permissions in Active Directory

If you're a Windows IT Admin, you know that delegation of administration and provisioning of access for identity and access management is done in the Active Directory.

Delegating administration and provisioning access in Active Directory both basically involve setting up the right permissions for the right users and groups in the access control lists of Active Directory objects. In other words, Active Directory's security model is involved in delegating administration and provisioning access.

It turns out that, unlike the file system security model, the Active Directory security model is rather complicated. It involves many more permissions, (I think) too many special permissions, potentially deep and arcane group nestings, inheritance of permissions, and a whole range of other factors that make it very difficult to figure out what access someone actually has in Active Directory.

In this blog, I will try to peel back some of these layers so we can all figure out exactly what needs to be taken into account to determine the resultant set of permissions in Active Directory.
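As an added illustration (not code from the original post), the sketch below models how nested group membership and the canonical ordering of a DACL combine into a resultant set of permissions. The principals, groups and ACEs are constructed, and the model assumes a single level of inheritance and no object-type (property-specific) ACEs, owner rights or inherit-only flags.

```python
from dataclasses import dataclass

# Access-mask bits from ADS_RIGHTS_ENUM
READ_PROP, WRITE_PROP, CONTROL_ACCESS = 0x10, 0x20, 0x100

@dataclass(frozen=True)
class Ace:
    trustee: str     # user or group the ACE applies to
    allow: bool      # True = allow ACE, False = deny ACE
    mask: int        # rights bits the ACE covers
    inherited: bool  # True if the ACE flowed down from a parent container

def expand_groups(principal, member_of):
    """Return the principal plus every group reached through nested membership."""
    seen, stack = set(), [principal]
    while stack:
        name = stack.pop()
        if name not in seen:
            seen.add(name)
            stack.extend(member_of.get(name, ()))
    return seen

def canonical(dacl):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda ace: (ace.inherited, ace.allow))

def effective_rights(principal, dacl, member_of):
    """Walk the DACL in order; the first matching ACE that names a bit decides it."""
    identities = expand_groups(principal, member_of)
    granted = denied = 0
    for ace in canonical(dacl):
        if ace.trustee not in identities:
            continue
        undecided = ace.mask & ~(granted | denied)
        if ace.allow:
            granted |= undecided
        else:
            denied |= undecided
    return granted

# Constructed sample data: alice is in OU-Admins only through Helpdesk.
MEMBER_OF = {"alice": ["Helpdesk", "Contractors"], "Helpdesk": ["OU-Admins"]}
DACL = [
    Ace("OU-Admins", True, READ_PROP | WRITE_PROP, inherited=True),
    Ace("Contractors", False, WRITE_PROP, inherited=True),
    Ace("Helpdesk", True, CONTROL_ACCESS, inherited=False),
]

if __name__ == "__main__":
    print(hex(effective_rights("alice", DACL, MEMBER_OF)))
    override = DACL + [Ace("alice", True, WRITE_PROP, inherited=False)]
    print(hex(effective_rights("alice", override, MEMBER_OF)))
```

The first call shows the inherited deny on Contractors removing the write access that the nested OU-Admins membership would otherwise grant; the second shows an explicit allow taking precedence over that inherited deny.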


  1. Hi Bob,

    Active Directory Security is critical to organizational security today and the need to know who has what access in Active Directory has become critical today.

    A good Permissions Analyzer for Active Directory can help identify, lockdown and audit security permissions in Active Directory quickly and efficiently.

    I recently came across a helpful post on How to View Active Directory (AD) Security Permissions and Perform ACL / Permissions Analysis so I thought I'd share it with you.


  2. Hello Bob,

    What are your thoughts about the security implications of outsourcing the management of critical IT services like DNS, DHCP, Active Directory, email (Exchange) etc. to outsourced providers? I think outsourcing of Microsoft's Active Directory technology impacts global security but I would like to hear your thoughts on the same.


  3. Hello Bob,

    Greetings from Dubai. I am a Windows IT admin and have been working with Active Directory for quite some time now. One of the things that interests me is Active Directory Security and I have been recently looking at Active Directory Risks. I've found that using a Permissions Analyzer for Active Directory can be very helpful in finding out who has what permissions in Active Directory. I thought I would share this with you in case it helps you too.

    Best wishes,

  4. Hi Bob,

    I happened to come across your blog, so thought I'd leave a note.

    I've been wanting to blog for a while now, and have a little blog of my own as well over at Active Directory Forestry, but I just can't seem to find the time.

    We've been very busy helping clients understand how to analyze and audit security permissions in Active Directory because it is so important to Active Directory security.

    We came across a valuable Active Directory Audit Tool and it's been very helpful as we perform many an Active Directory Audit for our clients. Thought I'd mention it.

    If you have some time, do stop by. I would love to hear from you.


  5. Hi Bob,

    I think of Active Directory Security as being critical to business these days and Active Directory Auditing is very important.

    Personally, I've found that the need to audit what is being audited in Active Directory is equally important as well.

    I recently came across a cool Active Directory ACL Export/Dump Tool and have been using it for these audits.

    I thought you might find my experience with How to audit / find out what is being audited in Active Directory helpful so thought of sharing it with you.