Domain Admins and Enterprise Admins often delegate administrative tasks in Active Directory and from time to time need to know who is delegated what access in Active Directory.
How to Find Out Who is Delegated What Access in Active Directory?
The need to find out and audit delegated access grants in Active Directory has become very important to maintain Active Directory security. Unfortunately, it is not very easy to find out who is delegated what access in Active Directory correctly.
(Figure: Active Directory ACL)
The reason is that many admins assume that finding out who has what permissions in Active Directory is the same as finding out who is delegated what access in Active Directory.
This is not true, because what matters is not who has what permissions (the ACEs that appear in an object's ACL), but who has what effective permissions (the access a given principal actually ends up with once every ACE that applies to the object has been evaluated for that principal), and it is very difficult to find out who has what effective permissions in Active Directory.
- Note: If you're looking for details on why this is the case, there is a helpful write-up: Pitfalls in Assessing Delegated Access in Active Directory
In summary, the problem is that it is very difficult to accurately determine effective permissions in Active Directory because several factors interact: inheritance of permissions from parent containers and OUs, ACE precedence order (explicit entries are evaluated before inherited ones, and deny entries before allow entries at each level), permissions granted via nested group memberships, inherit-only ACEs that appear in an object's ACL but do not apply to the object itself, and so on.
In order to find out who is delegated what access in Active Directory, you need the ability to correctly determine effective permissions on each object and then map those effective permissions to administrative tasks (for example, an effective Reset Password extended right on a user object maps to "can reset this user's password"), and the only way to do that correctly across a real domain is via automation, i.e. an automated tool that performs this evaluation for you.
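To make the distinction concrete, here is an added PowerShell example (written for this page; it is not Gold Finger's method and not a Microsoft API) that evaluates one principal's effective access to one object by applying exactly the rules above: the principal's token is built from its own SID plus every directly and transitively nested group (the constructed tokenGroups attribute), ACEs are walked in canonical DACL order so a matching deny takes precedence over later allows, inherit-only ACEs are skipped because they grant nothing on the object that carries them, and the result is mapped to two of the administrative tasks listed on this page (reset a user's password, change a group's membership). The well-known GUIDs are real schema values; the distinguished names, the function names and the helper are assumptions made for the example.

```powershell
# Added example for this page (not the original post's code, not Gold Finger's method).
# Minimal effective-permissions check for one principal on one AD object.
# Assumptions: run on a domain-joined host as a user allowed to read the target's
# nTSecurityDescriptor; the distinguished names at the bottom are placeholders.

# Well-known GUIDs from the AD schema / control access rights
$ResetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$MemberAttribute    = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of "member"

function Get-PrincipalTokenSids {
    # SIDs the principal carries in its access token: its own SID, every group it
    # belongs to directly or through nesting (tokenGroups), plus the implicit
    # Everyone / Authenticated Users SIDs. Returned as a hashtable keyed by SID string.
    param([Parameter(Mandatory)][string]$PrincipalDn)
    $entry = [ADSI]"LDAP://$PrincipalDn"
    $entry.RefreshCache(@('objectSid', 'tokenGroups'))
    $sids = @{}
    $own = [System.Security.Principal.SecurityIdentifier]::new($entry.Properties['objectSid'][0], 0)
    $sids[$own.Value] = $true
    foreach ($raw in $entry.Properties['tokenGroups']) {
        $sids[([System.Security.Principal.SecurityIdentifier]::new($raw, 0)).Value] = $true
    }
    $sids['S-1-1-0']  = $true   # Everyone
    $sids['S-1-5-11'] = $true   # Authenticated Users
    return $sids
}

function Test-EffectiveRight {
    # True when $PrincipalDn effectively holds $Right on $TargetDn. For property,
    # validated-write and extended rights pass the attribute / right GUID in $ObjectType.
    param(
        [Parameter(Mandatory)][string]$PrincipalDn,
        [Parameter(Mandatory)][string]$TargetDn,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Right,
        [guid]$ObjectType = [guid]::Empty
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $token   = Get-PrincipalTokenSids -PrincipalDn $PrincipalDn
    if ($PrincipalDn -eq $TargetDn) { $token['S-1-5-10'] = $true }   # SELF applies to one's own object

    # The ACL read from the object already contains the ACEs inherited from its ancestors.
    $acl     = ([ADSI]"LDAP://$TargetDn").ObjectSecurity
    $needed  = [int]$Right
    $granted = 0

    # The object's owner implicitly holds ReadControl and WriteDacl regardless of the DACL.
    if ($token.ContainsKey($acl.GetOwner($sidType).Value)) {
        $granted = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadControl -bor
                   [int][System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
    }

    # GetAccessRules returns the DACL as stored. AD keeps it canonical (explicit deny,
    # explicit allow, then inherited deny, inherited allow), which the loop relies on.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        # Inherit-only ACEs exist to be copied to children; they grant nothing on this object.
        if ($ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
        # Trustee not in the token: the ACE is irrelevant (this is where nesting is resolved).
        if (-not $token.ContainsKey($ace.IdentityReference.Value)) { continue }
        # An object-specific ACE covers only the attribute/right it names; an empty GUID covers all.
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $ObjectType) { continue }

        $overlap = ([int]$ace.ActiveDirectoryRights) -band $needed
        if ($overlap -eq 0) { continue }

        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
            # A deny covering any bit that has not already been granted ends the check.
            if (($overlap -band (-bnot $granted)) -ne 0) { return $false }
            continue
        }
        $granted = $granted -bor $overlap
        if (($granted -band $needed) -eq $needed) { return $true }
    }
    return (($granted -band $needed) -eq $needed)
}

# Usage with placeholder DNs (assumed for the example; replace with real objects):
$UserDn   = 'CN=Helpdesk User,OU=Staff,DC=corp,DC=example'
$TargetDn = 'CN=Some Admin,OU=Admins,DC=corp,DC=example'
$GroupDn  = 'CN=Domain Admins,CN=Users,DC=corp,DC=example'

# "who can reset this user's password" = effective ExtendedRight for User-Force-Change-Password
Test-EffectiveRight -PrincipalDn $UserDn -TargetDn $TargetDn -Right ExtendedRight -ObjectType $ResetPasswordRight
# "who can change this group's membership" = effective WriteProperty on the member attribute
Test-EffectiveRight -PrincipalDn $UserDn -TargetDn $GroupDn -Right WriteProperty -ObjectType $MemberAttribute
```

Running this for every principal against every object is what turns an ACL dump into the "who can do what" mapping described above; that is the part that does not scale by hand. Two things the example deliberately leaves out, and which a real tool has to handle: an ACE on a property-set GUID covers every attribute in the set, so a per-attribute query has to expand property sets, and the ACLs of protected administrative accounts are rewritten by SDProp from AdminSDHolder on a timer, so the answer for those accounts depends on when you ask.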
The only Active Directory tool that I know of that can accurately determine who is delegated what access in Active Directory is the Gold Finger for Active Directory -
(Figure: Active Directory Effective Delegated Access Reporter/Analyzer)
Based on what I have heard, Gold Finger is the only tool that has the ability to do this accurately.
The following is a list of administrative tasks that I believe it can report on -
- All domain user accounts, and who can change the security permissions protecting them
- All administrative domain user accounts, and who can reset their passwords
- All active domain user accounts, and who can disable them
- All stale domain user accounts, and who can reset their passwords to log in as them
- All unused domain user accounts, and who can reset their passwords to log in as them
- All enabled domain user accounts, and who can disable them
- All disabled domain user accounts, and who can enable them
- All locked domain user accounts, and who can unlock them
- All recently created domain user accounts, and who can delete them
- All recently deleted domain user accounts, and who can create domain user accounts, and where*
- All recently changed domain user accounts
- All password-protected domain user accounts, and who can reset their passwords
- All smart-card protected domain user accounts, and who can disable the requirement of smart cards on them
- All domain user accounts that do not require passwords to log on
- All domain user accounts whose passwords never expire, and who can change this setting
- All domain user accounts whose password must be changed at next logon, and who can change this setting
- All domain-user accounts that do not have an expiration date, and who can set an expiration date on them
- All domain-user accounts that are about to expire, and who can prevent them from expiring
- All domain user accounts that are sensitive and cannot be delegated, and who can change their sensitivity
- All domain user accounts that are not sensitive and can be delegated, and who can change their sensitivity
- All domain user accounts that can log on to any workstation, and who can change this setting
- All domain user accounts that can log on to specific workstations only, and who can change the list of workstations
- All domain user accounts that can log on at any time, and who can restrict logon to specific times only
- All domain user accounts for which specific logon hours have been specified, and who can change the hours
- All domain user accounts for which a logon-script is specified, and who can specify a logon-script
- All domain user accounts for which a logon-script is not specified, and who can specify their logon-script
- All domain user accounts that do not have a description specified, and who can specify their description
- All domain computer accounts, and who can change the security permissions protecting them
- All active domain computer accounts, and who can disable them
- All stale domain computer accounts, and who can reset them
- All unused domain computer accounts
- All enabled domain computer accounts, and who can disable them
- All disabled domain computer accounts, and who can enable them
- All recently created domain computer accounts, and who can delete them
- All recently deleted domain computer accounts, and who can create domain computer accounts, and where*
- All recently changed domain computer accounts
- All domain computer accounts that are trusted for delegation
- All domain computer accounts that are trusted for unconstrained delegation
- All domain computer accounts for which a manager is not designated, and who can designate their manager
- All domain computer accounts for which a location is not specified, and who can specify their location
- All domain computer accounts for which a description is not specified, and who can specify their description
- Who can change the expiration date of a computer account, and of which accounts*
- Who can change the DNS name of a computer account, and of which accounts*
- Who can change the Service Principal Names (SPNs) of a computer account, and of which accounts*
- All domain security groups, and who can change the security permissions protecting them
- All domain security groups of a specific scope, and who can change their scope
- All administrative domain security groups, and who can change their memberships
- All empty domain security groups, and who can change their memberships
- All nested domain security groups, and who can un-nest them
- All domain security groups with large memberships, and who can change their memberships
- All domain security groups for which a manager is not designated, and who can designate their manager
- All domain security groups for which a description is not specified, and who can specify their description
- All recently created domain security groups, and who can delete them
- All recently deleted domain security groups, and who can create domain security groups, and where*
- All recently changed domain security groups
- All direct and nested members of a security group, and who can change their memberships
- Who can add/remove oneself to/from the membership of a security group, and to/from which groups*
- Who can change a security group into a distribution group, and which groups*
- All organizational units, and who can change the security permissions protecting them
- All empty organizational units, and who can create accounts, groups, containers and OUs within them
- All recently created organizational units, and who can delete them
- All recently deleted organizational units, and who can create organizational units, and where*
- All recently changed organizational units
- All organizational units to which group policies are explicitly linked, and who can unlink linked policies
- All organizational units to which group policies are not explicitly linked, and who can link policies to them
- All organizational units for which a manager is not designated, and who can designate their manager
- All organizational units for which a description is not specified, and who can specify their description
- Who can generate resultant set of policy (logging-mode) for users/computers in an organizational unit
- Who can generate resultant set of policy (planning-mode) for users/computers in an organizational unit
- All containers, and who can change the security permissions protecting them
- All empty containers, and who can create accounts, groups and containers within them
- All recently created containers, and who can delete them
- All recently deleted containers, and who can create containers, and where*
- All recently changed containers
- All containers for which a description is not specified, and who can specify their description
- All group policy containers, and who can change the security permissions protecting them
- All recently created group policy containers, and who can delete them
- All recently deleted group policy containers, and who can create valid group policy containers
- All recently changed group policy containers
- All service connection points, and who can change the security permissions protecting them
- All recently created service connection points, and who can delete them
- All recently deleted service connection points, and who can create service connection points, and where*
- All recently changed service connection points
- All service connection points for which keywords are specified, and who can change their keywords
- All service connection points for which DNS service names are specified, and who can change these names
- All service connection points for which service bindings are specified, and who can change these bindings
- All objects on which a security principal has any permissions
- All objects on which a security principal has explicit / inherited permissions
- All objects on which a security principal has allow / deny permissions
- All objects on which a security principal has read/modify permissions / modify owner permissions
- All objects on which a security principal has read-property permissions
- All objects on which a security principal has write-property permissions
- All objects on which a security principal has create-child / delete / delete-child / delete tree permissions
- All objects on which a security principal has extended right permissions
- All objects on which a security principal has validated write permissions
- Who can change the maximum password age for domain user accounts
- Who can change the minimum password age for domain user accounts
- Who can change the lockout duration for domain user accounts
- Who can change the lockout threshold for domain user accounts
- Who can change the lockout observation window for domain user accounts
To learn more, you can search for "Gold Finger for Active Directory".
It is very important to know who is delegated what access in Active Directory, because Active Directory is very important for organizational security.
Hi Bob,
I just wanted to say that we too are using Gold Finger to find out Who is Delegated What Access in Active Directory, and it's absolutely incredible to see how this tool makes such a difficult thing so easy to accomplish.
I mean, I've seen a lot of admins try to use tools like dsacls etc. to find out who has what permissions, and I think they don't know that who has what permissions in Active Directory is not the same as who is delegated what access in Active Directory.
Anyway, we've been able to save a lot of time and effort by using this incredible Active Directory Audit Tool, and I really have to thank Microsoft for having such a vibrant ecosystem that its partners can deliver valuable tools that can help us with Active Directory Security and Windows Security.
The sheer amount of time and effort we have saved with this tool has made it so worth it.
Cheers,
Abdul
Hello Bob,
In my experience as an IT analyst, I have found that while many organizations use Active Directory so extensively, most of them don't seem to be aware of the various Active Directory Risks that exist today, and how these risks impact Active Directory Security. This is concerning because Active Directory is so widely deployed today and I worry that it may be vulnerable, whether to Kerberos-to-NTLM downgrade attacks, or other kinds of attacks such as Active Directory Privilege Escalation which it seems could be launched by insiders as well.
Best wishes,
Andrew