How to Find Out Who is Delegated What Access in Active Directory?

Domain Admins and Enterprise Admins often delegate administrative tasks in Active Directory and from time to time need to know who is delegated what access in Active Directory.

How to Find Out Who is Delegated What Access in Active Directory?

The need to find out and audit delegated access grants in Active Directory has become very important to maintain Active Directory security. Unfortunately, it is not very easy to find out who is delegated what access in Active Directory correctly.



Active Directory ACL

The reason for this is that while many admins believe and assume that if you find out who has what permissions in Active Directory, it is the same as who is delegated what access in Active Directory.

This of course is not true, because what matters is not who has what permissions in Active Directory, but who has what effective permissions in Active Directory, and it is is very very difficult to try and find out who has effective permissions in Active Directory.

• Note: If you're looking for details to understand why this is the case, there is a helpful write-up at - Pitfalls in Assessing Delegated Access in Active Directory

In summary, the problem is that it is very difficult to accurately determine Effective Permissions in Active Directory because there are many factors such as inheritance of permissions, ACE precedence orders, permissions granted via nested group memberships, inheritance only permissions etc.

In order to find out who is delegated what access in Active Directory, what is needed is the ability to correctly determine effective permissions in Active Directory and then mapping those effective permissions to administrative tasks, and the only way to do that correctly is via automation i.e. via an automated tool that can do this correctly.

The only Active Directory tool that I know of that can accurately determine who is delegated what access in Active Directory is the Gold Finger for Active Directory -

Active Directory Effective Delegated Access Reporter/Analyzer

(Acknowledgment: Image from www.active-directory-audit-tool.com)

Based on what I have heard, Gold Finger is the only tool that has the ability to do this accurately.

The following is a list of administrative tasks that I believe it can report on -

1. All domain user accounts, and who can change the security permissions protecting them
2. All administrative domain user accounts, and who can reset their passwords
3. All active domain user accounts, and who can disable them
4. All stale domain user accounts, and who can reset their passwords to login as them
5. All unused domain user accounts, and who can reset their passwords to login as them
6. All enabled domain user accounts, and who can disable them
7. All disabled domain user accounts, and who can enable them
8. All locked domain user accounts, and who can unlock them
9. All recently created domain user accounts, and who can delete them
10. All recently deleted domain user accounts, and who can create domain user accounts, and where*
11. All recently changed domain user accounts
12. All password-protected domain user accounts, and who can reset their passwords
13. All smart-card protected domain user accounts, and who can disable the requirement of smart cards on them
14. All domain-user accounts that do not require passwords to logon
15. All domain user accounts whose passwords never expire, and who can change this setting
16. All domain user accounts whose password must be changed at next logon, and who can change this setting
17. All domain-user accounts that do not have an expiration date, and who can set an expiration date on them
18. All domain-user accounts that are about to expire, and who can prevent them from expiring
19. All domain user accounts that are sensitive and cannot be delegated, and who can change their sensitivity
20. All domain user accounts that are not sensitive and can be delegated, and who can change their sensitivity
21. All domain user accounts that can logon to any workstation, and who can change this setting
22. All domain user accounts that can logon to specific workstations, and who can change the list of workstations
23. All domain user accounts that can logon anytime, and who can restrict logon to specific times only
24. All domain user accounts for which specific logon hours have been specified, and who can change the hours
25. All domain user accounts for which a logon-script is specified, and who can specify a logon-script
26. All domain user accounts for which a logon-script is not specified, and who can specify their logon-script
27. All domain user accounts that do not have a description specified, and who can specify their description
28. All domain computer accounts, and who can change the security permissions protecting them
29. All active domain computer accounts, and who can disable them
30. All stale domain computer accounts, and who can reset them
31. All unused domain computer accounts
32. All enabled domain computer accounts, and who can disable them
33. All disabled domain computer accounts, and who can enable them
34. All recently created domain computer accounts, and who can delete them
35. All recently deleted domain computer accounts, and who can create domain computer accounts, and where*
36. All recently changed domain computer accounts
37. All domain computer accounts that are trusted for delegation
38. All domain computer accounts that are trusted for unconstrained delegation
39. All domain computer accounts for which a manager is not designated, and who can designate their manager
40. All domain computer accounts for which a location is not specified, and who can specify their location
41. All domain computer accounts for which a description is not specified, and who can specify their description
42. Who can change the expiration date of a computer account, and of which accounts*
43. Who can change the DNS name of a computer account, and of which accounts*
44. Who can change the Service Principal Names (SPNs) of a computer account, and of which accounts*
45. All domain security groups, and who can change the security permissions protecting them
46. All domain security groups of a specific scope, and who can change their scope
47. All administrative domain security groups, and who can change their memberships
48. All empty domain security groups, and who can change their memberships
49. All nested domain security groups, and who can un-nest them
50. All domain security groups with large memberships, and who can change their memberships
51. All domain security groups for which a manager is not designated, and who can designate their manager
52. All domain security groups for which a description is not specified, and who can specify their description
53. All recently created domain security groups, and who can delete them
54. All recently deleted domain security groups, and who can create domain security groups, and where*
55. All recently changed domain security groups
56. All direct and nested members of a security group, and who can change their memberships
57. Who can add/remove oneself to/from the membership of a security group, and to/from which groups*
58. Who can change a security group into a distribution group, and which groups*
59. All organizational units, and who can change the security permissions protecting them
60. All empty organizational units, and who can create accounts, groups, containers and OUs within them
61. All recently created organizational units, and who can delete them
62. All recently deleted organizational units, and who can create organizational units, and where*
63. All recently changed organizational units
64. All organizational units to which group policies are explicitly linked, and who can unlink linked policies
65. All organizational units to which group policies are not explicitly linked, and who can link policies to them
66. All organizational units for which a manager is not designated, and who can designate their manager
67. All organizational units for which a description is not specified, and who can specify their description
68. Who can generate resultant set of policy (logging-mode) for users/computers in an organizational unit
69. Who can generate resultant set of policy (planning-mode) for users/computers in an organizational unit
70. All containers, and who can change the security permissions protecting them
71. All empty containers, and who can create accounts, groups and containers within them
72. All recently created containers, and who can delete them
73. All recently deleted containers, and who can create containers, and where*
74. All recently changed containers
75. All containers for which a description is not specified, and who can specify their description
76. All group policy containers, and who can change the security permissions protecting them
77. All recently created group policy containers, and who can delete them
78. All recently deleted group policy containers, and who can create valid group policy containers
79. All recently changed group policy containers
80. All service connection points, and who can change the security permissions protecting them
81. All recently created service connection points, and who can delete them
82. All recently deleted service connection points, and who can create service connection points, and where*
83. All recently changed service connection points
84. All service connection points for which keywords are specified, and who can change their keywords
85. All service connection points for which DNS service names are specified, and who can change these names
86. All service connection points for which service bindings are specified, and who can change these bindings
87. All objects on which a security principal has any permissions
88. All objects on which a security principal has explicit / inherited permissions
89. All objects on which a security principal has allow / deny permissions
90. All objects on which a security principal has read/modify permissions / modify owner permissions
91. All objects on which a security principal has read-property permissions
92. All objects on which a security principal has write-property permissions
93. All objects on which a security principal has create-child / delete / delete-child / delete tree permissions
94. All objects on which a security principal has extended right permissions
95. All objects on which a security principal has validated write permissions
96. Who can change the maximum password age for domain user accounts
97. Who can change the minimum password age for domain user accounts
98. Who can change the lockout duration for domain user accounts
99. Who can change the lockout threshold for domain user accounts
100. Who can change the lockout observation window for domain user accounts

 

Kindly note that I was able to get this list from this source - Delegated Access Reports

To learn more, you can search for "Gold Finger for Active Directory".

It is very important to be know who is delegated what access in Active Directory because Active Directory is Very Important for Organizational Security.

How to determine the Resultant Set of Permissions in Active Directory

If you're a Windows IT Admin, you know that delegation of administration and provisioning of access for identity and access management is done in the Active Directory.

Delegating administration and provisioning access in Active Directory both basically involve setting up the right permissions for the right users and groups in the access control lists of Active Directory objects. In other words, Active Directory's security model is involved in delegating administration and provisioning access.

It so turns out that unlike the file system security model, the Active Directory security model is rather complicated because it involves many more permissions, (and I think) too many special permissions, potentially deep and arcane group nestings, inheritance of permissions and a whole range of factors which make it very difficult to really figure out what access someone may have in the Active Directory.

In this blog, I will make an attempt to try and unpeel some of these layers so we can all figure out exactly what all we needs to be takes into account to actually determine the resultant set of permissions in Active Directory.