Monday, October 29, 2012

How to Find Out Who is Delegated What Access in Active Directory?


Domain Admins and Enterprise Admins often delegate administrative tasks in Active Directory and from time to time need to know who is delegated what access in Active Directory.


The need to find out and audit delegated access grants in Active Directory has become very important to maintaining Active Directory security. Unfortunately, it is not very easy to correctly find out who is delegated what access in Active Directory.



(Image: Active Directory ACL)

The reason for this is that many admins believe and assume that finding out who has what permissions in Active Directory is the same as finding out who is delegated what access in Active Directory.

This of course is not true, because what matters is not who has what permissions in Active Directory, but who has what effective permissions in Active Directory, and it is very, very difficult to find out who has what effective permissions in Active Directory.

In summary, the problem is that it is very difficult to accurately determine effective permissions in Active Directory, because many factors are involved: inheritance of permissions, the ACE precedence order, permissions granted via nested group memberships, inherit-only permissions, etc.

In order to find out who is delegated what access in Active Directory, what is needed is the ability to correctly determine effective permissions in Active Directory and then to map those effective permissions to administrative tasks, and the only way to do that correctly is via automation, i.e. via an automated tool that can do this correctly.

The only Active Directory tool that I know of that can accurately determine who is delegated what access in Active Directory is the Gold Finger for Active Directory -


Active Directory Effective Delegated Access Reporter/Analyzer
(Acknowledgment: Image from www.active-directory-audit-tool.com)


Based on what I have heard, Gold Finger is the only tool that has the ability to do this accurately.

The following is a list of administrative tasks that I believe it can report on -
  1. All domain user accounts, and who can change the security permissions protecting them
  2. All administrative domain user accounts, and who can reset their passwords
  3. All active domain user accounts, and who can disable them
  4. All stale domain user accounts, and who can reset their passwords to log in as them
  5. All unused domain user accounts, and who can reset their passwords to log in as them
  6. All enabled domain user accounts, and who can disable them
  7. All disabled domain user accounts, and who can enable them
  8. All locked domain user accounts, and who can unlock them
  9. All recently created domain user accounts, and who can delete them
  10. All recently deleted domain user accounts, and who can create domain user accounts, and where*
  11. All recently changed domain user accounts
  12. All password-protected domain user accounts, and who can reset their passwords
  13. All smart-card protected domain user accounts, and who can disable the requirement of smart cards on them
  14. All domain user accounts that do not require passwords to log on
  15. All domain user accounts whose passwords never expire, and who can change this setting
  16. All domain user accounts whose password must be changed at next logon, and who can change this setting
  17. All domain user accounts that do not have an expiration date, and who can set an expiration date on them
  18. All domain user accounts that are about to expire, and who can prevent them from expiring
  19. All domain user accounts that are sensitive and cannot be delegated, and who can change their sensitivity
  20. All domain user accounts that are not sensitive and can be delegated, and who can change their sensitivity
  21. All domain user accounts that can logon to any workstation, and who can change this setting
  22. All domain user accounts that can logon to specific workstations, and who can change the list of workstations
  23. All domain user accounts that can logon anytime, and who can restrict logon to specific times only
  24. All domain user accounts for which specific logon hours have been specified, and who can change the hours
  25. All domain user accounts for which a logon-script is specified, and who can specify a logon-script
  26. All domain user accounts for which a logon-script is not specified, and who can specify their logon-script
  27. All domain user accounts that do not have a description specified, and who can specify their description
  28. All domain computer accounts, and who can change the security permissions protecting them
  29. All active domain computer accounts, and who can disable them
  30. All stale domain computer accounts, and who can reset them
  31. All unused domain computer accounts
  32. All enabled domain computer accounts, and who can disable them
  33. All disabled domain computer accounts, and who can enable them
  34. All recently created domain computer accounts, and who can delete them
  35. All recently deleted domain computer accounts, and who can create domain computer accounts, and where*
  36. All recently changed domain computer accounts
  37. All domain computer accounts that are trusted for delegation
  38. All domain computer accounts that are trusted for unconstrained delegation
  39. All domain computer accounts for which a manager is not designated, and who can designate their manager
  40. All domain computer accounts for which a location is not specified, and who can specify their location
  41. All domain computer accounts for which a description is not specified, and who can specify their description
  42. Who can change the expiration date of a computer account, and of which accounts*
  43. Who can change the DNS name of a computer account, and of which accounts*
  44. Who can change the Service Principal Names (SPNs) of a computer account, and of which accounts*
  45. All domain security groups, and who can change the security permissions protecting them
  46. All domain security groups of a specific scope, and who can change their scope
  47. All administrative domain security groups, and who can change their memberships
  48. All empty domain security groups, and who can change their memberships
  49. All nested domain security groups, and who can un-nest them
  50. All domain security groups with large memberships, and who can change their memberships
  51. All domain security groups for which a manager is not designated, and who can designate their manager
  52. All domain security groups for which a description is not specified, and who can specify their description
  53. All recently created domain security groups, and who can delete them
  54. All recently deleted domain security groups, and who can create domain security groups, and where*
  55. All recently changed domain security groups
  56. All direct and nested members of a security group, and who can change their memberships
  57. Who can add/remove oneself to/from the membership of a security group, and to/from which groups*
  58. Who can change a security group into a distribution group, and which groups*
  59. All organizational units, and who can change the security permissions protecting them
  60. All empty organizational units, and who can create accounts, groups, containers and OUs within them
  61. All recently created organizational units, and who can delete them
  62. All recently deleted organizational units, and who can create organizational units, and where*
  63. All recently changed organizational units
  64. All organizational units to which group policies are explicitly linked, and who can unlink linked policies
  65. All organizational units to which group policies are not explicitly linked, and who can link policies to them
  66. All organizational units for which a manager is not designated, and who can designate their manager
  67. All organizational units for which a description is not specified, and who can specify their description
  68. Who can generate resultant set of policy (logging-mode) for users/computers in an organizational unit
  69. Who can generate resultant set of policy (planning-mode) for users/computers in an organizational unit
  70. All containers, and who can change the security permissions protecting them
  71. All empty containers, and who can create accounts, groups and containers within them
  72. All recently created containers, and who can delete them
  73. All recently deleted containers, and who can create containers, and where*
  74. All recently changed containers
  75. All containers for which a description is not specified, and who can specify their description
  76. All group policy containers, and who can change the security permissions protecting them
  77. All recently created group policy containers, and who can delete them
  78. All recently deleted group policy containers, and who can create valid group policy containers
  79. All recently changed group policy containers
  80. All service connection points, and who can change the security permissions protecting them
  81. All recently created service connection points, and who can delete them
  82. All recently deleted service connection points, and who can create service connection points, and where*
  83. All recently changed service connection points
  84. All service connection points for which keywords are specified, and who can change their keywords
  85. All service connection points for which DNS service names are specified, and who can change these names
  86. All service connection points for which service bindings are specified, and who can change these bindings
  87. All objects on which a security principal has any permissions
  88. All objects on which a security principal has explicit / inherited permissions
  89. All objects on which a security principal has allow / deny permissions
  90. All objects on which a security principal has read/modify permissions / modify owner permissions
  91. All objects on which a security principal has read-property permissions
  92. All objects on which a security principal has write-property permissions
  93. All objects on which a security principal has create-child / delete / delete-child / delete tree permissions
  94. All objects on which a security principal has extended right permissions
  95. All objects on which a security principal has validated write permissions
  96. Who can change the maximum password age for domain user accounts
  97. Who can change the minimum password age for domain user accounts
  98. Who can change the lockout duration for domain user accounts
  99. Who can change the lockout threshold for domain user accounts
  100. Who can change the lockout observation window for domain user accounts
 
Kindly note that I was able to get this list from this source - Delegated Access Reports

To learn more, you can search for "Gold Finger for Active Directory".

It is very important to know who is delegated what access in Active Directory, because Active Directory is very important for organizational security.

Friday, June 11, 2010

How to determine the Resultant Set of Permissions in Active Directory

If you're a Windows IT Admin, you know that delegation of administration and provisioning of access for identity and access management is done in Active Directory.

Delegating administration and provisioning access in Active Directory both basically involve setting up the right permissions for the right users and groups in the access control lists of Active Directory objects. In other words, Active Directory's security model is involved in delegating administration and provisioning access.

It so turns out that, unlike the file system security model, the Active Directory security model is rather complicated: it involves many more permissions, (and I think) too many special permissions, potentially deep and arcane group nestings, inheritance of permissions, and a whole range of other factors which make it very difficult to really figure out what access someone has in Active Directory.

In this blog post, I will attempt to unpeel some of these layers so we can all figure out exactly what needs to be taken into account to actually determine the resultant set of permissions in Active Directory.
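The layers named here, and the same factors named in the October 2012 post above (inheritance, ACE precedence order, nested group memberships, inherit-only ACEs, and the mapping from effective permissions to administrative tasks), can be made concrete with a small model. The following is an added example written for this page; it is not code from Gold Finger, from Microsoft, or from the post's author. The principals, groups and ACEs are constructed, the evaluation is a simplified version of the Windows DACL walk, and the only real-world values are the two schema GUIDs and the three access-mask bits noted in the comments. `who_is_listed` gives the naive "who has permissions" answer and `who_can` the effective one, so the gap the first post describes shows up directly in the output.

```python
"""Toy model of effective permissions in Active Directory (constructed example).

Not Gold Finger's code or Microsoft's access check. Simplified DACL walk that
covers the factors the text names:
  - group memberships are expanded transitively (nested groups),
  - ACEs are taken in canonical order (explicit deny, explicit allow,
    inherited deny, inherited allow) and the first matching ACE decides,
  - inherit-only ACEs never apply to the object that carries them,
  - an ACE scoped to one attribute or extended right grants nothing else.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Well-known Active Directory schema GUIDs (real values).
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
MEMBER_ATTR = "bf9679c0-0de6-11d0-a285-00aa003049e2"     # the 'member' attribute

# Access-mask bits, a subset of the real ADS_RIGHT_* values.
WRITE_PROP = 0x20        # ADS_RIGHT_DS_WRITE_PROP
CONTROL_ACCESS = 0x100   # ADS_RIGHT_DS_CONTROL_ACCESS (extended rights)
WRITE_DAC = 0x40000      # ADS_RIGHT_WRITE_DAC (change the security descriptor)


@dataclass(frozen=True)
class Ace:
    trustee: str                       # user or group name
    allow: bool                        # True = allow ACE, False = deny ACE
    mask: int                          # access-mask bits
    object_type: Optional[str] = None  # attribute/right GUID; None = whole object
    inherited: bool = False            # came down from a parent container
    inherit_only: bool = False         # applies to children only, not this object


def expand_groups(principal: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """Return the principal plus every group it belongs to, directly or nested."""
    tokens: Set[str] = set()
    stack = [principal]
    while stack:
        p = stack.pop()
        if p in tokens:
            continue
        tokens.add(p)
        stack.extend(g for g, members in groups.items() if p in members)
    return tokens


def canonical_order(dacl: List[Ace]) -> List[Ace]:
    """Explicit before inherited, deny before allow (False sorts before True)."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def ace_matches(ace: Ace, tokens: Set[str], right: int, object_type: Optional[str]) -> bool:
    """Does this ACE speak to `right` on `object_type` for any of these tokens?"""
    if ace.inherit_only or ace.trustee not in tokens or not ace.mask & right:
        return False
    # No object type means the ACE covers every attribute and right.
    return ace.object_type is None or ace.object_type == object_type


def has_effective_right(principal, right, object_type, dacl, groups) -> bool:
    """First matching ACE in canonical order decides; no match means no access."""
    tokens = expand_groups(principal, groups)
    for ace in canonical_order(dacl):
        if ace_matches(ace, tokens, right, object_type):
            return ace.allow
    return False


# Administrative task -> (access-mask bit, object-type GUID) it requires.
TASKS = {
    "reset password": (CONTROL_ACCESS, RESET_PASSWORD),
    "change group membership": (WRITE_PROP, MEMBER_ATTR),
    "change security permissions": (WRITE_DAC, None),
}


def who_can(task, principals, dacl, groups) -> List[str]:
    """Effective answer: who can actually perform the task on this object."""
    right, object_type = TASKS[task]
    return sorted(p for p in principals
                  if has_effective_right(p, right, object_type, dacl, groups))


def who_is_listed(task, principals, dacl, groups) -> List[str]:
    """Naive answer: who appears in an allow ACE for the task (directly or via
    a group), ignoring deny ACEs and inherit-only flags."""
    right, object_type = TASKS[task]
    return sorted(p for p in principals if any(
        a.allow and a.trustee in expand_groups(p, groups) and a.mask & right
        and (a.object_type is None or a.object_type == object_type) for a in dacl))


# Constructed directory: nested groups and the DACL on one user object.
GROUPS = {
    "Helpdesk": {"alice"},
    "Tier2": {"Helpdesk", "bob"},      # Helpdesk is nested inside Tier2
    "Contractors": {"carol"},
}
PRINCIPALS = ["alice", "bob", "carol", "dave"]
DACL = [
    Ace("Tier2", True, CONTROL_ACCESS, RESET_PASSWORD, inherited=True),
    Ace("Contractors", True, WRITE_PROP, MEMBER_ATTR, inherited=True),
    Ace("bob", False, CONTROL_ACCESS, RESET_PASSWORD),   # explicit deny wins
    Ace("dave", True, WRITE_DAC, inherited=True, inherit_only=True),
    Ace("carol", True, WRITE_DAC),
]

if __name__ == "__main__":
    for task in TASKS:
        print(f"{task}: listed={who_is_listed(task, PRINCIPALS, DACL, GROUPS)} "
              f"effective={who_can(task, PRINCIPALS, DACL, GROUPS)}")
```

In the constructed data, bob appears in an ACE that allows password resets (through Tier2) but an explicit deny on him takes precedence over the inherited allow, and dave's WRITE_DAC ACE is inherit-only, so it protects children of this object but not the object itself. alice reaches the inherited allow only through the Helpdesk-in-Tier2 nesting. A report that stops at "who is listed in the ACL" would therefore name bob and dave; the effective answer does not.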