Monday, October 29, 2012

How to Analyze and Audit Security Permissions in Active Directory?

I've been rather busy performing Active Directory Forestry for my clients, so have hardly had any time to blog, so thank you for pardoning my absence from this garden of my blog.

On a more serious note, we had a situation recently wherein we needed to find out who has what permissions in the Active Directory of one of our clients, primarily to see whether or not a specific IT admin may have had the delegated ability to reset the password of one of our Domain Admins.

So I was tasked with this responsibility. Now, I've been using PowerShell for many years, so  I initially started out with PowerShell with the hope of trying to find out where all that user may have had permissions, including of course based on memberships in nested groups, as this customer does have a lot of nested groups that are delegated access in their Active Directory.

After digging around with PowerShell with a bit, it quickly became clear that PowerShell was not powerful enough to make this determination. I mean I tried various ways for PowerShell to be able to help me find out where all this user had Explicit Allow Reset Password Permissions, including permissions granted via Full Control and including permissions granted to any groups to which this user might belong. Well, after trying for almost two days, I gave up with PowerShell.

The next step was to go to HomeDepot (i.e. the Internet) and look for any dedicated tools that might exist to do this, so I requested Google to help me find a good Permissions Analyzer for Active Directory.

Google basically returned 3 real choices to select from -
  1. Permissions Analyzer for Active Directory
  2. LIZA
  3. Gold Finger for Active Directory
I figured I'd try them all in order, and pick the best one for my needs, so I downloaded each one of them and gave them all a shot, only to find that of the three tools, only one of them actually did what I wanted to do.

Permissions Analyzer for Active Directory seems to be a very popular tool but as soon as I downloaded it and ran it, clouds of disappointment were all over the room because it turns out this tool doesn't actually analyze permissions in Active Directory! Why call a tool Permissions Analyzer for Active Directory if it does not analyze permissions in Active Directory - that's sadly misleading.

Next came LIZA. She downloaded instantly, installed instantly and was ready to go instantly. I was able to see my Active Directory tree in it and view permissions on individual objects, but I was unable to specify or find out where all this user may have had Explicit Allow Reset Password permissions in our Active Directory. So, with a heavy heart, I had to shelve that one too.

Finally came Gold Finger for Active Directory. I had wait for a license for about an hour, and as soon as I got it, I proceed to install it. I then fired it up and selected the Permissions Analyzer capability, and chose the option of finding out who has what permissions on an Active Directory tree.

Gold Finger for AD - Permissions Analyzer for Active Directory

Once I chose the option, there was a logical set of Find drop-downs, and I noticed that I could select from Find Explicit/Inherited/Both, Allow/Deny/Both, Any/A Specific permission type (in my case Extended Rights) and select from a list of all extended rights in our Active Directory (; I also noticed that it picked up Schema extensions) and that it had a "Include Nested Groups" option.

So I configured the find options, and clicked on the Gold Finger button, and in a few seconds, it had found me a list of all the security principals that had this combination of permissions granted. So I clicked upon this user's name, and it showed me all the user accounts on which the user had these permissions. Next, I clicked on one of these user accounts, and it showed me all the security permissions granted to this user in the ACL of that user account's ACL.

That was exactly what I was looking for, so I was happy that I had found something that could help me analyze permissions in our Active Directory easily. Ah, if only I could export the results to a CSV file, so I could then analyze these results in Excel as well - there was a CSV button, so I clicked on it and it popped up a familiar Save As dialog, so I specified a file name and clicked OK. Turns out the entire results-set was exported to a CSV file and ready for me to analyze in Excel.

That was the end of my search. We've been dabbling with Gold Finger for two weeks now and unearthing (pun intended) a lot of dirt (excessive security permissions) in our Active Directory.

It helped me save a lot of time and effort, so I thought I'd share my little finding on my blog.

If you're looking for a good permissions analyzer, check out the Permissions Analyzer capability of the Gold Finger Active Directory Audit Tool, which seems to have its own page at - Permissions Analyzer for Active Directory.

Cool stuff. Alright, back to the trenches, with my shovels and my spade.


Friday, June 18, 2010

Can Levelling a Forest be a Good Thing?

To most people, the thought of levelling a forest sounds disconcerting - after all, why would you want to level a forest, especially when the world's running out of them!

Worry not! We're actually referring to a different kind of forest, of which there are thousands in the world, and we're not actually levelling them, but rather raising their levels!

What on earth are we talking about? We're talking about Active Directory forests, which exist in virtually nine of out of ten organizations, and we're referring to the technical concept of raising the level of such a forest so as to enable greater functionalities and abilities.

For instance, if you raised the level of an Active Directory forest to Windows Server 2008 R2, you could actually of some really cool and advanced features such as the Active Directory Recycle Bin!

Now couldn't the world use more Recycle Bins! Oh well, perhaps we could cover them in our next post on Active Directory forestry!

So you see levelling a forest can be a good thing, just as long as its an Active Directory forest!


Friday, June 11, 2010

Its all about Forests and Trees

You can't have Active Directory without having a forest, and where's there's a forest, there will be trees! If you're into forestry, you know that the fewer trees the better, for it takes some real hardword to maintain a forest, given how many elements it is exposed to, and how much change its little branches goes through everyday.

With the right approach, some patience, and the right toosl however, you can certainly take good care of it, and as long as the sun keeps shinig, it'll continue to stay evergreen!

More later...

Wednesday, May 12, 2010

Active Directory Forestry

If you're not familiar with Active Directory, you're probably wondering as to what kind of tree Active Directory tree, and if you are familiar with Active Directory, you know exactly what kind of tree Active Directory is (; correct, its an inverted hierarchical tree.)

And no its not your regular real-life tree, but rather a relationship tree of (instances of) objects each of which happen to store meaningful data and happened to be either a parent or a child, although it can afely be said that all parents were also children once.

Alright, let this not confuse you further - this is basically a non-techie's blog on a techie subject, and thus the arcane approach, partly meant to vex you and partly to amuse you, but mostly to share and educate!

Now that I've sown the sapling, over time, we'll see this tree grow!

Happy shoveling,