Monday, October 29, 2012

How to Analyze and Audit Security Permissions in Active Directory?



I've been rather busy performing Active Directory Forestry for my clients, so have hardly had any time to blog, so thank you for pardoning my absence from this garden of my blog.

On a more serious note, we had a situation recently wherein we needed to find out who has what permissions in the Active Directory of one of our clients, primarily to see whether or not a specific IT admin may have had the delegated ability to reset the password of one of our Domain Admins.

So I was tasked with this responsibility. Now, I've been using PowerShell for many years, so I initially started out with PowerShell with the hope of trying to find out where all that user may have had permissions, including of course based on memberships in nested groups, as this customer does have a lot of nested groups that are delegated access in their Active Directory.

After digging around with PowerShell for a bit, it quickly became clear that PowerShell was not powerful enough to make this determination. I mean I tried various ways for PowerShell to be able to help me find out where all this user had Explicit Allow Reset Password Permissions, including permissions granted via Full Control and including permissions granted to any groups to which this user might belong. Well, after trying for almost two days, I gave up with PowerShell.
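As an added illustration of the question being asked above (this is not the author's script, nor code from any of the tools named below), one way to express it in PowerShell: walk every user object's ACL and report the ones where a given account, directly or through nested group membership, holds an Allow ACE for the Reset Password extended right or Full Control. It assumes the RSAT ActiveDirectory module, read access to the directory, and a placeholder account name 'jdoe'.

```powershell
# Added example, not the post's own script: list the user objects on which a given
# account, directly or through nested groups, holds an Allow ACE that grants
# Reset Password (or Full Control). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Well-known control-access right GUID for Reset Password (User-Force-Change-Password).
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$ADRights = [System.DirectoryServices.ActiveDirectoryRights]

function Find-ResetPasswordGrants {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [switch]$IncludeInherited   # default: explicit ACEs only, as in the post
    )
    $principal = Get-ADUser -Identity $SamAccountName
    # The account's own SID plus the SID of every group it belongs to, transitively,
    # resolved server-side with the LDAP_MATCHING_RULE_IN_CHAIN matching rule.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($principal.DistinguishedName))"
    $sids = @($principal.SID.Value) + @($groups | ForEach-Object { $_.SID.Value })

    foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }
            # Compare by SID so a group ACE matches regardless of how the name resolves.
            try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }
            if ($sids -notcontains $aceSid) { continue }
            $rights = $ace.ActiveDirectoryRights
            # Full Control, or ExtendedRight scoped to Reset Password (or to all extended rights).
            $grantsReset = $rights.HasFlag($ADRights::GenericAll) -or
                ($rights.HasFlag($ADRights::ExtendedRight) -and
                 ($ace.ObjectType -eq $ResetPasswordGuid -or $ace.ObjectType -eq [Guid]::Empty))
            if ($grantsReset) {
                [pscustomobject]@{
                    Target    = $user.DistinguishedName
                    GrantedTo = $ace.IdentityReference.Value
                    Rights    = $rights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# 'jdoe' is a placeholder; export the result set for review in Excel.
Find-ResetPasswordGrants -SamAccountName 'jdoe' | Export-Csv .\reset-password-grants.csv -NoTypeInformation
```

Deny ACEs are skipped rather than evaluated against the Allows, and every user object's ACL is read, so on a large domain narrow -SearchBase to the OU of interest.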

The next step was to go to HomeDepot (i.e. the Internet) and look for any dedicated tools that might exist to do this, so I requested Google to help me find a good Permissions Analyzer for Active Directory.

Google basically returned 3 real choices to select from -
  1. Permissions Analyzer for Active Directory
  2. LIZA
  3. Gold Finger for Active Directory

I figured I'd try them all in order, and pick the best one for my needs, so I downloaded each one of them and gave them all a shot, only to find that of the three tools, only one of them actually did what I wanted to do.

Permissions Analyzer for Active Directory seems to be a very popular tool but as soon as I downloaded it and ran it, clouds of disappointment were all over the room because it turns out this tool doesn't actually analyze permissions in Active Directory! Why call a tool Permissions Analyzer for Active Directory if it does not analyze permissions in Active Directory - that's sadly misleading.

Next came LIZA. She downloaded instantly, installed instantly and was ready to go instantly. I was able to see my Active Directory tree in it and view permissions on individual objects, but I was unable to specify or find out where all this user may have had Explicit Allow Reset Password permissions in our Active Directory. So, with a heavy heart, I had to shelve that one too.

Finally came Gold Finger for Active Directory. I had to wait for a license for about an hour, and as soon as I got it, I proceeded to install it. I then fired it up and selected the Permissions Analyzer capability, and chose the option of finding out who has what permissions on an Active Directory tree.

[Screenshot: Gold Finger for AD - Permissions Analyzer for Active Directory]

Once I chose the option, there was a logical set of Find drop-downs, and I noticed that I could select from Find Explicit/Inherited/Both, Allow/Deny/Both, Any/A Specific permission type (in my case Extended Rights) and select from a list of all extended rights in our Active Directory (I also noticed that it picked up Schema extensions), and that it had an "Include Nested Groups" option.

So I configured the find options, and clicked on the Gold Finger button, and in a few seconds, it had found me a list of all the security principals that had this combination of permissions granted. So I clicked upon this user's name, and it showed me all the user accounts on which the user had these permissions. Next, I clicked on one of these user accounts, and it showed me all the security permissions granted to this user in that user account's ACL.

That was exactly what I was looking for, so I was happy that I had found something that could help me analyze permissions in our Active Directory easily. Ah, if only I could export the results to a CSV file, so I could then analyze these results in Excel as well - there was a CSV button, so I clicked on it and it popped up a familiar Save As dialog, so I specified a file name and clicked OK. Turns out the entire results-set was exported to a CSV file and ready for me to analyze in Excel.

That was the end of my search. We've been dabbling with Gold Finger for two weeks now and unearthing (pun intended) a lot of dirt (excessive security permissions) in our Active Directory.

It helped me save a lot of time and effort, so I thought I'd share my little finding on my blog.

If you're looking for a good permissions analyzer, check out the Permissions Analyzer capability of the Gold Finger Active Directory Audit Tool, which seems to have its own page at - Permissions Analyzer for Active Directory.

Cool stuff. Alright, back to the trenches, with my shovels and my spade.

Benjamin.