Effective Permissions displays incorrect information


Effective Permissions are essential for maintaining security, but, sadly, Microsoft's implementation of Effective Permissions isn't accurate and is thus unreliable.

We too have been looking for a reliable way to determine Effective Permissions for some time now.

We would have been satisfied with a PowerShell script, a command-line tool, or even a basic API that we could use, but, having searched far and wide, for the longest time we did not find anything.

Last month, I shared my frustration with our MS contact and he pointed us to a discussion on an SME forum - http://www.activedirsec.org/t49320432/why-does-the-effective-permissions-tab-in-active-directory-n/

Turns out a Microsoft partner has solved the problem by building an accurate Effective Permissions tool called Gold Finger for AD. It is a minimalistic GUI-based tool and does the job - worth checking out.



Author: Zeb

Updated on September 18, 2022

Comments

  • Zeb
    Zeb almost 2 years

    I have a security mystery :) The Effective Permissions tab shows that a few sampled users (IT ops) have any and all rights (all boxes are ticked). The permissions show that the Local Administrators group has full access, and some business users have it too, of which the sampled users are not members. The Local Administrators group contains some AD IT Ops related groups, of which the sampled users, again, appear not to be members. The sampled users are not members of Domain Administrators either. I've tried tracing backwards (from permissions to user) and forwards (user to permission) and could not find anything. At this point, there are three options:

    • I've missed something and they are members of some groups.
    • There's another way of getting full permissions.
    • Effective Permissions are horribly wrong.

    Is there a way to retrieve the decision logic of Effective Permissions? Any hints, tips, ideas?

    UPDATE: The winning answer is number 3 - Effective Permissions are horribly wrong. Comparing the output when run on the server logged on as admin with the output when run as a regular user from a remote computer shows different results: all boxes (FULL) access, and on the server - None. Actually testing the access, of course, denies access.

  • Zeb
    Zeb about 12 years
    Same result, unfortunately :(
  • Zeb
    Zeb almost 12 years
    Hi. Nice script. I have something proprietary myself as well. Unfortunately, the MaxTokenSize is set to 65k and I suspect that it isn't related.
  • ZEDA-NL
    ZEDA-NL almost 12 years
    If it's set to 65K on all computers in the domain, then that won't be the problem. Good luck, please post any further outcome.
  • Hecter
    Hecter over 11 years
    Are you affiliated with Gold Finger in any way? If so, you are still welcome to mention the product, but you need to disclose your affiliation.
  • Zeb
    Zeb over 11 years
    Pricey! I wonder if Gold Finger just implements its own ACL logic based on groups and ACLs or ....
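The decision logic the question asks about, and the guess in the last comment that a tool could rebuild it from groups and ACLs, can be sketched as a small model of how Windows settles each right bit from a DACL and a logon token. This is an added illustration, not Microsoft's AccessCheck and not Gold Finger's code; the right bits, ACEs, group nesting and principal names are constructed, and the partial-membership case only shows one plausible way a checker fed an incomplete group list reports None for an ACL that actually grants everything.

```python
from collections import namedtuple

# Added illustration, not Microsoft's AccessCheck or Gold Finger's code.
# kind is "allow" or "deny"; inherited marks ACEs that came from a parent.
ACE = namedtuple("ACE", "kind trustee mask inherited")
# Constructed right bits; real AD masks are 32-bit and object-specific.
READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL = READ | WRITE | DELETE
# Canonical DACL order: explicit deny, explicit allow, inherited deny/allow.
RANK = {("deny", False): 0, ("allow", False): 1, ("deny", True): 2, ("allow", True): 3}

def token_groups(principal, membership):
    """Transitively expand nested groups, like the SIDs in a logon token."""
    seen, stack = set(), [principal]
    while stack:
        for group in membership.get(stack.pop(), ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return {principal} | seen

def effective_access(principal, dacl, membership, wanted=FULL):
    """Return (granted_mask, trace): each requested bit is settled by the
    first ACE in canonical order whose trustee is in the token."""
    token = token_groups(principal, membership)
    granted = denied = 0
    trace = []
    for ace in sorted(dacl, key=lambda a: RANK[(a.kind, a.inherited)]):
        if ace.trustee not in token:
            continue
        undecided = ace.mask & wanted & ~(granted | denied)
        if undecided:
            trace.append(f"{ace.kind} {ace.trustee} settles 0x{undecided:x}")
            if ace.kind == "deny":
                denied |= undecided
            else:
                granted |= undecided
        if (granted | denied) == wanted:
            break
    return granted, trace

# Constructed scenario like the question's: the user reaches Administrators
# only via a nested IT-Ops group, and a contractor hits an explicit deny.
MEMBERSHIP = {"zeb": ["IT-Ops"], "IT-Ops": ["BUILTIN\\Administrators"],
              "bob": ["Business-Users", "Contractors"]}
DACL = [ACE("allow", "BUILTIN\\Administrators", FULL, False),
        ACE("deny", "Contractors", WRITE | DELETE, False),
        ACE("allow", "Business-Users", READ, True)]
# A token that never resolved the nesting reports None for the very same ACL.
PARTIAL_MEMBERSHIP = {"zeb": ["IT-Ops"]}
```

The trace returned alongside the mask names the ACE that settled each bit, which is the per-bit reasoning the Effective Permissions tab hides; comparing `effective_access("zeb", DACL, MEMBERSHIP)` with the `PARTIAL_MEMBERSHIP` run reproduces a FULL-versus-None split from identical ACL data.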