How to Audit Security Permissions and Access Rights in Active Directory by William H Edwards

Active Directory is the foundation of security and IT management in Windows Server based IT infrastructures. It stores and protects the building blocks of security: the user accounts used for authentication, the security groups used for authorization to resources stored on every domain-joined server, and the audit trail of identity and access management tasks. It is also the focal point of administrative delegation in Windows based environments.

As a result, a substantial amount of access provisioning is done in Active Directory to fulfill business requirements such as the following:

1. Delegation of administrative duties to fulfill IT management needs and gain cost efficiencies

2. Provisioning of access to group owners and managers for project specific group management

3. Provisioning of access to line-of-business and other service accounts of AD integrated services

4. Provisioning of access for in-house or vendor supplied AD integrated applications

5. Provisioning of access for security/other services that assist in identity/access management

In most AD environments, access provisioning has been an ongoing activity for years. As a result, most deployments carry literally thousands of permissions granting varying levels of access to numerous individuals, groups and service accounts.

The Need to Audit Active Directory Permissions

Auditing Active Directory (AD) permissions is both an important and a common need for organizations. It is common because in every organization various stakeholders need to know things like:

1. Who has what access in AD?
2. Who has what access on specific objects in AD?
3. Who can perform what operations on specific AD OUs?
4. Who is delegated what administrative tasks, where in AD, and how?

The need to have answers to these questions is driven by various aspects of IT and security management such as:

1. IT audits driven by internal needs and/or regulatory compliance needs
2. Security risk assessment and mitigation activities aimed at managing risk
3. Security vulnerability assessment and penetration testing results

In all such cases, the one commonality is the need to know who has what access in AD, and that one need can be fulfilled by performing an Active Directory access audit.

How to Audit Active Directory Permissions

The need to audit Active Directory permissions is thus a common one, for the reasons stated above. In most organizations, numerous IT personnel in various roles, such as Domain Admins, Delegated Admins, IT Security Analysts, IT Auditors, IT Managers, Application Developers and others, at some point or another need to find out who has what access in Active Directory, whether on a single AD object, in an OU of objects, or across an entire AD domain.

To fulfill this need, most IT personnel perform an audit of Active Directory permissions, hoping to find out who has what access in AD on one or more objects.

However, there is a very important point that most IT personnel often inadvertently miss, which is that what they actually need to find out is not who has what permissions in Active Directory, but who has what effective permissions in Active Directory.

As a result, they continue to invest substantial time and effort in trying to audit AD permissions via command-line tools, scripts and other means. In doing so, they usually not only end up losing substantial time and effort, but more importantly, they end up with inaccurate data, reliance upon which can lead to incorrect access decisions, and this can result in the introduction of unauthorized access in AD, which can pose a serious risk to their security.

The reason one needs to know who has what effective permissions in AD, rather than who has what permissions, is that effective permissions are what determine the access a user actually has in AD.

The Difference Between Permissions and Effective Permissions in Active Directory

The difference between permissions and effective permissions in Active Directory is very important to understand because it can mean the difference between accurate information and inaccurate information and consequently the difference between security and compromise.

The permissions a user has in Active Directory are merely the permissions granted to that user in the various access control entries (ACEs) of an object's ACL. Each ACE is of type Allow or Deny, and is either Explicit (set directly on the object) or Inherited (propagated from a parent container). An ACE may also apply to the object itself or not apply to it at all, as with inherit-only ACEs, which exist solely to be inherited downstream by child objects to which they might apply.

In contrast, the effective permissions a user has are the resultant set of permissions once every ACE that might apply to him/her is taken into account under the access-check rules: ACEs are evaluated in canonical order, explicit before inherited and, within each, Deny before Allow, so an explicit Allow overrides an inherited Deny; access granted to every security group the user belongs to, directly or through nested group memberships, is expanded; and special SIDs such as Self, Everyone and Authenticated Users are interpreted. In AD, object-specific ACEs additionally scope a grant to a single attribute, property set or extended right rather than to the whole object.

In reality, whenever a user attempts any operation in AD, such as reading data, creating an object, modifying an attribute or deleting an object, whether the requested access is granted depends on his/her effective permissions, which the system computes from all the ACEs that apply to him/her using the rules described above.

As a result, the only way to find out who really has what access in Active Directory is to determine effective permissions, not to determine what permissions a user has in Active Directory.
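The following PowerShell is an added example, not code from the original article, that applies the rules above to one principal, one object and one requested right: it expands the user's group set from tokenGroups, adds the well-known SIDs (Everyone, Authenticated Users and, where the user is evaluating his/her own account, Self), and walks the DACL in canonical order, accumulating Allows and stopping on a Deny that covers a still-ungranted bit. It assumes the ActiveDirectory RSAT module on a domain-joined host; the function names, the DN and the account in the usage line are placeholders. It deliberately leaves out several things a complete access check includes (property sets, validated writes, the owner's implicit rights, and the privileges of built-in administrative accounts), so treat it as a worked illustration of the evaluation order rather than as an effective-permissions tool.

```powershell
# Added example: simplified effective-permissions check for one principal on one AD object.
# Assumes the ActiveDirectory module; function, DN and account names are placeholders.
Import-Module ActiveDirectory

function Get-PrincipalSids {
    # SIDs the user carries in a token: own SID, every SID from tokenGroups (a constructed
    # attribute the DC computes, so nested and domain local groups are already expanded),
    # the well-known SIDs every authenticated user has, and SELF when the target object
    # is the user's own account.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [System.Security.Principal.SecurityIdentifier]$ObjectSid
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    $sids = @($user.SID.Value)
    $sids += $user.tokenGroups | ForEach-Object { $_.Value }
    $sids += 'S-1-1-0'    # Everyone
    $sids += 'S-1-5-11'   # Authenticated Users
    if ($ObjectSid -and $ObjectSid.Value -eq $user.SID.Value) { $sids += 'S-1-5-10' }   # SELF
    return $sids | Select-Object -Unique
}

function Test-AdEffectiveAccess {
    # Walk the DACL in canonical order: explicit Deny, explicit Allow, inherited Deny,
    # inherited Allow. Allows accumulate until every requested bit is granted; a Deny
    # on any still-ungranted bit fails the check.
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Right,
        [guid]$ObjectType = [guid]::Empty   # attribute / extended-right GUID; Empty = object-wide
    )
    $obj  = Get-ADObject -Identity $ObjectDN -Properties objectSid
    $sids = Get-PrincipalSids -SamAccountName $SamAccountName -ObjectSid $obj.objectSid
    $acl  = Get-Acl -Path "AD:\$ObjectDN"

    $ordered = $acl.Access | Sort-Object -Property @{ Expression = {
        # rank 0..3 = explicit Deny, explicit Allow, inherited Deny, inherited Allow
        $(if ($_.IsInherited) { 2 } else { 0 }) + $(if ($_.AccessControlType -eq 'Allow') { 1 } else { 0 })
    } }

    $remaining = [int]$Right
    foreach ($ace in $ordered) {
        # Inherit-only ACEs sit in this DACL but do not apply to this object
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        # Skip ACEs whose trustee is not in the token (unresolvable/orphaned SIDs included)
        try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($sids -notcontains $aceSid) { continue }
        # An object-specific ACE covers only the attribute or right named in ObjectType
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $ObjectType) { continue }
        $overlap = [int]$ace.ActiveDirectoryRights -band $remaining
        if ($overlap -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $remaining = $remaining -band (-bnot $overlap)
        if ($remaining -eq 0) { return $true }
    }
    return $false
}

# Usage (placeholder DN and account): can jdoe reset this account's password?
# Reset Password is the extended right User-Force-Change-Password,
# GUID 00299570-246d-11d0-a768-00aa006e0529.
Test-AdEffectiveAccess -ObjectDN 'CN=Jane Roe,OU=Staff,DC=corp,DC=example' `
    -SamAccountName 'jdoe' -Right ExtendedRight -ObjectType '00299570-246d-11d0-a768-00aa006e0529'
```

Because GenericAll (Full Control) includes the ExtendedRight bit, a Full Control grant to one of jdoe's nested groups satisfies the request even though no ACE mentions the Reset Password GUID; an explicit Deny of ExtendedRight on the account, on the other hand, wins over any inherited Allow because it sorts first. Running this for every user in the domain is exactly the brute-force loop the native tab forces on you, which is why the article argues for a tool that inverts the question.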

How to Determine/Audit Effective Permissions in Active Directory

If you are ever trying to find out who has what access in AD, or who is delegated what access or tasks, what you need to determine/audit is effective permissions, not simple permissions. So the question then is how does one determine/audit effective permissions in AD.

It turns out that because effective permissions are so important, Microsoft's Active Directory Users and Computers snap-in has a tab dedicated to determining them: open the object's Security tab (visible only when View > Advanced Features is enabled), click Advanced, and select the Effective Permissions tab (named Effective Access in Windows Server 2012 and later).

However, this tab is not always accurate and thus is difficult to rely on. It also answers only one question at a time: it shows the effective permissions of a single given principal, so to find out everyone who has certain effective permissions on an object you would need to enter the identity of every individual in your domain one by one.

While this may be doable in small domains containing only a few users, in domains with thousands of users, this becomes practically unusable because it requires that you enter the identity of every user in the domain and that could take a very long time.

As a result, even though there is an entire tab dedicated to the determination of effective permissions in AD in Microsoft's native tools, it is hardly useful, and leaves IT personnel with a very difficult and important problem to solve themselves.

To determine effective permissions otherwise, one needs to inspect every permission specified in an object's ACL and work out the resultant access by hand, taking into account all the factors involved in making this assessment accurately.

Such factors include, but are not limited to, identifying which ACEs actually apply to the object (as opposed to being inherit-only), which attribute, property set or extended right each object-specific ACE is scoped to, expanding all security groups, and combining all relevant explicit and inherited Allow and Deny entries in canonical order.

This process takes considerable time, but it is vital to security and thus essential to operating a secure AD. The recent availability of tools that automate it can save organizations substantial time and effort.

Auditing Permissions in Active Directory

As mentioned above, most of the time what IT personnel need to audit is effective permissions, not just the raw permissions in AD. There are times, however, when it is the permissions themselves that you need to audit.

This is usually needed to answer questions like:

1. Where does a particular user/group have permissions granted in AD?
2. Where does a specific user/group have a specific type of permissions in AD?
3. Who is granted explicit/inherited permissions in/on an OU in AD?
4. Which users/groups have what permissions on an AD object / in an OU/domain?

In such cases, one does need to audit permissions in AD and the easiest way to audit permissions in AD is by using a good Active Directory Permissions Analyzer. The benefit of using a good permissions analyzer is that it can help you find out who has what permissions where in AD automatically, thus doing all the hard work for you.

The other way is to dump the ACLs/permissions of all objects in the OU or domain to a CSV/Excel file and then do your own filtering and analysis. The downside is that you still have to expand group memberships, decode the individual permissions packed into each access mask, resolve the GUIDs of object-specific ACEs to attribute and extended-right names, and so on yourself, but with some effort it can be done.
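As an added example of the dump-and-analyze approach (again not the article's code), the PowerShell below enumerates every object under an OU, writes each ACE to CSV with the raw access mask beside its decoded flag names, and resolves the ObjectType and InheritedObjectType GUIDs against the schema (schemaIDGUID) and the Extended-Rights container (rightsGuid) so object-specific ACEs read as attribute, property-set or extended-right names. It assumes the ActiveDirectory module; the function names, OU, CSV path and trustee are placeholders. The -Trustee filter matches the ACE's rendered identity only, so it answers "where is this group granted permissions" directly; finding every ACE a given user benefits from through group membership still requires expanding that user's groups first.

```powershell
# Added example: dump ACEs under an OU to CSV with decoded masks and resolved GUIDs.
# Assumes the ActiveDirectory module; names, OU and trustee below are placeholders.
Import-Module ActiveDirectory

function Get-AdGuidMap {
    # GUID -> name table: schemaIDGUID of every attribute and class, plus rightsGuid
    # of every extended right and property set under CN=Extended-Rights.
    $root = Get-ADRootDSE
    $map  = @{}
    Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.name }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" -LDAPFilter '(rightsGuid=*)' -Properties name, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.name }
    return $map
}

function Resolve-AdGuid {
    # Empty GUID means "not restricted"; unknown GUIDs are left as-is rather than guessed
    param([hashtable]$Map, [guid]$Guid, [string]$EmptyLabel)
    if ($Guid -eq [guid]::Empty) { return $EmptyLabel }
    if ($Map.ContainsKey($Guid)) { return $Map[$Guid] }
    return $Guid.ToString()
}

function Export-AdAces {
    # Every ACE on every object under $SearchBase (the base itself included).
    # -Trustee narrows output to one account or group as rendered, e.g. 'CORP\HelpDesk'.
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$CsvPath,
        [string]$Trustee
    )
    $map  = Get-AdGuidMap
    $rows = foreach ($obj in Get-ADObject -SearchBase $SearchBase -Filter *) {
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($Trustee -and $ace.IdentityReference.Value -ne $Trustee) { continue }
            [pscustomobject]@{
                Object      = $obj.DistinguishedName
                Trustee     = $ace.IdentityReference.Value
                Type        = $ace.AccessControlType
                AccessMask  = '0x{0:X8}' -f [int]$ace.ActiveDirectoryRights    # raw bit mask
                Rights      = $ace.ActiveDirectoryRights.ToString()             # mask decoded to flag names
                AppliesTo   = Resolve-AdGuid -Map $map -Guid $ace.ObjectType -EmptyLabel '(entire object)'
                ChildClass  = Resolve-AdGuid -Map $map -Guid $ace.InheritedObjectType -EmptyLabel '(all classes)'
                Inherited   = $ace.IsInherited
                InheritOnly = [bool]($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)
            }
        }
    }
    $rows | Export-Csv -Path $CsvPath -NoTypeInformation
    return $rows
}

# Usage (placeholder OU and group): every explicit ACE that actually applies to an
# object under the Staff OU and is granted to the help desk group.
Export-AdAces -SearchBase 'OU=Staff,DC=corp,DC=example' -CsvPath .\staff-aces.csv -Trustee 'CORP\HelpDesk' |
    Where-Object { -not $_.Inherited -and -not $_.InheritOnly } |
    Format-Table Object, Type, Rights, AppliesTo
```

Keeping AccessMask next to Rights is deliberate: a WriteProperty ACE whose AppliesTo resolves to "member" and a ChildClass of "group" is a group-membership delegation, whereas the same mask with AppliesTo "(entire object)" is far broader, and the raw mask is what you need when a third-party report shows only the number. In a large domain the enumeration is slow, so scope -SearchBase to the OU under review rather than the domain root.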

As indicated earlier though, if you are trying to audit AD permissions for the purpose of determining who has what access in AD, or whether a specific individual has specific access on a specific AD object, what you need to do is correctly determine effective permissions in Active Directory.

In Summary

In summary, an Active Directory access audit involves determining effective permissions in Active Directory, and one often needs to perform extensive Active Directory security analysis to do so.

Paramount Defenses develops and delivers high-value Active Directory focused cyber security solutions to help organizations attain and maintain adequate Active Directory Security. Its innovative solutions, such as the world's most capable Active Directory Permissions Analyzer, the world's only accurate Active Directory Effective Permissions Tool and the world's only accurate Active Directory Delegation Audit Tool, are endorsed by Microsoft and help solve valuable problems.

Learn more at
