ActiveDirSec.Org

The world's most trusted forum on Active Directory Security


Post Info TOPIC: How to view an Active Directory / Windows domain user's access token?
Rob


Member

Posts: 7
Date: Jun 20, 2012
How to view an Active Directory / Windows domain user's access token?


Hello again,

I am also looking for a solution to help us view an Active Directory / Windows domain user's access token.

We need this capability to be able to peek into the tokens of some of our user accounts and see what all groups they belong to. This is needed because some of our users are close to hitting the 1024 SIDs in a token limitation.

We tried using the TokensZ tool from Microsoft but found it to be insufficient for our need in that it would only show an approximation of the number of SIDs in a user's token, and/or it would only show the SIDs but not provide descriptive information about the SID, leaving us to determine which group the SID belongs to.

What we need is something that can help us view and document the list of all SIDs that show up in a specifiable user's access token, as well as the name of the groups that these SIDs correspond to, so we can identify them and do what we need to minimize group membership nestings.

If anyone knows of something that can help us with this, it would be greatly appreciated if you could point us in the right direction.

Thank you.

-Rob



__________________


Member

Posts: 10
Date: Jun 26, 2012
RE: How to view an Active Directory / Windows domain user's access token?


Hi Rob,

Sorry for stating the most obvious path here, but I'm assuming you've tried Googling "view a user's access token" or "access token viewer".

Beyond the obvious, I can only share snippets from our attempts to deal with this in the past. Basically, we found some discussions online about some amateur developers trying to figure this out, but beyond that haven't really come across any way to do so.

Sorry, but pointing you to Google is the best I could come up with for this.

-Danny



__________________


Member

Posts: 16
Date: Jun 26, 2012
RE: How to view an Active Directory / Windows domain user's access token?


Rob,

Please don't quote me on this, but I believe that trying to fetch the "tokengroup" attribute with PowerShell could get you an approximation of a user's access token. Whether an approximation is good enough for you I do not know.

I'm sure there are solutions out there that could help you figure this out. I know Microsoft's whoami utility can show you the contents of your token, but it can only show you your own token, not that of another user.

Hope this helps.

-John.

 



__________________
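Added example, not code from any poster in this thread: the directory attribute referred to above is named tokenGroups, and the PowerShell below reads it for one user and resolves each SID to a group name. The function name Get-TokenGroupReport and the account name in the usage comment are hypothetical; it assumes a domain-joined machine and read access to the user object.

```powershell
# Added example (not from the thread). Lists the SIDs in a user's tokenGroups
# attribute together with the group name each SID resolves to.
# Assumptions: domain-joined machine, caller can read the user object.
function Get-TokenGroupReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$SamAccountName
    )

    # Escape LDAP filter metacharacters so the name cannot alter the filter.
    # The backslash must be escaped first.
    $escaped = $SamAccountName.Replace('\', '\5c').Replace('*', '\2a').
                               Replace('(', '\28').Replace(')', '\29')

    # Locate the user object in the current domain.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found." }

    # tokenGroups is a constructed attribute: it is only returned when it is
    # requested explicitly on the object itself, which RefreshCache does.
    $user = $result.GetDirectoryEntry()
    $user.RefreshCache([string[]]@('tokenGroups'))

    foreach ($bytes in $user.Properties['tokenGroups']) {
        # Each value is a binary SID; convert it to S-1-5-... string form.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # SID could not be mapped to a name (e.g. deleted or unreachable domain).
            $name = '<unresolved>'
        }
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }
}

# Usage (hypothetical account name):
#   Get-TokenGroupReport -SamAccountName 'jdoe' | Sort-Object Name | Format-Table -AutoSize
#   (Get-TokenGroupReport -SamAccountName 'jdoe' | Measure-Object).Count
```

The count this returns is a lower bound on the size of a real logon token, because SIDs added at logon time on a particular machine (local groups and well-known SIDs) are not part of tokenGroups.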


Member

Posts: 6
Date: Jun 29, 2012
How to view an Active Directory / Windows domain user's access token?


Hi Benji,

We've been looking for a way to view the access token of some users as well. We had a need to determine whether or not a user had modify access to one of our directories, and the easiest way to make that determination was to compare the user's access token with the ACL on the directory.

In my search I came across a few partially helpful links - 

1. How to get Calling-Process Windows User Access Token

2. What's in an Access Token

3. Viewing Access Tokens

It would be really helpful if there was a tool that could make it easy to view another user's access token. Unfortunately, I don't think one exists. 

Hope the links above help.

Benji.



__________________
Tower, this is Ghost Rider requesting a flyby!


Veteran Member

Posts: 28
Date: Jul 20, 2012
How to view an Active Directory / Windows domain user's access token?


Guys,

I think this may be just what you're looking for - Windows Access Token Viewer.

Quoting from the site -

"...lets you view the complete access token of any user domain user account."

(It's part of a tool (Gold Finger for AD) we use to fulfill our delegated access related audit/analysis needs, and this happens to be one of its capabilities.)

Good luck.

Jack.



__________________

We will NEVER forget.
