The world's most trusted forum on Active Directory Security



Posts: 1
Date: Jan 17, 2013
Why are Active Directory Effective Permissions SO Important? (What's the Big Deal?)


I would like to know why Effective Permissions in Active Directory are so important.

I ask because my colleagues over in our internal audit team have been repeatedly asking us if we have the ability to determine effective permissions on all our critical objects in Active Directory.

I'm not sure what the big deal is, or why they're repeatedly asking for this. We have a good delegation model in place, and have a decent idea of what we have delegated to which teams in our Active Directory, so what's the big deal with determining effective permissions in Active Directory?

I mean I suppose they must be of some importance as I have seen an Effective Permissions Tab when viewing Advanced Permissions in Active Directory, but by the same token, there is also an Auditing Tab.

I understand the value of auditing, and I know why it's important, but what's the big deal with Effective Permissions and why is it so important to be able to determine Effective Permissions?

For now, I've just told them that we have an Effective Permissions Tab in AD, so we're all set, and if they want, we can use it to fulfill any requests they might have, but I would like to understand if I am missing something here.

Thank you for your help with this.




Posts: 10
Date: Feb 28, 2013
RE: Why are Active Directory Effective Permissions SO Important? (What's the Big Deal?)

Hi Susan,

This is a very good and a very important question so I'll try and answer it as best as I can.

As you indicated, Effective Permissions is one of the four tabs that is visible in Active Directory Users and Computers / Administrative Center, when you're viewing an Active Directory object's properties and have clicked on Security, then on Advanced -


Active Directory Effective Permissions


The fact that it is one of the four tabs provided by Microsoft definitely must mean it's important, and in fact, it is one of the most important requirements for Active Directory security, possibly even more important than auditing, as I have attempted to explain below -

As you may know, Active Directory stores and protects all domain user accounts that are used for authentication, as well as all computer accounts that facilitate secure distributed access, as well as all security groups that are used to provision access across the network, as well as all admin accounts and groups that are used to manage Active Directory itself.

As you may also know, in almost every Active Directory, numerous groups and users are granted varying levels of modify permissions, ranging from simple write-property permissions to reset password permissions to complex delete permissions, which can be delete, or delete child or delete tree etc. Many times, more than one permission is granted in a single entry, such as Write-Property and Create-Child, or Full Control etc.

As a result, if you look at the ACL of any Active Directory object, you'll find that there are many permission entries, each one granting (Allow) or denying (Deny) some user, group or well-known SID one or more permissions, and some of these entries may be Inherited while others may be Explicit.

It turns out that these permission entries do not operate in isolation, but in fact operate in tandem to determine who really has what effective access on an Active Directory object.

For example, Jane may be a member of a group X, which is allowed Write-Property permissions to the userAccountControl attribute, but Jane may also be a member of Group Y, which is in turn a member of Group Z, and Group Z may be denied Full-Control on the object. In such a situation, what write-property access does Jane really have on the object? Can she modify its attributes or not? That depends on many factors, including for example, on whether the deny entry is an inherited one or an explicit one, and whether the allow entry is an inherited one or an explicit one.

In other words, what access does Jane effectively have on the object in regards to her ability to modify its attributes? Allow or Deny?

That answer is provided by Effective Permissions.

Effective permissions help us find out what access a user actually has on an Active Directory object, taking into account all the permission entries specified on that object, the permission types, the permission entry types (Allow/Deny, Inherited/Explicit) and the user's complete group memberships, including any nested memberships and well-known SID based access grants.

Thus, in order to find out who actually has what access in Active Directory, one has to determine Effective Permissions in Active Directory. Without this, it is virtually impossible to find out who really has what access in Active Directory, and knowing who really has what access in Active Directory is very important because all the keys to all the doors in the kingdom reside in Active Directory, i.e. all user accounts and all group memberships.

For example, the need to know who can modify Domain Admin group memberships, or reset Domain Admin account passwords, or delete an OU full of users, or add themselves to a group that is being used to protect highly confidential data on a server, is most important, and it is effective permissions that answers this question.

This is why there is an Effective Permissions Tab in ADUC and Administrative Center. Without Effective permissions, there is no way to know who really has what effective access (rights) in Active Directory, and without knowing this, there is no way to adequately secure Active Directory.

(On a side note, sadly, it turns out that the Effective Permissions Tab in Active Directory has two major problems - a) it does not deliver accurate results, as documented here, and b) it requires that you enter each person's name individually to find out what permissions he/she has - if you have even just 100 people in your AD, imagine entering 100 names each time you want to know what access they have! That is very painful, impractical and in my opinion, thus almost useless.)

Anyway, I hope I was able to help you understand why effective permissions are SO important for Active Directory security. Your colleagues on the audit team are right, and I would highly recommend determining effective permissions on at least all of your critical AD objects such as all default administrative groups and all administrative accounts because their compromise could result in the compromise of the entire Active Directory.

If you need any clarification or help, please feel free to ask.

Best wishes



Women's eyes have pierced more hearts than ever did the bullets of war.


Posts: 8
Date: Apr 11, 2013
Why are Active Directory Effective Permissions SO Important? (What's the Big Deal?)

Hi Susan,

As Simone has pointed out, Active Directory Effective Permissions are essential to knowing who really has what access provisioned/delegated in an Active Directory deployment.

We learnt this by experience because for the longest time we (and our auditors) were looking to see who has what permissions in our Active Directory, particularly on critical objects like our Domain Admins and Enterprise Admins groups, and we would come up with a list of all users who had modify member attribute permissions or who had full-control, and we would furnish these lists to our auditors to document who could change our Domain Admins and Enterprise Admins groups.

One day we realized that about 1/4th of the people that were on the list could not actually change the membership, and while we were initially puzzled, upon some investigation we found that there was a Deny permission for a nested group that denied all write-property permissions on the Domain Admins group. That is when we realized that we had to take the deny permissions into account as well, and while looking into it, we figured that what we needed to do was determine Effective Permissions on those objects, and not just list out who has what permissions.

(Unfortunately, we also found that at least half a dozen service accounts, two for Exchange and two for SMS Servers, could also change the membership of the Enterprise Admins group. Thankfully we caught this before someone realized, and were able to mitigate the exposure.)

To make a long story short, the only way to know who really has what access in Active Directory is to determine effective permissions on Active Directory objects. (By the way, there's a good write up on the subtle difference here in case it helps.)

Sadly, as Simone pointed out above, Microsoft's Effective Permissions Tab is woefully inaccurate, as discussed here as well.

Best wishes,



I would trade all my technology for an afternoon with Socrates - Steve Jobs
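The two scenarios above (Simone's "Jane in Group X, nested into Group Z" question, and the second reply's discovery that a Deny on a nested group knocked a quarter of the "who can change Domain Admins" list off the real answer) can be worked through with a small model of how a DACL is evaluated. The following is an added example, not code from the original thread or from Microsoft: it keeps only the rules that decide those outcomes (Allow versus Deny, the canonical ordering of explicit entries before inherited ones with Deny before Allow at each level, object-specific property entries, and nested group membership). All names (Jane, Group X/Y/Z, "AD Helpdesk", "Contractors", "Exchange Servers", the attribute list) are constructed sample data.

```python
"""Toy model of how Active Directory combines DACL entries into effective permissions.

Constructed example, not Microsoft's AccessCheck implementation. It models the
parts that decide the outcomes in the thread: Allow/Deny, explicit-before-inherited
ordering with Deny before Allow at each level, object-specific property ACEs and
nested group membership. Right names and principals are illustrative.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

RIGHTS = ("READ_PROPERTY", "WRITE_PROPERTY", "RESET_PASSWORD",
          "DELETE", "DELETE_CHILD", "DELETE_TREE", "WRITE_DACL")
FULL_CONTROL: FrozenSet[str] = frozenset(RIGHTS)   # "Full Control" = every right
PROPERTY_RIGHTS = ("READ_PROPERTY", "WRITE_PROPERTY")  # rights that can be scoped to one attribute


@dataclass(frozen=True)
class Ace:
    trustee: str                       # user, group or well-known SID (by name here)
    kind: str                          # "Allow" or "Deny"
    rights: FrozenSet[str]
    inherited: bool = False            # False = explicit entry on this object
    object_type: Optional[str] = None  # attribute name for property ACEs; None = whole object


def expand_groups(principal: str, membership: Dict[str, Set[str]]) -> Set[str]:
    """Principal plus every group reachable through nested membership (plus well-known SIDs)."""
    token = {principal, "Everyone", "Authenticated Users"}
    stack = [principal]
    while stack:
        for group in membership.get(stack.pop(), set()):
            if group not in token:
                token.add(group)
                stack.append(group)
    return token


def canonical_order(dacl: Iterable[Ace]) -> List[Ace]:
    """Explicit Deny, explicit Allow, inherited Deny, inherited Allow (stable sort)."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "Deny"))


def effective_permissions(principal: str, dacl: List[Ace], membership: Dict[str, Set[str]],
                          attributes: List[str]) -> Dict[Tuple[str, Optional[str]], str]:
    """For every (right, attribute) pair, the first matching ACE in canonical order decides;
    no matching ACE at all means the access is implicitly denied."""
    token = expand_groups(principal, membership)
    ordered = canonical_order(dacl)
    result: Dict[Tuple[str, Optional[str]], str] = {}
    for right in RIGHTS:
        scopes: List[Optional[str]] = list(attributes) if right in PROPERTY_RIGHTS else [None]
        for attr in scopes:
            decision = "Deny"
            for ace in ordered:
                if ace.trustee not in token or right not in ace.rights:
                    continue
                if ace.object_type is not None and ace.object_type != attr:
                    continue          # property ACE scoped to a different attribute
                decision = ace.kind
                break
            result[(right, attr)] = decision
    return result


def who_can(principals: List[str], dacl: List[Ace], membership: Dict[str, Set[str]],
            right: str, attr: str) -> List[str]:
    """The 'effective permissions' answer: who really gets `right` on `attr`."""
    return sorted(p for p in principals
                  if effective_permissions(p, dacl, membership, [attr])[(right, attr)] == "Allow")


def naive_list(principals: List[str], dacl: List[Ace], membership: Dict[str, Set[str]],
               right: str) -> List[str]:
    """What the second poster did at first: anyone named (directly or via a group) in an Allow entry."""
    return sorted(p for p in principals
                  if any(a.kind == "Allow" and a.trustee in expand_groups(p, membership)
                         and right in a.rights for a in dacl))


# Constructed sample directory: Jane -> Group X and Group Y; Group Y -> Group Z.
MEMBERSHIP: Dict[str, Set[str]] = {
    "jane": {"Group X", "Group Y"},
    "Group Y": {"Group Z"},
    "alice": {"AD Helpdesk"},
    "bob": {"AD Helpdesk", "Contractors"},
    "svc_exchange": {"Exchange Servers"},
}


def jane_example(deny_inherited: bool) -> str:
    """Simone's scenario: X allowed Write-Property on userAccountControl, Z denied Full Control."""
    dacl = [
        Ace("Group X", "Allow", frozenset({"WRITE_PROPERTY"}), object_type="userAccountControl"),
        Ace("Group Z", "Deny", FULL_CONTROL, inherited=deny_inherited),
    ]
    return effective_permissions("jane", dacl, MEMBERSHIP, ["userAccountControl"])[
        ("WRITE_PROPERTY", "userAccountControl")]


# Constructed DACL on a "Domain Admins"-style group object.
DOMAIN_ADMINS_DACL = [
    Ace("AD Helpdesk", "Allow", frozenset({"WRITE_PROPERTY"}), object_type="member"),
    Ace("Contractors", "Deny", frozenset({"WRITE_PROPERTY"})),           # explicit deny on a nested group
    Ace("Exchange Servers", "Allow", FULL_CONTROL, inherited=True),       # the service-account surprise
]
PRINCIPALS = ["alice", "bob", "jane", "svc_exchange"]


def domain_admins_report() -> Tuple[List[str], List[str]]:
    """(naive list from Allow entries, actual effective Write-Property on 'member')."""
    return (naive_list(PRINCIPALS, DOMAIN_ADMINS_DACL, MEMBERSHIP, "WRITE_PROPERTY"),
            who_can(PRINCIPALS, DOMAIN_ADMINS_DACL, MEMBERSHIP, "WRITE_PROPERTY", "member"))


if __name__ == "__main__":
    print("Jane, explicit deny on Group Z :", jane_example(False))
    print("Jane, inherited deny on Group Z:", jane_example(True))
    print("Naive list vs effective        :", domain_admins_report())
```

With an explicit Deny on Group Z, Jane is denied even though Group X is explicitly allowed, because explicit Deny entries are evaluated before explicit Allow entries; make that same Deny inherited and Jane's explicit Allow wins. For the group object, the naive "who appears in an Allow entry" list names alice, bob and the Exchange service account, while the effective answer drops bob (hit by the explicit Deny through "Contractors") and keeps the service account that only shows up through an inherited Full Control entry, which is exactly the pair of mistakes the second reply describes. Real directories add details this model leaves out (access masks as bits, property sets, validated writes, Owner rights), so treat it as a teaching aid for the ordering rules, not as an auditing tool.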
