The world's most trusted forum on Active Directory Security

Post Info TOPIC: How to determine Active Directory Effective Permissions with dsacls or acldiag


Posts: 1
Date: Aug 5, 2013
How to determine Active Directory Effective Permissions with dsacls or acldiag


I am trying to determine Effective Permissions on some of our Active Directory objects, but am hitting a roadblock, so I need some help. I am hoping someone on this forum can assist me.

The problem I am facing is that I have been asked to find out and report on the list of all our IT admins who have sufficient rights to reset the passwords of our Domain Admin accounts.

(We recently had a situation where a contractor who had somehow figured out that he had admin access on one of our Domain Admin accounts was able to reset the password of one of those accounts and use that access to obtain access to one of our criticial file servers.)

First I thought this should be easy as it is simply matter of reviewing the security permissions in the ACLs of the Domain Admin accounts. I am decently familiar with Active Directory access rights, group policies and Windows privileges, so I figured this would not be that difficult.

As I started looking, I found that we have some DENY permissions in place, as well as extensive delegation in place (although not as much on our admin accounts, which luckily are in a seperate OU.)

Anyway, I first tried to expand all the group memberships that had the Full Control access, and then subtract from that list anyone who had DENY access, but then there were also some permissions that had All Extended Rights, plus I realized that the DENY permissions were being inherited, so I wasn't sure if they would override any directly specified allow permissions. In a few minutes, it got pretty confusing, and it didn't seem that easy anymore

After doing some research online, I was able to figure out that I what I needed to do was determine Effective Permissions on these objects. So that was helpful, in that at least I know now what I need to do. The thing is that I wasn't quite sure how to do this.

One of my colleagues had suggested that this might be doable with dsacls or acldiag tools from Microsoft, so I figured I could use them to determine effective permissions. I tried the dsacls tool first but it seemed like it was more designed to modify permissions than to analyze permissions. So I moved on do acldiag.

The acldiag tool seemed to have better analysis capabilities, and I noticed the /geteffective flag in particular. So I tried that out. It did bring back some results, and at first I thought I had what I needed, but when I looked at it closely, it was not what I was looking for. It only seemed to get a list of the permissions that apply to the object. So for example, it showed the 3 deny permissions and the 28 allow permissions, but that was not what I was looking for

So now I am a little stuck, as I'm not sure how to go about figuring this out. Am I doing something wrong? Should I be using any specific flag combinations to figure this out?

We really need to find out who all (if anyone) can reset the passwords of our Domain Admin accounts, because those accounts are all powerful, so it is super critical for us to know this.

If anyone has any experience in dealing with this, it would be much helpful and appreciated.


> Gunter

Page 1 of 1  sorted by
Quick Reply

Please log in to post quick replies.

Post to Digg Post to
Members Login
    Remember Me