Reverse Engineer Active Directory Effective Permissions

Is there a "tool" available that will reverse engineer the effective permissions for a user for a particular AD object?

Using the AD Management Snap In it is simple to access the effective permissions for a particular user on a particular object. Is there a tool that will reverse the effective permissions and detail how the permission is assigned, i.e. via which group membership and at which level of the OU structure?

Using the AD Management Snap In is not an option as the number of group memberships combined with group nesting and OU structure make too many options to check. Coding a solution is not desirable.

Thanks Sash

cfairleyCommented:
Hello SashP,

Currently, I use Active Administrator from Script Logic for this purpose. It's a pricey tool ($7 per user) but it's worth it. You can download the trial and check it out.

http://www.scriptlogic.com/eng/products/activeadmin/main.asp

Thanks,
Chris
SashPAuthor Commented:
Thanks Chris

I will check it out, but with in excess of 25,000 users it sounds like it may be a little difficult to get approved.  I assume that you mean $7 per user in the environment rather than $7 per installation.

Cheers Sash
cfairleyCommented:
Yes, that's about $7.00 to $7.50 per user account in AD.  I only support 3,000 users and it makes my job a lot easier.  Not only does it map the security permissions, but you can install agents on your DCs that will email you for every change that happens in AD, if you audit to that extent.  I really like knowing if the membership changed for any of my global groups.  Not to mention the management of GPs.  Anyway, if you are serious about the product, I can put you in touch with an agent I know.  My email is in my profile.

Thanks,
cfairley
Netman66Commented:
Does this help?

http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5540

There is a Resource Kit tool called, "SHOWACL.EXE" that might be what you are looking for.

SashPAuthor Commented:
Netman

Thanks for the input, however I was under the impression that SHOWACLS details permissions on NTFS objects and not AD objects. If I have misunderstood the use of SHOWACLS any input would be welcome.

The problem that I am encountering is that users that should not have the ability to change the group membership of particular security groups are in fact able to. The permission has not been granted directly to the user but has been granted either by nested group membership or permissions granted further up the OU structure. I need to determine where the permission has been granted and to what group.

Cheers Sash
cfairleyCommented:
Sash,

That was about the exact issue I was having. To go about it the long way, I would find the group that was changed, right-click to show the permissions, click advanced to see the ACL. Then I would list the group membership of the user that changed the group. Then compare the two lists to see which group the user is a member of that is listed in the ACL for the group that was changed. Of course, this is assuming that you know the two key things, the specific user and the specific group. It can get a little hairy because now you have to check other OUs.
SashPAuthor Commented:
Chris

I have downloaded and installed the Active Administrator, however I have been unable to determine how to use it to achieve the result that I am after.

How would I use it to determine how user "john doe" obtains the right to "Create All Child Object" in AD Object "xyz".  The problem that I face is that user john doe has not been granted permissions, none of john doe's groups have been granted permission directly to the object, so I am searching for a nested group which has permission to the object via inheritance.

I know how to do it group by group using the AD management snap in but it takes too long.

Cheers Sash.
cfairleyCommented:
Sash,

I didn't think you wanted the long way.  

While in the AA Console, add a DC to manage, right-click the specific OU and select "Find permissions" and then you can search by user, group, or in your case, all permissions.  You can also click on the particular OU or the top of the AD tree.  That may not answer directly, but I have to leave work, get home, and then VPN to do some more work tonight.  I will look into it some more tonight.

Thanks,
cfairley
cfairleyCommented:
Also, when the "search for ad permissions" box comes up, you can also search by the particular access right.
SashPAuthor Commented:
Thanks Chris I will investigate further, thanks for the input.
Netman66Commented:
You are correct - I misunderstood your question.

If a user has the ability to add and remove from a group, the issue could be one of two things:

1)  The group is located in the OU he/she is a delegated Administrator for.

2)  The group is incorrectly nested in an OU too low in the hierarchy - all Security Groups out of bounds to users should be higher in the tree than the user account in question.

I think there is another tool that gives group memberships - actually, you can use GPRESULT and pipe it to a text file. Although this tool is used to give you GPO results, a byproduct is that it lists all the groups the logged in user is a member of. Of course, that means that you'll need to run it from that user's session to get the result. The nice thing is that this tool is free with XP!!

I will see about a Reskit tool.

SashPAuthor Commented:
No probs Netman

The problem is most definitely item 1) however the issue then becomes how to quickly identify where the problem exists.  

The problem isn't identifying group membership.

The issue is when you have a user with about 100 groups and group nesting, how do you quickly identify which group is granting the "effective permission" and which object is it granted on.

Cheers Sash
Netman66Commented:
I understand the issue you have.  It is a fairly common problem.

I could have sworn there was a Resource Kit tool for this - either in the 2000 or 2003 kit.

I'll keep digging.


SashPAuthor Commented:
Thanks Netman, I appreciate it.

I am almost resigned to having to code it.

Cheers Sash
Netman66Commented:
This tool looks promising - it might do what you want it to when run at the DC.

http://www.microsoft.com/Resources/Documentation/windowsserv/2003/all/techref/en-us/showpriv.asp

Let me know.

Netman66Commented:
Hey..I found this:

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/acl_effective_perm.asp

..but it fails to tell us where to find it!

I'm working with MS right now - standby!

cfairleyCommented:
Sash,

Sorry the Active Administrator tool is not working for you.  I thought sure it would.  When I use it, I can search for specific rights on specific objects and it gives me a list of the groups that have that specific access to the resource.  However, the tool that Netman66 suggested might work for you.  Usually, 3rd party tools are a combination of various resource tools and other tools from Microsoft working together.

Thanks,
Cfairley
SashPAuthor Commented:
Chris

I haven't yet ruled out Active Administrator I am still investigating the tool, however it does not appear to be giving me the results that I want.

For example:

I have an AD user object that EVERYONE has permission to read and the effective permissions tool in 2003 Server correctly identifies this for user X, and Active Administrator correctly identifies that EVERYONE has read permission, but when I select a specific user and search permissions it does not identify that the user has permissions granted by the permission being granted to EVERYONE.

Am I doing something wrong?
Netman66Commented:
Sash,

One of my MVP peers has a website you'd be interested in.

Part of the answer you want might lie in this tool: http://www.joeware.net/win/free/tools/memberof.htm

At least it should dump group membership.  We can now focus on the specific permission you want to remove.

Let me know where to go next.

NM


SashPAuthor Commented:
Thanks NM

I have already finished the vbScript that extracts the Group Membership info from AD using ADSI and LDAP.
The process is now to start at the top level object and back through the OU structure to find where the permission has been granted and on which object.
There is no real issue in how to do it, I am just so surprised that there aren't tool(s) that can do this.
I appreciate all the help I have got from both you and Chris, I will continue on with the code and see how I go, finding the issue wasn't the real problem, the problem is how do I solve it quickly next time.

Thanks Guys
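The approach Sash describes above (flatten the user's group membership, then find which ACE on which object in the OU chain grants the right) is what the following PowerShell does. It is an added example for this page, not the vbScript from the thread or anything shipped with Active Administrator or the Resource Kit. It assumes the RSAT ActiveDirectory module (for Get-ADUser, Get-ADObject and the AD: drive used by Get-Acl) and read access to nTSecurityDescriptor on the target and its ancestors; the user name 'jdoe' and the DN 'CN=xyz,OU=Groups,DC=corp,DC=example' in the usage line are placeholders. Two points from the thread are built in: the token includes Everyone and Authenticated Users, so an ACE granted to EVERYONE is reported for the user (the case Active Administrator missed), and nesting is handled by reading the DC-computed tokenGroups attribute rather than recursing memberOf.

```powershell
# Added example, not code from the original thread. Given a user and a target AD object,
# list every ACE in the target's effective DACL that grants (or denies) the requested
# right to the user or to any group in the user's token, and report the object on
# which that ACE was actually defined. Requires the RSAT ActiveDirectory module and
# read access to nTSecurityDescriptor on the target and its ancestors.
Import-Module ActiveDirectory

function Get-ParentDN {
    # Strip the leading RDN, honouring backslash-escaped commas. Returns $null once the
    # domain naming-context head (first RDN is DC=...) is reached.
    param([string] $DN)
    if ($DN -match '^DC=') { return $null }
    return ($DN -replace '^(?:[^,\\]|\\.)+,', '')
}

function Get-AdRightSource {
    param(
        [Parameter(Mandatory)] [string] $UserSam,
        [Parameter(Mandatory)] [string] $ObjectDN,
        # Any System.DirectoryServices.ActiveDirectoryRights value, e.g. WriteProperty,
        # CreateChild, GenericAll, WriteDacl.
        [System.DirectoryServices.ActiveDirectoryRights] $Right = 'WriteProperty',
        # Optional schemaIDGUID / rightsGuid to narrow property or extended-right ACEs;
        # Guid.Empty means "any".
        [guid] $ObjectType = [guid]::Empty
    )

    # 1. The user's token: own SID, every transitively nested group (tokenGroups is
    #    computed by the DC, so nesting is already flattened), and the well-known SIDs
    #    the DC adds for any authenticated caller.
    $user   = Get-ADUser -Identity $UserSam
    $groups = (Get-ADObject -Identity $user.DistinguishedName -Properties tokenGroups).tokenGroups
    $token  = @{}
    $token[$user.SID.Value] = $user.SamAccountName
    foreach ($sid in $groups) {
        try   { $token[$sid.Value] = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $token[$sid.Value] = $sid.Value }
    }
    $token['S-1-1-0']  = 'Everyone'
    $token['S-1-5-11'] = 'Authenticated Users'

    # 2. AD materialises inherited ACEs into each child's DACL, so the target's own DACL
    #    already holds everything that is effective on it. Reduce it to the ACEs that
    #    matter for this user and right.
    $targetAcl = Get-Acl -Path "AD:\$ObjectDN"
    foreach ($ace in $targetAcl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if (-not $token.ContainsKey($sid)) { continue }
        if (([int]($ace.ActiveDirectoryRights -band $Right)) -eq 0) { continue }
        # Inherit-only ACEs (e.g. scoped to another object class) are not effective here.
        if (([int]($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)) -ne 0) { continue }
        # Property/extended-right ACEs carry an ObjectType GUID; an empty GUID means "all".
        if ($ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $ObjectType) { continue }

        # 3. For an inherited ACE, walk up the OU chain to the nearest object that carries
        #    the same ACE explicitly: that is where the delegation was granted.
        $definedOn = $ObjectDN
        if ($ace.IsInherited) {
            $dn = Get-ParentDN $ObjectDN
            while ($dn) {
                $explicit = (Get-Acl -Path "AD:\$dn").Access | Where-Object {
                    -not $_.IsInherited -and
                    $_.IdentityReference.Value -eq $ace.IdentityReference.Value -and
                    $_.AccessControlType       -eq $ace.AccessControlType -and
                    $_.ActiveDirectoryRights   -eq $ace.ActiveDirectoryRights -and
                    $_.ObjectType              -eq $ace.ObjectType -and
                    $_.InheritedObjectType     -eq $ace.InheritedObjectType
                }
                if ($explicit) { $definedOn = $dn; break }
                $dn = Get-ParentDN $dn
            }
        }

        [pscustomobject]@{
            Trustee    = $token[$sid]
            Type       = $ace.AccessControlType
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType
            Inherited  = $ace.IsInherited
            DefinedOn  = $definedOn
        }
    }
}

# Usage: who lets jdoe modify the membership of group xyz? The 'member' attribute has
# schemaIDGUID bf9679c0-0de6-11d0-a285-00aa003049e2; the user and DN are placeholders.
Get-AdRightSource -UserSam 'jdoe' -ObjectDN 'CN=xyz,OU=Groups,DC=corp,DC=example' `
    -Right WriteProperty -ObjectType 'bf9679c0-0de6-11d0-a285-00aa003049e2' |
    Format-Table -AutoSize
```

For the "Create All Child Objects" case from earlier in the thread, pass -Right CreateChild and leave -ObjectType at its default. Read the Type column before acting on the output: a matching Deny ACE (explicit, or inherited from a nearer ancestor) overrides an Allow, and the script reports both rather than resolving them, since the point here is to locate the ACE, not to re-implement the access check. tokenGroups reflects group membership as the DC you query sees it, so domain local groups from other domains will not appear.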
Netman66Commented:
Ok.

If the right has been granted via Delegation of Control, it might not be easy to locate.  It seems to me that MS is aware that Delegation creates this problem of not knowing where rights are coming from when things go wrong.

I would be interested in hearing your post-mortem when you figure it out.

Would you mind following up with this when you're done??  It would be of value to us.

Thanks.
NM
SashPAuthor Commented:
No problems, it is the least I can do after the assistance you have given.

Cheers Sash
cfairleyCommented:
I'm with Netman66, I want to know also.  Maybe we will even give you some points :)

Nice working with you Netman66
Netman66Commented:
Likewise.  I would sure offer points to hear the results also!
