How to Audit Security Permissions and Access Rights in Active Directory

Active Directory is the foundation of security and IT management in Windows Server-based IT infrastructures. It stores and protects all the building blocks of security, including the user accounts used for authentication, the security groups used for authorization to all resources stored on all servers, and the auditing of all identity and access management tasks. In addition, it is the focal point of administrative delegation in Windows-based environments.

As a result, a substantial amount of access provisioning is done in Active Directory to fulfill business requirements such as the following –


  1. Delegation of administrative duties to fulfill IT management needs and gain cost efficiencies
  2. Provisioning of access to group owners and managers for project specific group management
  3. Provisioning of access to line-of-business and other service accounts of AD integrated services
  4. Provisioning of access for in-house or vendor supplied AD integrated applications
  5. Provisioning of access for security/other services that assist in identity/access management


In most AD environments, access provisioning has been an ongoing activity for years, and as a result, in most deployments, substantial amounts of access provisioning have been done, and thus there are literally thousands of permissions granting varying levels of access to numerous individuals, groups and service accounts.

The Need to Audit Active Directory Permissions

The need to audit Active Directory (AD) permissions is a very important and a very common need for organizations. It is very common because, in all organizations, various stakeholders have a need to know things like –


  1. Who has what access in AD?
  2. Who has what access on specific objects in AD?
  3. Who can perform what operations on specific AD OUs?
  4. Who is delegated what administrative tasks, where in AD, and how?


The need to have answers to these questions is driven by various aspects of IT and security management such as –


  1. IT audits driven by internal needs and/or regulatory compliance needs
  2. Security risk assessment and mitigation activities aimed at managing risk
  3. Security vulnerability assessment and penetration testing results


In all such cases, the one commonality is the need to know who has what access in AD, and that one need can be fulfilled by performing an Active Directory access audit.

How to Audit Active Directory Permissions

The need to audit Active Directory permissions is thus a common need for the reasons stated above. In most organizations, numerous IT personnel in various roles, such as Domain Admins, Delegated Admins, IT Security Analysts, IT Auditors, IT Managers, Application Developers and others, at some point or another have a need to find out who has what access in Active Directory, either on a single Active Directory object, in an OU of objects, or across an entire Active Directory domain.

To fulfill this need, most IT personnel turn to performing an audit of Active Directory permissions, with the hope of being able to find out who has what access in AD, on one or more objects, and thus they attempt to audit Active Directory permissions to fulfill this vital need.

However, there is a very important point that most IT personnel often inadvertently miss, which is that what they actually need to find out is not who has what permissions in Active Directory, but who has what effective permissions in Active Directory.

As a result, they continue to invest substantial time and effort in trying to audit AD permissions via command-line tools, scripts and other means. In doing so, they usually not only end up losing substantial time and effort, but more importantly, they end up with inaccurate data, reliance upon which can lead to incorrect access decisions, and this can result in the introduction of unauthorized access in AD, which can pose a serious risk to their security.

The reason that one needs to know who has what effective permissions in AD and not who has what permissions in AD, is that it is effective permissions/access that impacts what access a user actually has in AD.

The Difference Between Permissions And Effective Permissions in Active Directory

The difference between permissions and effective permissions in Active Directory is very important to understand because it can mean the difference between accurate information and inaccurate information and consequently the difference between security and compromise.

The permissions a user has in Active Directory are merely the permissions that are granted to a user in various access control entries (ACEs) in an ACL. Such permissions could be of type Allow or Deny, and be Explicit or Inherited. They could also apply to an object, or not apply, as is the case wherein they only exist to be inherited downstream to other child objects on to which they might apply.

In contrast, the effective permissions a user has are the resultant set of permissions that he/she has when you take into account all the permissions that might apply to him/her, in light of all access control rules such as Denies overriding Allows and Explicit permissions overriding Inherited ones, and based on the expansion of any access granted to any and all security groups to which the user might belong, directly or via nested group memberships, as well as via the interpretation of special SIDs like Self, Everyone, Authenticated Users etc.

In reality, when a user attempts to access AD to perform any operation, such as reading data, creating an object, modifying an attribute, deleting an object etc., whether or not the requested access is granted depends on his/her effective permissions, which is what the system calculates based on all the permissions that apply to him/her, according to the factors described above.
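The following Python model is an added illustration, not code from the original article: it applies the rules described above (Deny before Allow, explicit before inherited, nested group expansion, the Self/Everyone/Authenticated Users SIDs, and inherit-only ACEs that do not apply to the object itself) to a constructed sample DACL, and contrasts what a naive "who is named in which ACE" audit reports with the rights a user would actually be granted. The SIDs, group memberships, right names and ACL are constructed sample data, and the evaluator mirrors the canonical DACL ordering Windows uses rather than calling the real access-check API.

```python
"""Simplified model of how effective permissions on an AD object are derived
from its DACL.  Added illustration with constructed sample data; it is not
the article's code and does not call the Windows access-check API."""

from dataclasses import dataclass

# Well-known SIDs that every caller's token carries (Self only when the
# caller is the object being accessed).
EVERYONE = "S-1-1-0"
AUTHENTICATED_USERS = "S-1-5-11"
PRINCIPAL_SELF = "S-1-5-10"


@dataclass(frozen=True)
class Ace:
    kind: str                    # "Allow" or "Deny"
    trustee: str                 # SID the ACE names
    rights: frozenset            # simplified right names, e.g. {"ResetPassword"}
    inherited: bool = False      # came from a parent container (OU)
    inherit_only: bool = False   # exists only to flow to child objects


def expand_groups(sid, membership):
    """Transitive closure of group membership, so nested groups are honoured."""
    token, stack = {sid}, [sid]
    while stack:
        for group in membership.get(stack.pop(), ()):
            if group not in token:
                token.add(group)
                stack.append(group)
    return token


def build_token(user_sid, membership, object_sid=None):
    token = expand_groups(user_sid, membership) | {EVERYONE, AUTHENTICATED_USERS}
    if object_sid == user_sid:
        token.add(PRINCIPAL_SELF)      # "Self" applies when you touch your own object
    return token


def raw_permissions(user_sid, membership, dacl, object_sid=None):
    """What a naive permissions audit lists: every ACE naming the user or one
    of the user's groups, with no Deny/Allow or inheritance evaluation."""
    token = build_token(user_sid, membership, object_sid)
    return [ace for ace in dacl if ace.trustee in token]


def canonical_order(dacl):
    """Explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "Deny"))


def effective_permissions(user_sid, membership, dacl, object_sid=None):
    """Rights the user is actually granted: the first ACE in canonical order
    that mentions a right decides it, and inherit-only ACEs are skipped."""
    token = build_token(user_sid, membership, object_sid)
    granted, denied = set(), set()
    for ace in canonical_order(dacl):
        if ace.inherit_only or ace.trustee not in token:
            continue
        undecided = ace.rights - granted - denied
        (denied if ace.kind == "Deny" else granted).update(undecided)
    return granted


def overreported_rights(user_sid, membership, dacl, object_sid=None):
    """Rights a naive audit shows as Allowed that the user does not really have."""
    naive = set()
    for ace in raw_permissions(user_sid, membership, dacl, object_sid):
        if ace.kind == "Allow":
            naive |= ace.rights
    return naive - effective_permissions(user_sid, membership, dacl, object_sid)


# --- constructed sample data (placeholder domain SIDs) ---------------------
ALICE = "S-1-5-21-1111-2222-3333-1105"      # help-desk user
BOB = "S-1-5-21-1111-2222-3333-1106"        # the user object being audited
HELPDESK = "S-1-5-21-1111-2222-3333-2001"   # Alice is a direct member
TIER1_OPS = "S-1-5-21-1111-2222-3333-2002"  # HelpDesk is nested inside this group

MEMBERSHIP = {ALICE: {HELPDESK}, HELPDESK: {TIER1_OPS}}

SAMPLE_DACL = [
    Ace("Allow", ALICE, frozenset({"ReadProperty"})),                 # explicit
    Ace("Deny", EVERYONE, frozenset({"Delete"})),                     # explicit
    Ace("Deny", ALICE, frozenset({"ReadProperty"}), inherited=True),  # loses to explicit Allow
    Ace("Deny", HELPDESK, frozenset({"WriteProperty"}), inherited=True),
    Ace("Allow", TIER1_OPS, frozenset({"ResetPassword", "WriteProperty"}), inherited=True),
    Ace("Allow", AUTHENTICATED_USERS, frozenset({"ListContents"}), inherited=True),
    Ace("Allow", HELPDESK, frozenset({"Delete"}), inherited=True, inherit_only=True),
    Ace("Allow", PRINCIPAL_SELF, frozenset({"WriteProperty"}), inherited=True),
]

if __name__ == "__main__":
    print("ACEs a naive audit lists for Alice:", len(raw_permissions(ALICE, MEMBERSHIP, SAMPLE_DACL, BOB)))
    print("Alice effective on Bob's object:", sorted(effective_permissions(ALICE, MEMBERSHIP, SAMPLE_DACL, BOB)))
    print("Over-reported for Alice:", sorted(overreported_rights(ALICE, MEMBERSHIP, SAMPLE_DACL, BOB)))
    print("Bob effective on his own object:", sorted(effective_permissions(BOB, MEMBERSHIP, SAMPLE_DACL, BOB)))
```

Running it shows the gap the article describes: a naive audit lists seven ACEs touching Alice and would suggest she can write to and delete the object, yet her effective rights are only ReadProperty (the explicit Allow beats the inherited Deny), ResetPassword (through the nested Tier 1 group) and ListContents; WriteProperty is removed by the inherited Deny on HelpDesk and the Delete grant is inherit-only, so it never applies here. Bob, accessing his own object, picks up WriteProperty through the Self SID that Alice's token never carries.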
