I have a security mystery :) The Effective Permissions tab shows that a few sampled users (IT ops) have any and all rights (all boxes are ticked). The permissions show that the Local Administrators group has full access and some business users have it too, of which the sampled users are not members. The Local Administrators group contains some AD IT Ops related groups of which the sampled users, again, appear not to be members. The sampled users are not members of Domain Administrators either. I've tried tracing backwards (from permissions to user) and forwards (user to permission) and could not find anything. At this point, there are three options:

  • I've missed something and they are members of some groups.
  • There's another way of getting full permissions.
  • Effective Permissions are horribly wrong.

Is there a way to retrieve the decision logic of Effective Permissions? Any hints, tips, ideas?

UPDATE: The winning answer is number 3 - Effective Permissions are horribly wrong. Comparing the outputs as run from the server logged on as admin and as run by a regular user from a remote computer shows different results: all boxes (FULL) access remotely, and on the server - None. Actually testing the access, of course, denies access.

3 Answers

Effective Permissions are essential for maintaining security, but, sadly, Microsoft's implementation of Effective Permissions isn't accurate and is thus unreliable.

We too have been looking for a reliable way to determine Effective Permissions for some time now.

We would have been satisfied with a PowerShell Script, a command-line tool, or even a basic API that we could use, but in searching far and wide, for the longest time did not find anything.

Last month, I shared my frustration with our MS contact and he pointed us to a discussion on an SME forum - http://www.activedirsec.org/t49320432/why-does-the-effective-permissions-tab-in-active-directory-n/

Turns out a Microsoft partner has solved the problem by building an accurate Effective Permissions Tool called Gold Finger for AD. It is a minimalistic GUI based tool and does the job - worth checking out.

  • Are you affiliated with Gold Finger in any way? If so, you are still welcome to mention the product, but you need to disclose your affiliation.
    – Skyhawk
    Commented Nov 17, 2012 at 1:45
  • That tool definitely lives up to its name. The edition that includes the effective permissions functionality "starts" at $6,000. ;-)
    – Greg Askew
    Commented Nov 17, 2012 at 18:07
  • Pricey! I wonder if Gold Finger just implements its own ACL logic based on groups and ACLs or ....
    – Konrads
    Commented Nov 19, 2012 at 10:33

I'm not a Windows admin, but I've seen this AccessChk tool in use by my colleagues. Would it help you?

Just a shot in the dark by a Linux dude. :D

  • Same result, unfortunately :(
    – Konrads
    Commented Jul 4, 2012 at 15:27

I've seen effective permissions go wrong myself (on Win2K3, but I think it can happen on Win2k8 too). I never figured out why for sure, but in my case it might have been related to the fact that users were members of too many groups (including subgroups).

If your users are members of 100+ groups you can check out this article: http://support.microsoft.com/kb/327825

Also, I wrote an HTA script to display the entire tree of groups a user is a member of, which helped me a lot. You can download it here: http://zeda.nl/EN/Blog/020_Overview_nested_groups

  • Hi. Nice script. I have something proprietary myself as well. Unfortunately, the MaxTokenSize is set to 65k and I suspect that it isn't related.
    – Konrads
    Commented Jul 10, 2012 at 13:51
  • If it's set to 65K on all computers in the domain, then that won't be the problem. Good luck, please post any further outcome.
    – ZEDA-NL
    Commented Jul 10, 2012 at 14:13
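Since the thread never gets a way to see the decision logic the question asks for, here is an added example (not from the question or any answer) that rebuilds it by hand for one NTFS object: it resolves the user's full nested group SIDs from the tokenGroups attribute, then walks the object's ACEs in stored order with a first-match-per-bit rule, so the result can be compared against what the GUI tab claims. It assumes the RSAT ActiveDirectory module and that `$Path` is reachable from the machine running it.

```powershell
# Added example, not from the thread: hand-computed effective NTFS rights.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [Parameter(Mandatory)][string]$Path
)
Import-Module ActiveDirectory

# tokenGroups is a constructed attribute holding every group SID that lands in
# the user's token, nested groups and primary group included; walking memberOf
# alone misses both, which is one way a tool can get this wrong.
$user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
$sids = @($user.SID.Value) + @($user.tokenGroups | ForEach-Object { $_.Value })
$sids += 'S-1-1-0', 'S-1-5-11'   # Everyone, Authenticated Users: in every domain token

$decided = 0   # bits already settled by an earlier ACE (first match wins per bit)
$allowed = 0   # bits settled as Allow
# Get-Acl returns ACEs in stored (canonical) order: explicit before inherited,
# Deny before Allow within each group. Walking them in order reproduces the
# access check's "first ACE that speaks for a bit decides it" behaviour.
foreach ($ace in (Get-Acl -Path $Path).Access) {
    try {
        $aceSid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { continue }   # unresolvable account: ACE cannot apply to this user
    if ($sids -notcontains $aceSid) { continue }
    $bits = [int]$ace.FileSystemRights -band (-bnot $decided)   # only undecided bits
    if ($ace.AccessControlType -eq 'Allow') { $allowed = $allowed -bor $bits }
    $decided = $decided -bor $bits
}

# Deliberately ignored here: owner-implied READ_CONTROL/WRITE_DAC, backup and
# restore privileges, share-level ACLs, and local (non-domain) groups on a
# remote server, which tokenGroups read from AD cannot see. If the GUI shows
# more than this computes, one of those or a stale group cache is the first
# thing to check; actually opening the file remains the authoritative test.
[PSCustomObject]@{
    User      = $SamAccountName
    Path      = $Path
    Effective = [System.Security.AccessControl.FileSystemRights]$allowed
}
```

Run it once on the server and once from a remote workstation as in the update above; the computed value should not change between the two, which is exactly the property the built-in tab failed to have.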
