(2013-05-29) Taking Control Over Your AD Permissions With The AD ACL Scanner Tool
Posted by Jorge on 2013-05-29
A Swedish Microsoft PFE, Robin Granberg, has created a very cool PowerShell script to inventory, and even compare with a previous output, your AD permissions/delegations. All kudos/credits of course go to Robin for this amazing script!
REMARK: Some of the pictures were changed by me as I used the tool in my own environment and I also added some comments!
<QUOTE SOURCE=”Take Control Over AD Permissions And The AD ACL Scanner Tool”>
WHAT IS THE STATE OF YOUR DELEGATION?
Have you a documented and recent report over the permissions in your Active Directory?
Have you granted permissions on the relevant OU’s in the past and left it like this ever since??
Maybe it’s time to take a look again to see what’s actually delegated in Active Directory?
Things you probably find when re-visiting the permissions:
- Permissions given to users or groups that do not exist anymore;
- Permissions set to high up in the OU structure so users have the possibility to create/delete/modify Active Directory objects in the wrong places;
- The permissions grant the user more than needed e.g. Helpdesk is supposed to reset passwords on user accounts in the defined OU but can create/delete any type of objects;
- Same set of permissions delegated to two groups. Usually only one group is needed for one set of permissions;
- Permissions granted to users or groups that are not needed anymore. This can happen when enabling a project to create objects for a limited period of time or if there were a transition between out-sourcing partners.
WHAT TO DO?
Every Active Directory should have a documented delegation model that includes the permissions set for the data in Active Directory. I’m not saying you should type down every single permission on every object, but the permissions that is needed for you organization to be able to perform their given tasks.
<COMMENT BY JORGE>
In addition to running this tool, you might to perform additional work. That really depends on the group structure you have implemented within your AD. For example: you might have one of the following models:
- User –> Security Group –> AD ACE
- User –> Security Group (Role) –> Security Group (Scoped Task) –> AD ACE
- User –> Security Group (Role) –> Security Group (All Scoped Tasks Combined) –> Security Group (Scoped Task) –> AD ACE
[AD.1] Examples For: User –> Security Group –> AD ACE
ADCORP\JORGE –> ADCORP\GRP_ServiceDesk –> “Allow:Reset Password”
ADCORP\JORGE –> ADCORP\GRP_ServiceDesk –> “Allow:Read/Write lockoutTime”
[AD.2] Examples For: User –> Security Group (Role) –> Security Group (Scoped Task) –> AD ACE
ADCORP\JORGE –> ADCORP\ROLE_ServiceDesk –> ADCORP\TSK_ResetPassword –> “Allow:Reset Password”
ADCORP\JORGE –> ADCORP\ROLE_ServiceDesk –> ADCORP\TSK_UnlockUser –> “Allow:Read/Write lockoutTime”
[AD.3] Examples For: User –> Security Group (Role) –> Security Group (All Scoped Tasks Combined) –> Security Group (Scoped Task) –> AD ACE
ADCORP\JORGE –> ADCORP\ROLE_ServiceDesk –> ADCORP\TSK_ResetPassword_ALL –> ADCORP\TSK_ResetPassword_EMEA –> “Allow:Reset Password”
ADCORP\JORGE –> ADCORP\ROLE_ServiceDesk –> ADCORP\TSK_ResetPassword_ALL –> ADCORP\TSK_ResetPassword_APAC –> “Allow:Reset Password”
ADCORP\JORGE –> ADCORP\ROLE_ServiceDesk –> ADCORP\TSK_UnlockUser_ALL –> ADCORP\TSK_UnlockUser_EMEA –> “Allow:Read/Write lockoutTime”
ADCORP\JORGE –> ADCORP\ROLE_ServiceDesk –> ADCORP\TSK_UnlockUser_ALL –> ADCORP\TSK_UnlockUser_APAC –> “Allow:Read/Write lockoutTime”
As you can see, with model  and , finding out who has permissions where, depends on the group structure. Personally I really like the “ROLE—>TASK—>PERMISSION” model
</COMMENT BY JORGE>
Here’s a simple example of how you could document Helpdesk’s permissions in AD:
Table 1: List Of Configured Permissions In AD (Example)
To verify that the permissions in Active Directory are reflecting the need of your organization, you have to go through every OU in your Active Directory where permissions have been modified. It’s usually a quite daunting task to click your way through the directory tree to get control over the permissions. For every OU or any object for that matter there are at least 4 clicks to reach the Advanced Security Settings tab, which is often the required view, and if you got a large OU structure that could take a while.
THE SOLUTION – THE ACL SCANNER
When the script is started you will see the following GUI, showing all defaults settings
Figure 1: The AD ACL Scanner Tool With Default Settings
<COMMENT BY JORGE>
In my personal opinion I would like to start the tool, without the option “View Owner” being checked, without the option “One Level” being checked and with the option “Skip default permissions” being checked. In other words, like shown in the figure below. The reasoning?
I prefer the complete structure beneath the selected OU by default
I do not care about the owner by default
I do not case about the default permissions as those are….default!🙂
I also do not care about inherited permissions as that blows up the report while inheritance is enabled by default on the OUs
Figure 2: The AD ACL Scanner Tool With NEW Default Settings After Changing The Script
Of course can I change the options by just checking/unchecking them, but I would like the script/tool to start with that by default. So, open and edit the script as follows, and save afterwards when done:
Change: $chkBoxOneLevel.Checked = $True TO $chkBoxOneLevel.Checked = $False
Change: $chkBoxOneLevel.CheckState = 1 TO $chkBoxOneLevel.CheckState = 0
Change: $chkBoxGetOwner.Checked = $True TO $chkBoxGetOwner.Checked = $False
Change: $chkBoxGetOwner.CheckState = 1 TO $chkBoxGetOwner.CheckState = 0
After: $chkBoxDefaultPerm.Text = "Skip Default Permissions" ADD $chkBoxDefaultPerm.Checked = $True AND ADD $chkBoxDefaultPerm.CheckState = 1
</COMMENT BY JORGE>
To simplify the work of creating and documenting the delegation model in Active Directory I (Robin Granberg) have written a tool in PowerShell with a GUI. This tool creates reports of the access control list for all of your Active Directory objects. With these reports you can see what/where and when permissions have been set the last time.
To run the script you need at least PowerShell 2.0 and Windows 7/Windows Server 2008, (Windows Server 2003 with Limited functionality).
To enable unsigned scripting: Open a PowerShell Command Prompt Windows and Type: Set-ExecutionPolicy Unrestricted
If you are not local admin and cannot set it on your machine you can set it for your profile: Open a PowerShell Command Prompt Windows and Type: Set-ExecutionPolicy Unrestricted -Scope CurrentUser
You do not need Powershell Module for Active Directory.
To create a report for an OU:
- Click Connect and the tool will connect to your domain;
- The Domain Node will be populated in the large tree view box below and you can click your way to the OU;
- When the OU is selected click Run Scan and you will get a HTML report of the permissions.
<COMMENT BY JORGE>
Figure 3: The AD ACL Scanner Tool With The OU Selected For Which I Want A Report
</COMMENT BY JORGE>
This is an example of a report:
Figure 4: The AD ACL Scanner Tool Report For The Selected OU
By default you will only get the selected OU, but if you like to list all sub OU’s you can clear the One Level check box. Be aware that it can take a long time to though a large OU structure.
To get the date when the permissions where modified check the Replication Metadata check box. This will add a column to the report with the latest change of the permissions on each object in the report.
This is an example of a report with the date when the access control list was modified.
Figure 5: The AD ACL Scanner Tool Report For The Selected OU, But Now Also Showing The Last Time The ACL Was Updated
To browse all objects, click All Objects in the Browse Options box. This is necessary when you would like to get the permissions on another object like a user for example. Then you also have to select All Objects in the Report Objects box too.
If you like to create a report of the whole domain I strongly suggest you select CSV file in the Output Options since it will take a long time to go through all OUs and create a HTML table for it. If you select CSV file it will be much faster and you can convert it to a HTML report afterwards in the Additional Options. You can even use it for comparison.
THE POWER OF THE ACL SCANNER
The cool thing with AD ACL Scanner is that you can compare the current state with a previous result. If you select to create a CSV file of the report you can use that to compare the current state with this file and you will get a report of what is missing or what is added. This is an example of a comparison report:
Figure 6: The AD ACL Scanner Tool Compare Report To See What Changed Since The Last Time
The “node not in file” state most likely means that I was performing a compare with a previous CSV file that was generated when the option “Skip Default Permissions” was selected. In this case I only added one new ACE.
Another nice feature is the filtering feature:
- You can filter on Allow or Deny permissions;
- You can filter on object types, like user or computer;
- You can filter on Trustee, this is a free text field where you can type any kind of name you are looking for. For example: ADCORP\TK_R1_SvcDeskResetUserPassword_EMPL.
Here’s an example of a report with filtering:
Figure 7: The AD ACL Scanner Tool Report When Using Filtering
Go ahead and download AD ACL Scanner script from Codeplex: https://adaclscan.codeplex.com/
Go ahead and explore permissions in AD!
I encourage you to get to know your permissions in AD and starts to document it.
- A tool completely written in PowerShell.
- A tool with GUI used to create reports of access control lists in Active Directory .
- View HTML reports of ACLs and save it to disk;
- Export ACLs on Active Directory objects in a CSV format;
- Connect and browse you default domain, schema , configuration or a naming context defined by distinguishedname;
- Browse naming context by clicking you way around, either by OU’s or all types of objects;
- Report only explicitly assigned ACLs;
- Report on OUs , OUs and Container Objects or all object types;
- Filter ACLs for a specific access type.. Where does “Deny” permission exists?;
- Filter ACLs for a specific identity. Where does "Domain\Client Admins" have explicit access?;
- Filter ACLs for permission on specific object. Where are permissions set on computer objects?;
- Skip default permissions (defaultSecurityDescriptor) in report. Makes it easier to find custom permissions;
- Report owner of object;
- Compare previous results with the current configuration and see the differences by color scheme (Green=matching permissions, Yellow= new permissions, Red= missing permissions);
- Report when permissions were modified;
- Can use AD replication metadata when comparing;
- Can convert a previously created CSV file to a HTML report.
- Powershell 2.0 or above
</QUOTE SOURCE=”Take Control Over AD Permissions And The AD ACL Scanner Tool”>
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########