Active Directory-Reports dot com

Helpful Active Directory Reports Coverage for Security Audit & Regulatory Compliance

Brought to you by former Microsoft Program Manager for Active Directory Security

Active Directory Security Permissions (ACL) Reports

Active Directory security permissions play a vital role in protecting all content stored in Active Directory, such as user accounts and groups. Insight into the state of these permissions is therefore critical to security, and Security Permissions Reports give organizations that insight.


The following is a list of the Top-20 Active Directory Security Permissions Reports that are vital for security and are the starting point in determining who is delegated what access in Active Directory –


I. Security State Reports –

   The following security permissions reports are helpful in determining who really has what access
   in Active Directory. It is very important to note that just because a user or security group has
   some permissions granted in an Active Directory ACL, it does NOT mean that they really have that
   access. They MAY OR MAY NOT have that access, as it could very well be negated by the
   presence of other permissions in the ACL of the same object, or by numerous other factors.

  1. All Active Directory objects on which a user or group has any permissions
  2. All Active Directory objects on which a user or group has allow permissions
  3. All Active Directory objects on which a user or group has deny permissions
  4. All Active Directory objects on which a user or group has explicit permissions
  5. All Active Directory objects on which a user or group has inherited permissions
  6. All Active Directory objects on which a user or group has list child permissions
  7. All Active Directory objects on which a user or group has list object permissions
  8. All Active Directory objects on which a user or group has read property permissions
  9. All Active Directory objects on which a user or group has write property permissions
  10. All Active Directory objects on which a user or group has create child permissions
  11. All Active Directory objects on which a user or group has standard delete permissions
  12. All Active Directory objects on which a user or group has delete child permissions
  13. All Active Directory objects on which a user or group has delete tree permissions
  14. All Active Directory objects on which a user or group has read permissions permissions
  15. All Active Directory objects on which a user or group has modify permissions permissions
  16. All Active Directory objects on which a user or group has modify owner permissions
  17. All Active Directory objects on which a user or group has extended right permissions
  18. All Active Directory objects on which a user or group has validated write permissions
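
The caution at the top of this section, that a permission listed in an ACL may or may not be real access, can be shown with a small model. This is an added example, not code from this site or from any reporting tool: the trustee names, the sample ACL and the simplified evaluation are constructed, and it assumes canonical ACE ordering while ignoring object-specific ACEs, ownership and the other factors mentioned above.

```python
from dataclasses import dataclass

# Access-mask bits as defined for directory objects (subset of ADS_RIGHTS_ENUM).
READ_PROP, WRITE_PROP, WRITE_DAC = 0x10, 0x20, 0x40000

@dataclass(frozen=True)
class Ace:
    trustee: str            # constructed names standing in for SIDs
    allow: bool             # True = allow ACE, False = deny ACE
    mask: int
    inherited: bool = False

def canonical(acl):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))

def aces_for(acl, trustee):
    """What a per-trustee permissions report lists: ACEs naming that trustee directly."""
    return [a for a in acl if a.trustee == trustee]

def effective(acl, token, wanted):
    """Simplified access check: for each bit, the first matching ACE in order decides."""
    granted = denied = 0
    for ace in canonical(acl):
        if ace.trustee not in token:        # token = the user plus all group memberships
            continue
        undecided = ace.mask & ~(granted | denied)
        if ace.allow:
            granted |= undecided
        else:
            denied |= undecided
    return granted & wanted

# Constructed sample ACL on one object.
ACL = [
    Ace("alice", True, READ_PROP | WRITE_PROP),        # explicit allow naming alice
    Ace("Contractors", False, WRITE_PROP),             # explicit deny on a group alice is in
    Ace("Helpdesk", True, WRITE_DAC, inherited=True),  # inherited allow on a group bob is in
]
ALICE_TOKEN = {"alice", "Contractors"}
BOB_TOKEN = {"bob", "Helpdesk"}

if __name__ == "__main__":
    print("alice listed with write property:", bool(aces_for(ACL, "alice")))
    print("alice can write property:", bool(effective(ACL, ALICE_TOKEN, WRITE_PROP)))
    print("bob listed in ACL:", bool(aces_for(ACL, "bob")))
    print("bob can modify permissions:", bool(effective(ACL, BOB_TOKEN, WRITE_DAC)))
```

The per-trustee listing and the evaluated result disagree in both directions here: alice is listed with write property but is denied it, while bob appears in no ACE yet can modify permissions through a group.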


II. Delegated Administrative Access Reports –

   The following security permissions reports provide critical insight into who all can modify* the
   state of these AD ACLs, i.e. who all have sufficient privilege to modify the state of these ACLs –

* SECURITY NOTE – It is very important to understand that where all a user/group has specific permissions in Active Directory is NOT the same as who is delegated what administrative access in Active Directory. In order to correctly determine who is delegated what access, one needs to determine resultant access in Active Directory. Also, depending on the specific report, it may not be sufficient to determine resultant access on just one object.

  1. Who can change security permissions in Active Directory, and on which objects?
  2. Who can change object ownership in Active Directory, and of which objects?

   These delegated administrative access reports are absolutely mission-critical to security because
   they reveal exactly who has the ability to change the security state of these security groups.



How to Generate these Group Reports:

   Organizations generally have two predominant reporting options to fulfill their AD reporting needs,
   and most prefer to use reporting tools, especially to fulfill their delegated access reporting needs.

   The Microsoft-endorsed Gold Finger Active Directory reporting tool can also generate these reports.

Copyright ActiveDir-Reports.Com 2010. All Rights Reserved