The permissions for an object in AD are stored in the ntSecurityDescriptor attribute; these permissions control who can access the object. When troubleshooting access issues, it is sometimes useful to compare the permissions assigned to two different objects. With v1.30.11 and above, there is now a simple method to compare the permissions of two different objects.
The context menu in NetTools now provides two additional menu items to allow permissions of objects to be compared:
- Select left SD to compare
- Compare to 'left object' SD
To compare the permissions, or security descriptors (SD), of two objects, select the first object and choose the Select left SD to compare option; this sets that object as the left item. Then find the second object you want to compare against and choose the Compare to 'left name' SD option (the menu item shows the name of the object you selected as the left item), and the Compare Permissions dialog box will be displayed.
Compare two user objects
The easiest method to compare two user objects is to use the quick search option to find the first user: enter the user name in the quick search box and press Enter. In this case we are searching for greynolds.
From the search results, right click on the greynolds object and select the Select left SD to compare option.
Next, search for the second user object, right click on the second user and select the Compare to 'Gary Reynolds' SD menu item, and the Compare Permissions dialog will be displayed.
The comparison between the two objects will be displayed.
Click on the column header with a '*' to select options to filter the displayed ACEs.
Compare Other Objects
To compare objects other than users, use one of the NetTools options to find the object you are looking for, i.e. LDAP Browser, LDAP Search, ACL Browser, GPO Explorer, etc. All of these options have the same context menu items, so you can compare the permissions of any object against any other object.
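The same comparison of two objects' ntSecurityDescriptor attributes, scripted with the ActiveDirectory PowerShell module, as an added example that is not part of NetTools; the function, its name and the two distinguished names at the bottom are placeholders and assumptions for this example, not values from the page:

```powershell
# Added example (not NetTools code): list the ACEs that exist on only one of two
# AD objects, the same check the Compare Permissions dialog performs.
# Assumes the RSAT ActiveDirectory module; the DNs at the bottom are placeholders.
Import-Module ActiveDirectory

function Get-AceKey {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    # Every field that distinguishes one ACE from another, joined into one string.
    # ObjectType/InheritedObjectType GUIDs matter: they scope an ACE to a specific
    # property, property set, extended right, or child object class.
    '{0}|{1}|{2}|{3}|{4}|{5}|{6}' -f $Ace.IdentityReference, $Ace.AccessControlType,
        $Ace.ActiveDirectoryRights, $Ace.ObjectType, $Ace.InheritedObjectType,
        $Ace.InheritanceType, $Ace.IsInherited
}

function Compare-AdObjectSd {
    param(
        [Parameter(Mandatory)][string]$LeftDn,
        [Parameter(Mandatory)][string]$RightDn,
        [switch]$ExcludeInherited   # keep only explicit ACEs, like filtering the dialog
    )
    $leftSd  = (Get-ADObject -Identity $LeftDn  -Properties ntSecurityDescriptor).ntSecurityDescriptor
    $rightSd = (Get-ADObject -Identity $RightDn -Properties ntSecurityDescriptor).ntSecurityDescriptor

    # The owner is part of the SD too and can grant full control implicitly.
    if ($leftSd.Owner -ne $rightSd.Owner) {
        [pscustomobject]@{ Side = 'Owner'; Left = $leftSd.Owner; Right = $rightSd.Owner; Rights = '' }
    }

    $leftAces  = $leftSd.Access
    $rightAces = $rightSd.Access
    if ($ExcludeInherited) {
        $leftAces  = $leftAces  | Where-Object { -not $_.IsInherited }
        $rightAces = $rightAces | Where-Object { -not $_.IsInherited }
    }
    $leftKeys  = @{}; foreach ($a in $leftAces)  { $leftKeys[(Get-AceKey $a)]  = $a }
    $rightKeys = @{}; foreach ($a in $rightAces) { $rightKeys[(Get-AceKey $a)] = $a }

    foreach ($k in $leftKeys.Keys | Where-Object { -not $rightKeys.ContainsKey($_) }) {
        $a = $leftKeys[$k]
        [pscustomobject]@{ Side = 'LeftOnly';  Left = $a.IdentityReference; Right = ''; Rights = "$($a.AccessControlType) $($a.ActiveDirectoryRights)" }
    }
    foreach ($k in $rightKeys.Keys | Where-Object { -not $leftKeys.ContainsKey($_) }) {
        $a = $rightKeys[$k]
        [pscustomobject]@{ Side = 'RightOnly'; Left = ''; Right = $a.IdentityReference; Rights = "$($a.AccessControlType) $($a.ActiveDirectoryRights)" }
    }
}

# Placeholder DNs: replace with the two objects you want to compare.
Compare-AdObjectSd -LeftDn 'CN=greynolds,OU=Users,DC=example,DC=com' `
                   -RightDn 'CN=other.user,OU=Users,DC=example,DC=com' | Format-Table -AutoSize
```

An ACE that appears as LeftOnly or RightOnly with the same identity and rights usually differs only in its object GUID or inheritance flags, which is exactly the kind of subtle difference that causes one object to be accessible and the other not.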
See Comparing AD Permissions for more information.