How To Compare the Permissions of Two AD Objects

The permissions for an object in AD are stored in the ntSecurityDescriptor attribute; these permissions control who can access the object.  When troubleshooting access issues, it is sometimes useful to compare the permissions assigned to two different objects.  With v1.30.11 and above, there is now a simple method to compare the permissions of two different objects.

The context menu in NetTools now provides two additional menu items to allow permissions of objects to be compared:

  • Select left SD to compare
  • Compare to 'left object' SD
Compare Menu Items

To compare the permissions, or security descriptors (SDs), of two objects, select the first object and choose the Select left SD to compare option; this sets the object as the left item.  Then find the second object you want to compare against and select the Compare to 'left name' SD option (the menu item shows the name of the left object); the Compare Permissions dialog box will be displayed.

Compare Permissions

Compare two user objects

The easiest method to compare two user objects is to use the quick search option to find the first user: enter the user name in the quick search box and press Enter.  In this case we are searching for greynolds.

Quick Search

From the search results, right click on the greynolds object and select Select left SD to compare.

Compare Left

Search for the second user object, right click on it and select the Compare to 'Gary Reynolds' SD menu item; the Compare Permissions dialog will be displayed.

Compare SD Item

The comparison between the two objects will be displayed.

Compare Permissions Result

Click on the column header with a '*' to select options to filter the displayed ACEs.

Compare Permissions Options

Compare Other Objects

To compare objects other than users, use one of the NetTools options to find the object you are looking for, e.g. LDAP Browser, LDAP Search, ACL Browser, GPO Explorer, etc.  All these options have the same context menu items, allowing you to compare permissions against any other object.
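The same comparison can be scripted outside NetTools when it needs to be repeated or logged. The following is an added example, not NetTools code: it reads the DACL of two AD objects through the ActiveDirectory module's AD: drive and lists the ACEs that exist on only one side. It assumes RSAT is installed, and the second account name (jsmith) is a constructed sample.

```powershell
# Added example (not part of NetTools): compare the DACLs of two AD objects.
# Assumes the ActiveDirectory module (RSAT) and the AD: PSDrive are available.
Import-Module ActiveDirectory

function Get-AceSummary {
    param([string]$DistinguishedName)
    # Get-Acl on the AD: drive returns the object's security descriptor; its
    # Access property lists the DACL entries (ACEs) the page describes.
    $sd = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $sd.Access) {
        [PSCustomObject]@{
            Identity      = $ace.IdentityReference.Value
            Rights        = $ace.ActiveDirectoryRights.ToString()
            Type          = $ace.AccessControlType.ToString()
            ObjectType    = $ace.ObjectType.ToString()          # attribute/right GUID, all-zero = any
            InheritedType = $ace.InheritedObjectType.ToString()
            Inheritance   = $ace.InheritanceType.ToString()
            Inherited     = $ace.IsInherited
        }
    }
}

function Compare-AdObjectAcl {
    param([string]$LeftDn, [string]$RightDn, [switch]$ExplicitOnly)
    $left  = @(Get-AceSummary -DistinguishedName $LeftDn)
    $right = @(Get-AceSummary -DistinguishedName $RightDn)
    if ($ExplicitOnly) {
        # Inherited ACEs usually differ only because the parent OUs differ;
        # hide them when looking for explicit per-object grants.
        $left  = @($left  | Where-Object { -not $_.Inherited })
        $right = @($right | Where-Object { -not $_.Inherited })
    }
    if ($left.Count -eq 0 -or $right.Count -eq 0) {
        Write-Warning "One side has no ACEs to compare after filtering."
        return
    }
    $props = 'Identity','Rights','Type','ObjectType','InheritedType','Inheritance'
    # SideIndicator '<=' = only on the left object, '=>' = only on the right object.
    Compare-Object -ReferenceObject $left -DifferenceObject $right -Property $props |
        Sort-Object SideIndicator, Identity
}

# Usage: greynolds is the left object from the page; jsmith is a constructed sample name.
$leftDn  = (Get-ADUser -Identity 'greynolds').DistinguishedName
$rightDn = (Get-ADUser -Identity 'jsmith').DistinguishedName
Compare-AdObjectAcl -LeftDn $leftDn -RightDn $rightDn -ExplicitOnly | Format-Table -AutoSize
```

Drop -ExplicitOnly to include inherited ACEs, which is closer to the unfiltered view in the Compare Permissions dialog.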

See Comparing AD Permissions for more information.