Some of the features shown here are only available in NetTools 1.31.9 and above.
NetTools includes the Permissions Browser option, which also allows you to see the effective rights for a nominated trustee. It also provides the ability to change the trustee's rights to assess the impact this will have on the trustee's access to objects in the AD. In this post we will look at how to use this option to view the effective rights of a user.
To configure Permissions Browser to show the Effective Rights we need to complete the following steps.
Select the Permissions Browser
Open NetTools and select the Permissions Browser option under Access Control in the left-hand pane.
Display AD Permissions
Select the Connection Profile or server to connect to. See Connection Profiles.
Select the Context you wish to view
Click Refresh
You can now navigate through the AD to the object for which you want to check the effective permissions.
Select Trustee
To display the effective rights for a trustee, we need to select the trustee using the Trustee Information dialog. Click on the Trustee button to open it.
Press the Select button to select the Trustee, and enter the name of the trustee. This can be a user, computer, or group. The Current User button can be used to retrieve the current group list from the currently authenticated user; if UAC is enabled, any disabled groups will be excluded from the token. Then click Select.
The Trustee Information dialog will be updated with the SIDs that the user is a member of. This is the user's access token, and this information will be used to determine the effective rights of the user.
View Effective Permissions
The ACL list is now filtered, showing only the permissions that will be applied to the trustee when they try to access the AD object. In this example, the selected user has a number of permissions that are granted by their access token. The lower section displays the effective permissions of the user on the selected object.
See the AD Permissions Browser page for information on the icons and their meanings.
See the AD Effective Permissions page for more information on the details and available options.
Alternative Method
The alternative and simpler method is to use the Use With context menu from the user search option. Either select Search or use the quick search option to search for the user you want to check the effective permissions for.
Then right-click on the corresponding user and select Effective Permissions under the Use With context menu. This will switch to the AD Permissions Browser option and set the Trustee. You can now browse the directory and view the effective permissions as you browse.
Modelling Effective Rights
One of the features of the Trustee Information dialog is that we can model changes to the trustee's effective rights. By using the add and remove buttons we can add or remove groups included in the trustee's access token, which is used to display the effective rights. This allows you to model how group changes will impact the Trustee's access.
In the example above, the access token of the Trustee has been modified to include the Domain Admins group. Below, the Permissions Browser is showing the effective permissions based on the updated access token for the Trustee. Now two permissions are shown based on the updated access token.
You can now browse the AD to see what rights the Trustee has on the objects in AD. To turn off the Effective Rights view, click on the Clear button in the Trustee Information dialog.
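The token-based filtering and the group modelling described above can be reproduced in a small model. This is an added example, not NetTools code: the domain SID, RIDs and DACL are constructed, and it assumes plain (non-object) ACEs in canonical order, ignoring inherit-only ACEs and implicit owner rights.

```python
# Simplified model of effective rights: token SIDs filter the DACL, then
# the ACEs are walked in order. All sample values below are constructed.
from dataclasses import dataclass

RIGHTS = {"READ_PROP": 0x10, "WRITE_PROP": 0x20, "DELETE": 0x10000,
          "READ_CONTROL": 0x20000, "WRITE_DAC": 0x40000}

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
USER, HELPDESK = f"{DOMAIN}-1104", f"{DOMAIN}-1601"   # constructed RIDs
DOMAIN_ADMINS = f"{DOMAIN}-512"                        # well-known RID 512
AUTH_USERS = "S-1-5-11"                                # Authenticated Users

@dataclass(frozen=True)
class Ace:
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    sid: str      # trustee the ACE applies to
    mask: int     # access mask bits

# Constructed DACL for one object, deny ACEs first (canonical order).
DACL = [
    Ace(False, HELPDESK, RIGHTS["WRITE_PROP"]),
    Ace(True, AUTH_USERS, RIGHTS["READ_PROP"] | RIGHTS["READ_CONTROL"]),
    Ace(True, USER, RIGHTS["WRITE_PROP"]),
    Ace(True, DOMAIN_ADMINS,
        RIGHTS["WRITE_PROP"] | RIGHTS["DELETE"] | RIGHTS["WRITE_DAC"]),
]

def applicable_aces(dacl, token):
    """The filtered ACL view: only ACEs whose SID is in the token."""
    return [ace for ace in dacl if ace.sid in token]

def effective_rights(dacl, token):
    """Walk ACEs in order; the first ACE to mention a bit decides it."""
    granted = denied = 0
    for ace in applicable_aces(dacl, token):
        if ace.allow:
            granted |= ace.mask & ~denied
        else:
            denied |= ace.mask & ~granted
    return granted

def right_names(mask):
    return sorted(name for name, bit in RIGHTS.items() if mask & bit)

if __name__ == "__main__":
    token = {USER, HELPDESK, AUTH_USERS}  # SIDs in the trustee's token
    print("current :", right_names(effective_rights(DACL, token)))
    modelled = token | {DOMAIN_ADMINS}    # model adding a group
    print("modelled:", right_names(effective_rights(DACL, modelled)))
```

In this constructed DACL, adding Domain Admins to the token grants DELETE and WRITE_DAC but not WRITE_PROP, because the deny ACE for the helpdesk group still applies; removing that group from the modelled token is what restores write access.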