NetTools includes the ACL Browser option, which also allows you to see the effective rights for a nominated trustee. It also provides the ability to change the trustee's rights to assess the impact this will have on the trustee's access to objects in the AD. In this post we will look at how to use this option to view the effective rights of a user.
To configure ACL Browser to show the Effective Rights, we need to complete the following steps.
Select the ACL Browser
Open NetTools and select the ACL Browser option under Access Control in the left-hand pane.
Display AD Permissions
Select the Connection Profile or server to connect to. See Connection Profiles.
Select the Context you wish to view.
You can now navigate through the AD to see the permissions set on the objects.
To display the effective rights for a trustee, we need to select the trustee using the Trustee Information dialog. Click on the Trustee button to open it.
Press the Select button to select the Trustee and enter the name of the trustee. This can be a user, computer, or group. Then click Select.
The Trustee Information dialog will be updated with the SIDs that the user is a member of. This is the user's access token, and this information will be used to determine the effective rights of the user.
View Effective Rights
The ACL list is now filtered, showing only the permissions that will be applied to the trustee when they try to access the AD object. In this example, for the selected user, only one effective permission is shown on the Computers folder, and this will be applied to the user when they access the object.
See the ACL Browser page for information on the icons and their meanings.
Modelling Effective Rights
One of the features of the Trustee Information dialog is that we can model changes to the trustee's effective rights. By using the add and remove buttons we can add or remove groups included in the trustee's access token, which is used to display the effective rights. This allows you to model how group changes will impact the Trustee's access.
In the example above, the access token of the Trustee has been modified to include the Domain Admins group. Below, the ACL Browser is showing the effective permissions based on the updated access token for the Trustee. Now two permissions are shown based on the updated access token.
You can now browse the AD to see what rights the Trustee has on the objects in AD. To turn off the Effective Rights view, click on the Clear button in the Trustee Information dialog.
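The filtering described under View Effective Rights and Modelling Effective Rights can be reproduced offline to sanity-check a result. The following is an added example, not NetTools code: it filters a DACL written as SDDL ACE strings by the SIDs in a token, then models adding Domain Admins. The domain SID, user RID, sample DACL and all function names are constructed for illustration.

```python
import re
from typing import NamedTuple

DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

class Ace(NamedTuple):
    ace_type: str  # SDDL type code: "A" allow, "D" deny
    rights: str    # SDDL rights string, e.g. "LCRPRC"
    sid: str       # trustee SID the ACE is granted to

# An SDDL ACE has six ';'-separated fields:
# type;flags;rights;object GUID;inherit object GUID;trustee SID
ACE_RE = re.compile(r"\(([^;)]*);[^;)]*;([^;)]*);[^;)]*;[^;)]*;([^;)]*)\)")

def parse_aces(dacl: str) -> list:
    """Turn a string of SDDL ACEs into Ace tuples (type, rights, SID)."""
    return [Ace(*m.groups()) for m in ACE_RE.finditer(dacl)]

def effective_aces(aces, token_sids):
    """Keep only the ACEs whose trustee SID is present in the access token."""
    return [a for a in aces if a.sid in token_sids]

def model_token(token_sids, add=(), remove=()):
    """Return a modified copy of the token; the original is left untouched."""
    return (set(token_sids) | set(add)) - set(remove)

# Constructed DACL for a Computers container (not real directory data)
SAMPLE_DACL = (
    "(A;;LCRPRC;;;S-1-5-11)"                               # Authenticated Users
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;" + DOM + "-512)"    # Domain Admins
    "(A;;CCDC;;;S-1-5-32-548)"                             # Account Operators
)

# Constructed token: the user, Domain Users, Authenticated Users, Everyone
USER_TOKEN = {DOM + "-1104", DOM + "-513", "S-1-5-11", "S-1-1-0"}

if __name__ == "__main__":
    aces = parse_aces(SAMPLE_DACL)
    for label, token in (
        ("current token", USER_TOKEN),
        ("with Domain Admins", model_token(USER_TOKEN, add=[DOM + "-512"])),
    ):
        print(label)
        for ace in effective_aces(aces, token):
            print("   ", ace.ace_type, ace.rights, ace.sid)
```

As in the walkthrough, the unmodified token matches one ACE and the token with Domain Admins added matches two.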