How To Find Active Directory Effective Permissions

Some of the features shown here are only available in NetTools 1.31.9 and above.

NetTools includes the Permissions Browser option, which also allows you to see the effective rights for a nominated trustee. It also provides the ability to change the trustee's rights to assess the impact this will have on the trustee's access to objects in the AD. In this post we will look at how to use this option to view the effective rights of a user.

Permissions Browser

To configure Permissions Browser to show the Effective Rights, we need to complete the following steps.

How To Display Active Directory Effective Permissions

    Select the Permissions Browser

    Open NetTools and select the Permissions Browser option under Access Control in the left-hand pane.

    Display AD Permissions

    Select the Connection Profile or server to connect to.  See Connection Profiles

    Select the Context you wish to view

    Click Refresh

    You can now navigate through the AD to the object whose effective permissions you want to check.

    Select Trustee

    To display the effective rights for a trustee, we need to select the trustee using the Trustee Information dialog. Click on the Trustee button.

    Trustee Information

    Press the Select button to select the Trustee, and enter the name of the trustee. This can be a user, computer, or group. The Current User button can be used to retrieve the current group list from the currently authenticated user; if UAC is enabled, any disabled groups will be excluded from the token. Then click Select.

    Select Trustee

    The Trustee Information dialog will be updated with the SIDs that the user is a member of. This is the user's access token, and this information will be used to determine the effective rights of the user.

    Trustee Information

    View Effective Permissions

    The ACL list is now filtered, showing only the permissions that will be applied to the trustee when they try to access the AD object. In this example, the selected user has a number of permissions that are granted by their access token. The lower section displays the effective permissions of the user on the selected object.

    See the AD Permissions Browser page for information on the icons and their meanings.

    See the AD Effective Permissions page for more information on the details and available options.

    Trustee Mode - Effective Permissions

    Alternative Method

    The alternative and simpler method is to use the Use With context menu from the user search option. Using either the Search option or the quick search option, search for the user whose effective permissions you want to check.

    Use With - Effective Permissions

    Then right-click on the corresponding user and select Effective Permissions under the Use With context menu. This will switch to the AD Permissions Browser option and set the Trustee. You can now browse the directory and view the effective permissions as you browse.

    Modelling Effective Rights

    One of the features of the Trustee Information dialog is that we can model changes to the trustee's effective rights. By using the add and remove buttons we can add or remove groups included in the trustee's access token, which is used to display the effective rights. This allows you to model how group changes will impact the Trustee's access.

    Trustee Information - Added Domain Admins

    In the example above, the access token of the Trustee has been modified to include the Domain Admins group. Below, the Permissions Browser is showing the effective permissions based on the updated access token for the Trustee. Now two permissions are shown based on the updated access token.

    AD Permissions Browser - Effective Rights

    You can now browse the AD to see what rights the Trustee has on the objects in AD. To turn off the Effective Rights view, click on the Clear button in the Trustee Information dialog.
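The token-based filtering and the group modelling described above can be reproduced on paper with a small model. This is an added example, not NetTools code or its algorithm: the domain SID, the RIDs, the "Contractors" and "Helpdesk" groups and the DACL are constructed, and the model is simplified (plain allow/deny ACEs only, no object-specific ACEs, inheritance flags or owner rights).

```python
from typing import NamedTuple

# Active Directory access-mask bits (subset of ADS_RIGHTS_ENUM and standard rights).
RIGHTS = {
    "CREATE_CHILD": 0x1, "DELETE_CHILD": 0x2, "LIST": 0x4,
    "READ_PROP": 0x10, "WRITE_PROP": 0x20,
    "DELETE": 0x10000, "READ_CONTROL": 0x20000, "WRITE_DAC": 0x40000,
}

class Ace(NamedTuple):
    allow: bool  # True = access-allowed ACE, False = access-denied ACE
    sid: str     # trustee SID the ACE applies to
    mask: int    # rights granted or denied by this ACE

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
DOMAIN_ADMINS = DOMAIN + "-512"                       # well-known RID 512

# Constructed DACL for one object, in canonical order (deny ACEs first).
DACL = [
    Ace(False, DOMAIN + "-1201", RIGHTS["WRITE_PROP"]),  # hypothetical "Contractors"
    Ace(True, "S-1-5-11", RIGHTS["LIST"] | RIGHTS["READ_PROP"] | RIGHTS["READ_CONTROL"]),
    Ace(True, DOMAIN + "-1305", RIGHTS["WRITE_PROP"]),   # hypothetical "Helpdesk"
    Ace(True, DOMAIN_ADMINS, sum(RIGHTS.values())),      # every modelled right
]

# Constructed access token: user SID, Domain Users, two groups, Authenticated Users.
TOKEN = {DOMAIN + "-1104", DOMAIN + "-513", DOMAIN + "-1201", DOMAIN + "-1305", "S-1-5-11"}

def applicable_aces(dacl, token):
    """ACEs whose trustee SID is in the token (the filtered ACL view)."""
    return [ace for ace in dacl if ace.sid in token]

def effective_mask(dacl, token):
    """Walk ACEs in order: deny blocks bits not yet granted, allow grants bits not yet denied."""
    granted = denied = 0
    for ace in applicable_aces(dacl, token):
        if ace.allow:
            granted |= ace.mask & ~denied
        else:
            denied |= ace.mask & ~granted
    return granted

def right_names(mask):
    return sorted(name for name, bit in RIGHTS.items() if mask & bit)

if __name__ == "__main__":
    print("current :", right_names(effective_mask(DACL, TOKEN)))
    print("modelled:", right_names(effective_mask(DACL, TOKEN | {DOMAIN_ADMINS})))
```

Adding Domain Admins to the modelled token grants everything except WRITE_PROP, because the deny ACE for the other group still matches the token; removing that group from the token is what restores write access.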