How To Find Active Directory Effective Rights

NetTools includes the ACL Browser option, which also allows you to see the effective rights for a nominated trustee, it also provides the ability to change the trustees rights to assess the impact this will have trustees access to objects in the AD.   In this post we will look at how to use this option to view the effective rights of a user.

ACL Browser

To configure ACL Browser to show the Effective Rights we need complete the following steps.

How To Display Active Directory Effective Permissions

    Select the ACL Browser

    Open NetTools and select the ACL Browser option under Access Control in the left hand pane.

    Display AD Permissions

    Select the Connection Profile or server to connect to.  See Connection Profiles

    Select the Context you wish to view

    Click Refresh

    You can now navigate through the AD to see the permissions set on the objects

    Select Trustee

    To display the effective rights for a trustee, we need to select the trustee using the Trustee Information dialog, click on the Trustee button

    Trustee Information

    Press the Select button to select the Trustee, enter the name of the trustee, this can be a user, computer, or group.  The click Select.

    Select Trustee

    The Trustee Information dialog will be updated with the SIDs that user in a member of, this is the user's access token, this information will be used to determine the effective rights of the user.

    Trustee Information

    View Effective Rights

    The ACL list is now filtered showing only the permissions that will be applied to the trustee when they try to access the AD object.  In this example for the selected user only one effective permission is shown on the Computers folder and this will be applied to the user when they access the object.

    See the ACL Browser page for information on the icons and there meanings.

    ACL Browser - Effective Permissions

    Modelling Effective Rights

    One of the features of the Trustee Information dialog is that we can model changes to the trustees effective rights.  By using the add and remove buttons we can add or remove groups included in the trustee's access token, which is used to display the effective rights, this allows you to model how group  changes will impact Trustee's access.

    Trustee Information - Added Domain Admins

    In this example above, the access token of the Trustee has been modified to include the Domain Admins group.  Below is the ACL Browser is showing the effective permissions based on the updated access token for the Trustee.  Now two permissions are shown based on the updated access token.

    ACL Browser - Effective Rights

    You can now browser the AD to see what rights that the Trustee has on the objects in AD.  To turn off the Effective Rights view, click on the Clear button in the Trustee Information dialog.