ACL Browser

ACL Browser provides a quick and simple method to browse the permissions that are assigned to objects in the directory.  The ACL Browser is split into three sections:

Browser - This section provides the method to navigate the directory, clicking on an items in this pane will display the assigned permissions to that item. The Display OU and Containers options limits the displayed items to just these items, by deselecting this option the browser pane will display all the objects in the OU and containers.

ACE List - This pane lists the ACEs that have been assigned to the selected items, by default the Object Security tab is displayed showing the Discretionary Access Control List (DACL), however, depending on the item selected, the Mailbox, and Schema permissions will also be displayed.  For SACL to be displayed the Include SACL option must be selected, for these to be displayed Domain Admin rights are required.  If the Display SIDs option is selected an extra column is displayed with the SID of the trustee.

ACE - This pane displays the Access Control Entry based on the item selected in the ACE List pane.  The list of permissions is dynamic based on the item selected, but the standard full/read/write/create/delete permissions are displayed for all items.  When the Show ACL\ACE flags options is selected the ACE view will display the raw ACL and ACE flags associated to the selected item in the ACE List pane, rather than the graphical view. When an Object Specific ACE is selected the name of the object type which the permissions are associated to is displayed above the ACE pane.  In the example below the object type is User.

Clear Local Cache - ACL Browser uses a local cache for extended permission GUIDs and SIDs.  As the results are retrieved from the server they are cached to improve the performance when viewing permissions.  When changing to a new location and Refresh pressed, if the forest\domain is the same then the cache is maintained, if the forest\domain is changed, the cache is purged, the cache will also be cleared if the Clear Local Cache option is selected.  This cache is shared with the GPO Explorer security tab.

Trustee Mode - ACL Browser has a Trustee mode, which allows a trustee (user\group\computer etc.) to be selected and then only the ACE that apply to the trustee are displayed.  The icons in the ACE List pane will have a green dot to indicate that the corresponding ACE applies to the selected trustee.  These are the effective rights for the selected trustee.

To Select the Trustee click on the Trustee button and the Trustee Information dialog will be displayed, this dialog shows the select trustee and the constructed access token is displayed.  To select the trustee click on the Select button.  

The Select Trustee dialog, allows you to specify the trustee and the connection method for the trustee, is used to construct the trustee's Access Token. Once the Trustee is selected, the Add and Remove buttons can be used to update the SIDs that are included in the constructed access token. This allow you to add groups or security principals to the token to see what impact this has on the trustee access rights.

ACL Browser
ACL Browser - Flags

Permissions Caching


NetTools uses local caching to improve the performance when viewing the permissions in ACL Browser and GPO Explorer.  The cache is used to cache Control Assess Rights GUIDs and resolved SIDs, this makes viewing the permissions of subsequent objects significantly faster.  ACL Browsers and GPO Explorer use the same cache to improve performance across these options.  If ACL Browser and GPO Explorer interrogate the same forest then both options will benefit from the caching.  However, when they are pointing at different forests, the cache is cleared and caching is started again when a different context is detected, resulting in an initial performance hit as the cache is reseeded.