Option 1 – Manually Report Delegated Access
(Approximate time needed per object – 30 minutes)
- Launch Active Directory Users and Computers

(To do so, click on Start, then click on Run, then type "dsa.msc" in the box and finally press Enter)
- Click on the View option in the Menu bar and select the Advanced Features option.
- Navigate to the specific user account or security group on which you wish to generate your report.
- Right-click on the object and select Properties.
- Navigate to the Security Tab by clicking on it.
- Click the Advanced button to open the Advanced Security Settings pane.
- Evaluate every entry in the Permission entries list the way an actual Active Directory access check would, to determine who is delegated which tasks on this object.
The precise details are complicated, but the following pointers help:
- Start by finding any Deny entries.
- Then look for Allow entries that conflict with those Deny entries.
- Intersect every set of conflicting permissions carefully, keeping in mind the order in which an access check applies them: explicit entries before inherited ones, and Deny before Allow within each tier. A Deny therefore only overrides an Allow of the same tier, and an explicit Allow overrides an inherited Deny.
- Expand the membership of every group named in every relevant entry, transitively, since a user can belong to several groups with conflicting permissions.
- Evaluate the membership of every well-known SID in the entries (Everyone, Authenticated Users, SELF, CREATOR OWNER) dynamically; it is determined at access-check time, not stored in the directory.
- Check the schema to determine whether create-child permissions can actually be exercised: the class named in the entry must be allowed as a child of this object's class (its possSuperiors), otherwise the entry grants nothing on this object.
- Remember that the object's owner can always read and modify its DACL, whether or not an entry says so.
- Take every such detail into account to simulate a real access check precisely.
Once this is done, you have the delegation report for this object.
- Click OK to return to the Security tab of the object's Properties dialog.
- Click OK to return to the Active Directory Users and Computers main window.
- Close Active Directory Users and Computers.
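The following PowerShell script is an added example that applies the pointers above to a single object; it is not code from the original page or from Paramount Defenses. It assumes the RSAT ActiveDirectory module is installed, that it runs as a domain user who can read the object's security descriptor, and that $TargetDn (a placeholder DN) is replaced with the object you want to report on. It walks the DACL in access-check order (explicit before inherited, Deny before Allow), resolves object-specific GUIDs to schema and extended-right names, flags well-known SIDs, expands group trustees transitively, and performs the schema check on create-child entries.

```powershell
# Added example, not code from Paramount Defenses or the page above: apply the Option 1
# pointers to one object with the RSAT ActiveDirectory module. Run as a domain user who
# can read the object's security descriptor. $TargetDn is a placeholder; replace it.
Import-Module ActiveDirectory

$TargetDn = 'CN=Jane Doe,OU=Staff,DC=corp,DC=example'   # placeholder DN, change this

# Well-known SIDs whose membership is decided at access-check time, not stored in AD.
# An ACE granted to one of these reaches far more principals than the name suggests.
$WellKnownSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-10'     = 'SELF (the object itself)'
    'S-1-3-0'      = 'CREATOR OWNER'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
}

# Map schema and extended-right GUIDs to names so object-specific ACEs are readable,
# and record each class's possSuperiors for the schema check on create-child rights.
$rootDse   = Get-ADRootDSE
$GuidName  = @{}
$Superiors = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID, objectClass, possSuperiors, systemPossSuperiors |
  ForEach-Object {
    $GuidName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName
    if ($_.objectClass -eq 'classSchema') {
        $Superiors[$_.lDAPDisplayName] = @($_.possSuperiors) + @($_.systemPossSuperiors)
    }
  }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
  ForEach-Object { $GuidName[[guid]$_.rightsGuid] = $_.displayName }

$target      = Get-ADObject -Identity $TargetDn -Properties objectClass
$targetClass = $target.ObjectClass
$acl         = Get-Acl -Path "AD:\$TargetDn"
Write-Host "Object: $TargetDn (class $targetClass)`nOwner:  $($acl.Owner)  (owner can always read and rewrite the DACL)"

# Walk the DACL in the order an access check applies it: explicit entries before inherited
# ones, and Deny before Allow within each tier. A Deny only beats an Allow of the same
# tier; an explicit Allow overrides an inherited Deny.
$ordered = $acl.Access | Sort-Object -Property IsInherited,
    @{ Expression = { if ($_.AccessControlType -eq 'Deny') { 0 } else { 1 } } }

$CreateChild = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

foreach ($ace in $ordered) {
    $tier  = if ($ace.IsInherited) { 'Inherited' } else { 'Explicit' }
    $scope = 'whole object'
    if ($ace.ObjectType -ne [guid]::Empty) {
        $scope = if ($GuidName.ContainsKey($ace.ObjectType)) { $GuidName[$ace.ObjectType] } else { "unknown GUID $($ace.ObjectType)" }
    }
    Write-Host ("{0,-9} {1,-5} {2,-35} {3} on {4}" -f $tier, $ace.AccessControlType,
        $ace.IdentityReference, $ace.ActiveDirectoryRights, $scope)

    # Schema check: a CreateChild ACE for a class that cannot be a child of this object's
    # class grants nothing here. Direct possSuperiors only; superclass inheritance is not
    # followed, so treat "not listed" as "verify in the schema", not as proof.
    if ($ace.ActiveDirectoryRights.HasFlag($CreateChild) -and $Superiors.ContainsKey($scope)) {
        if ($Superiors[$scope] -notcontains $targetClass) {
            Write-Host "    schema: $scope does not list $targetClass as a direct possSuperior"
        }
    }

    try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { Write-Host '    trustee could not be resolved to a SID'; continue }

    if ($WellKnownSids.ContainsKey($sid)) {
        Write-Host "    well-known SID $sid ($($WellKnownSids[$sid])): membership computed at access time"
        continue
    }

    # Group trustees: expand transitively, since a user carries the Allow and Deny entries
    # of every group in the closure and conflicts must be intersected per user.
    $principal = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass
    if ($principal -and $principal.ObjectClass -eq 'group') {
        $members = @(Get-ADGroupMember -Identity $sid -Recursive)
        $names   = ($members | Select-Object -First 5 -ExpandProperty SamAccountName) -join ', '
        Write-Host "    group expands to $($members.Count) leaf member(s): $names"
    }
}
```

The output is still per-object and per-trustee; turning it into "who can perform task X in this subtree" means repeating this over every object in scope and intersecting each user's effective Allow and Deny entries, which is the work the manual procedure describes and the reason it takes as long as it does.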
Option 2 – Use an Automated Solution
(Approximate time needed per object – 30 seconds)
- Launch Gold Finger.

(To do so, click on Start, then click on Programs, then on Paramount Defenses, then on Gold Finger)
- Select the administrative tasks whose delegations you wish to include in your delegation report.
- Specify the scope of your assessment by entering the distinguished name of the target AD object/tree.
- Press Enter or click the Gold Finger button.
- The Results pane lists the identities of everyone who can perform the selected task(s) within the specified scope.
- Click on Print to print your delegation report.