Active Directory Permissions Search

A glimpse of the new Power Search feature

The new “Power Search” feature lets you run granular searches and analysis of permissions in your Active Directory. You define queries against the permissions on AD objects, and you can set the scope of the search within the Active Directory Options to cover default permissions and selectively assigned permissions, which allows an extensive search.

Let’s take a look at the step-by-step approach to using the Power Search wizard.

Fig #1: Power Search tool bar

This is the Power Search tool bar. Choose the ‘Permissions’ option.

Step #1: Select the Domain

Step #2: Select the Access Control Entry

Step #3: Specify the scope

Step #4: Select the Accounts

Step #5: Selection Summary

This wizard page shows a summary of the search settings, based on the options you selected in the previous steps.

Step #6: Search results

The Power Search Manager

Using this wizard, you can create, edit, delete, view and run any Power Search task.

Fig #3: Power Search Manager Wizard

Fig #4: Power search settings

Understand the Power Search feature better with a few sample scenarios

Scenario #1: Members having ‘Reset Password’ ACEs

Scenario #2: Members who can delete Organizational Units

Scenario #3: Members who can delete or create users & groups

Scenario #4: Members who have Full control ACEs

Fig #2: Report settings of ‘Full control’ ACE

Scenario #5: Members who are authorized to create or delete tasks in the AD environment

Scenario #6: Members who can alter AD objects

Scenario #7: Members who have extended rights

Scenario #8: Search for those ACEs that have an impact on your AD security & integrity

The most interesting news is that the Delegation Control wizard has one more feature: it now conducts an implicit search for the explicitly assigned ACEs when a particular delegated task is chosen. In other words, you may search for the permissions that are assigned by default while delegating rights to the OU accounts and containers.

Scenario #9: Members who have the ‘Reset Password’ ACE as the delegated task

Fig #3: Report settings of ‘Reset password’ ACE

Scenario #10: Members who have explicit Allow/Deny non-inherited ACEs on OU objects

Fig #4: Report settings of ACE type ‘Explicit Allow’

Explicit Deny

Fig #5: Report settings of ACE type ‘Explicit deny’

Fig #6: Delegation Control Wizard
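
The searches in Scenarios #1, #4, #9 and #10 can be cross-checked from the command line. The script below is an added example, not part of ARK for Active Directory or the original page. It assumes the RSAT ActiveDirectory PowerShell module (which provides the AD: drive) and read access to the OUs; the function name Get-OuExplicitAce is hypothetical.

```powershell
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl

# Control-access right "Reset Password" (User-Force-Change-Password)
$ResetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'
$AllRights     = [guid]::Empty   # empty ObjectType = ACE covers every extended right

function Get-OuExplicitAce {     # hypothetical helper name
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $adRights = [System.DirectoryServices.ActiveDirectoryRights]
    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        $ou = $_.DistinguishedName
        foreach ($ace in (Get-Acl -Path "AD:\$ou").Access) {
            if ($ace.IsInherited) { continue }          # explicit ACEs only

            $rights  = $ace.ActiveDirectoryRights
            $finding = if ($rights -eq $adRights::GenericAll) {
                'Full control'
            } elseif (($rights -band $adRights::ExtendedRight) -and
                      ($ace.ObjectType -eq $ResetPassword)) {
                'Reset Password'
            } elseif (($rights -band $adRights::ExtendedRight) -and
                      ($ace.ObjectType -eq $AllRights)) {
                'All extended rights (includes Reset Password)'
            } else {
                'Other explicit ACE'
            }

            [pscustomobject]@{
                OU        = $ou
                Trustee   = $ace.IdentityReference
                Type      = $ace.AccessControlType      # Allow or Deny
                Finding   = $finding
                Rights    = $rights
                AppliesTo = $ace.InheritanceType        # None, All, Descendents, ...
            }
        }
    }
}

# Report only the high-impact explicit ACEs, grouped by OU
Get-OuExplicitAce |
    Where-Object Finding -ne 'Other explicit ACE' |
    Sort-Object OU, Trustee |
    Format-Table -AutoSize
```

Built-in trustees such as SYSTEM and Domain Admins appear in the output because the default OU security descriptor grants them explicit ACEs; review the remaining trustees against the delegations you intended.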

A quick recap of the “Power Search” feature

- Search for unauthorized access
- Find out the access permissions of members in the Active Directory
- Know their authorized actions
- Quickly search for members who can read objects in the confidential OUs and containers
- Track certain unauthorized users and put a stop to security and integrity issues caused by them
- Track those unnoticed deleted/disabled accounts, dummy SIDs, outdated users and their permissions

If you are interested in exploring these new features, please follow the link below to download a 30-day trial version of ARK for Active Directory software.

http://www.vyapin.com/products/active-directory-audit/active-directory-reports