Friday, October 26, 2012

Permissions Analyzer for Active Directory

It has been quite some time since I blogged. I had started this blog in 201 when I was between jobs. Since I started my previous job, things have been very busy, leaving no time for blogging.

Anyway, as a part of my job responsibilities at work, I was recently tasked with performing an audit of our Active Directory Security, and in particular, auditing who had what permissions in our Active Directory.

So I went looking for a tool to analyze permissions in our Active Directory. My research was largely restricted to searching the Internet on Google, and I came across two products that could do this for us - one was a free tool called Liza, and one was called Gold Finger for Active Directory. I tried them both out and I was really impressed with one of them, so I thought of blogging about it.

Permission Analyzer for Active Directory

In my opinion, Gold Finger for Active Directory is the best permissions analyzer for Active Directory because it allowed us to do exactly what we needed to do, i.e. find out who has what permissions where in our Active Directory, and how.

In addition, it also allowed us to look for specific permissions anywhere in the Active Directory.

For example, we needed to find all Explicit Allow Reset Password Extended Right permissions in a specific OU, and we were able to do so in about 30 seconds, because it let us specify that exact combination of permission attributes to select, and it then searched the OU for all objects whose ACL contained security permissions matching this combination.
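As an added example that is neither the blog's nor Gold Finger's code, the following PowerShell function performs the same search with the RSAT ActiveDirectory module: it resolves the GUID of the Reset Password extended right from the forest's schema rather than hard-coding it, then lists every explicit (non-inherited) Allow ACE that grants that right on any object under an OU. The function name and the OU distinguished name are placeholders.

```powershell
# Added example, not from the blog or the Gold Finger product.
# Requires the ActiveDirectory module (RSAT) and the AD: PSDrive it provides.
Import-Module ActiveDirectory

function Find-ResetPasswordAces {
    param(
        # Placeholder OU, e.g. "OU=Staff,DC=corp,DC=example"
        [Parameter(Mandatory)] [string] $SearchBase
    )

    # Look up the "Reset Password" control access right in the Extended-Rights
    # container so the script works in any forest without a hard-coded GUID.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=Reset Password))" `
        -Properties rightsGuid
    $resetPwdGuid = [guid]$right.rightsGuid

    # Walk every object under the OU (including the OU itself) and read its DACL.
    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter * | ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            # Match exactly the combination from the post:
            # explicit (not inherited) + Allow + ExtendedRight + Reset Password GUID.
            if (-not $ace.IsInherited -and
                $ace.AccessControlType -eq 'Allow' -and
                ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
                $ace.ObjectType -eq $resetPwdGuid) {
                [pscustomobject]@{
                    Object    = $dn
                    Trustee   = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights
                    AppliesTo = $ace.InheritanceType
                }
            }
        }
    }
}

# Usage with a placeholder OU:
Find-ResetPasswordAces -SearchBase "OU=Staff,DC=corp,DC=example" | Format-Table -AutoSize
```

Note that this deliberately matches only the exact combination the post describes: an ExtendedRight ACE whose ObjectType is the all-zero GUID (every extended right), or a GenericAll ACE, also confers the ability to reset passwords, so widen the filter if a full audit of who can reset passwords is the goal.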

We also reviewed LIZA, but it was not half as capable, because it lacked many capabilities, most importantly the ability to specify the exact permissions we wanted to look for. Besides, it is free, and our security policies do not allow us to deploy free products in our environment.

Gold Finger also has half a dozen other capabilities, but we were mostly interested in its permission analyzer capabilities for Active Directory, so that is the only capability we reviewed.

If you're looking for a good permission analyzer for Active Directory, I recommend checking it out.

  1. Aaron,

    I came across your blog while searching for Permissions Analyzer for Active Directory.

    I first learnt about Gold Finger on the Active Directory Security Forum, ActiveDirSec.Org, and since have tried it and found it to be very useful.

    There is a helpful post on how to view Active Directory (AD) security permissions and perform ACL / permissions analysis that I found useful as well.

    If you too come across other AD tools that are worthy of reviewing, please let me know and I will be happy to review them on my blog.


  2. Hi Aaron,

    I just wanted to say that while it's helpful to be able to analyze permissions in Active Directory, you still have to do some work to try and find out who is actually delegated what access on an Active Directory object.

    I just shared a note on How to Find Out Who is Delegated What Access on an Active Directory Object? and the funny thing is my solution involves using Gold Finger as well.

    I don't know if you've tried its Effective Delegated Access Reports capability, but that's what I'm using to get the job done.