SmartProfiler’s AD Permissions Analyzer and Fixer is a nice feature that was added as part of SmartProfiler Version 6.4. An Active Directory assessment requires that your Active Directory permissions are checked completely to ensure there are no abusable permissions defined in the Active Directory. The AD Permissions Analyzer & Fixer can be used to collect permissions defined on Organizational Units and Tier 0 Objects. To open Permissions Analyzer & Fixer, please click on the “AD Perm Analyzer” button under the Active Directory pane in the left pane, which, in turn, will show below screen:
To start collecting permissions from an Active Directory environment, click on “Collect Permissions” button, which, in turn, will show below window:
Please note you can collect full permissions dump and only collect abusable permissions in an Active Directory domain. To start collecting the permissions, select an AD Domain from the “Select AD Domain” dropdown and then select below options:
It is important to note that the console can only show the abusable permissions. The full permissions dump cannot be shown in the console.
To start collecting permissions click on “Start Collection” button. The process will start collecting the permissions in the selected AD domain and then result will be shown in the log file. The process might take some time depending on the number of Organizational units in the environment. Once the permissions have been collected for both Organizational units and Tier 0 Objects the console will refresh automatically and load the permissions.
The AD Perm Analyzer is capable of analyzing Organizational Units and Tier-0 Objects permissions. In case permissions doesn’t load automatically, please load permissions manually, by selecting the AD Domain and the permissions type to load as shown below:
If you need to switch to Tier 0 Objects Permissions, please select “Tier 0 Objects Permissions” from the dropdown menu and then click on the “Load Permissions” button. The permissions can be exported to an excel file by clicking on the excel icon.
In the Permissions Console, you can see in the left side the console displays all permissions assigned to each organizational unit/Tier-0 Objects and in the right side you can see all available Rights found when permissions were collected, and non-admins assigned to each right.
The above screen displays permissions collected for organizational units in “DynamicPacks.net” AD domain. The center grid displays all permissions assigned to the principals and right pane provides you the ability to filter the permissions. For example, we can see “WriteProperty” permission is assigned to User1104 and Everyone account. The column also displays the list of organizational units which are affected by the WriteProperty permission.
Similarly, you can load permissions for Tier-0 Objects for selected AD Domain and then analyze the permissions assigned to all Tier-0 Objects.
You can learn more about the Active Directory permissions here.
Try SmartProfiler, a unified tool to help with security evaluation across many Microsoft technologies.