Viewing Active Directory Object Properties With Restricted Privileges.


I was always curious to know what happens in the background when you assign a user permissions on Active Directory objects: what privileges are required to view directory objects, and how the operating system interprets these permissions to give users the information they are entitled to.

Or, put differently:

How can a normal user with fewer privileges view additional Active Directory objects, or more of an object's properties, than they see by default?

Active Directory is a collection of objects. Applications use objects to store data in the directory, and a schema must be defined for each object class that stores data. Microsoft has implemented a robust security mechanism that prevents unauthorized access to this data with the help of several subsystems, such as LSASS (Local Security Authority Subsystem), SAM (Security Account Manager), Active Directory itself, authentication packages, credential providers and Netlogon.

To answer the above question, we should understand the Windows security model, and its most important component is the token, or access token.

A structural view of a token is shown below.

During the initial logon, LSASS creates a token containing the above information, and this access token is attached to every process and to the threads within it. Apart from the token, the other major component that determines which users may perform which actions on objects, based on their privileges, is the Security Descriptor (SD).

A security descriptor consists of several data structures that determine the access levels a user or a process can be granted. An SD contains ACLs (Access Control Lists), which in turn contain ACEs (Access Control Entries). An SD has two types of ACL: the DACL (Discretionary ACL) and the SACL (System ACL). ACEs are the entries in an ACL; each ACE is a data structure that grants or denies an access level. The diagram below should give you a clear understanding.

The eight different access control entry types under a DACL are:

A) Access allowed

B) Access denied

C) Allowed callback

D) Denied callback

E) Allowed object

F) Denied object

G) Allowed object callback

H) Denied object callback

I will now map this information onto the question asked above. The Active Directory schema can provide a security descriptor: each object class defined in the schema has a defaultSecurityDescriptor attribute.

If the creating process does not provide a DACL for a new Active Directory object, the operating system uses the DACL from the default security descriptor specified by the schema.
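To see the two pieces described above in a live forest, here is an added PowerShell example (not code from the original post). It lists the ACEs in an object's DACL, classifying each as allowed or denied and as an object ACE or a plain ACE, and then decodes the SDDL stored in a schema class's defaultSecurityDescriptor to show the DACL a new object of that class receives when the creating process supplies none. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the objects, and that the OU distinguished name and the class name "user" are placeholders for your own environment.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module; the DN and class name below are placeholders.
Import-Module ActiveDirectory

$ouDn = 'OU=Workstations,DC=example,DC=com'   # placeholder OU

# Get-Acl on the AD: drive returns System.DirectoryServices.ActiveDirectorySecurity,
# whose Access collection holds one ActiveDirectoryAccessRule per ACE in the DACL.
$acl = Get-Acl -Path ("AD:\" + $ouDn)

# Classify each ACE the way the post does: allowed vs denied, and object ACE
# (an ObjectType or InheritedObjectType GUID is present) vs plain ACE.
$acl.Access | ForEach-Object {
    $isObjectAce = ($_.ObjectType -ne [guid]::Empty) -or ($_.InheritedObjectType -ne [guid]::Empty)
    $kind = if ($isObjectAce) { 'object ACE' } else { 'plain ACE' }
    [pscustomobject]@{
        Identity        = $_.IdentityReference
        AceType         = "$($_.AccessControlType) ($kind)"
        Rights          = $_.ActiveDirectoryRights
        Inherited       = $_.IsInherited      # came from a parent via inheritance?
        AppliesTo       = $_.InheritanceType
        PropertyOrClass = $_.ObjectType       # property/class GUID for object ACEs
    }
} | Format-Table -AutoSize

# The schema's defaultSecurityDescriptor is stored as an SDDL string. Loading it
# into an ActiveDirectorySecurity object shows the DACL a new object gets when
# the creating process does not pass its own.
$schemaNc    = (Get-ADRootDSE).schemaNamingContext
$classSchema = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties defaultSecurityDescriptor
$defaultSd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$defaultSd.SetSecurityDescriptorSddlForm($classSchema.defaultSecurityDescriptor)
$defaultSd.Access |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType |
    Format-Table -AutoSize
```

Comparing the two listings for an existing object shows which of its ACEs were inherited from the parent (IsInherited) and which came from the schema default at creation time.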

So if a normal user wants to view additional properties of an object, you have two methods:

A) You can configure the DACL on the parent of the object so that it is inherited by all its children, which eliminates the need to specify it in the schema.

B) Another way to let the user view more properties is to create a delegation on the OU: right-click the OU -> Delegate Control -> Next -> Select Users -> Create a custom task to delegate -> This folder, existing objects in this folder, and creation of new objects in this folder -> Read All Properties -> Finish.
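Both methods come down to adding one inheritable allow ACE on the OU's DACL. The following added PowerShell example (not the post's own code) does what the wizard's "Read All Properties" task does: it grants a group ReadProperty with no property GUID (all properties) and inheritance type All (this object, existing children and objects created later), skips the change if an equivalent ACE already exists, and lists the result. It assumes the RSAT ActiveDirectory module, a caller permitted to modify the OU's DACL, and placeholder OU and group names.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module; the OU DN and group name below are placeholders.
Import-Module ActiveDirectory

$ouDn     = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$groupSam = 'HelpDesk-ReadOnly'                    # placeholder group

$group = Get-ADGroup -Identity $groupSam
$sid   = [System.Security.Principal.SecurityIdentifier] $group.SID

$acl = Get-Acl -Path ("AD:\" + $ouDn)

# ReadProperty with no ObjectType GUID = "Read All Properties";
# ActiveDirectorySecurityInheritance::All = the OU itself plus all descendants,
# which matches the wizard's "This folder, existing objects in this folder, and
# creation of new objects in this folder" choice.
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Only add the ACE if the group does not already hold an equivalent allow ACE.
$exists = $acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -and
    $_.ObjectType -eq [guid]::Empty -and
    $_.InheritanceType -eq 'All'
}
if (-not $exists) {
    $acl.AddAccessRule($rule)
    Set-Acl -Path ("AD:\" + $ouDn) -AclObject $acl   # writes the modified DACL back
}

# Verify: show the ACEs on the OU that now apply to the group.
(Get-Acl -Path ("AD:\" + $ouDn)).Access |
    Where-Object { $_.IdentityReference -like "*\$groupSam" } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights,
                 InheritanceType, IsInherited -AutoSize
```

Running the Get-Acl listing against a child object of the OU afterwards shows the same ACE with IsInherited set to True, which is the inheritance behaviour method A relies on.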

The post above has described the components involved in determining access to an object and how the operating system authenticates users.


2 thoughts on “Viewing Active Directory Object Properties With Restricted Privileges.”

  1. Hi,

    Thanks for taking the time to share helpful information regarding Active Directory permissions.

    I thought I’d share something helpful with you and your blog readers. I don’t know if you’ve ever tried to view and analyze an Active Directory ACL, but if you have, then you’ll hopefully agree that it’s not easy to view AD ACLs using native AD tools, especially when you’re trying to identify all permissions that grant a specific right to someone, such as Create Child.

    I work for Paramount Defenses Inc, a valued Microsoft partner, led by former Microsoft Program Manager for Active Directory Security. We build high-value Active Directory Security Audit Tools. One of our tools, called Gold Finger offers the industry’s most capable Active Directory ACL Analysis capabilities, as it breaks down each individual permission-type in a permission in its own column.

    As a result, trying to find out which permissions grant a specific user Create-Child permissions (including any Full Control ACEs) becomes as easy as touching a button. In fact, you can sort the entire ACL based on any field, including all permission fields, so we make it very easy to analyze Active Directory ACLs.

    Today, we help organizations in 5 continents worldwide, and in fact, even Microsoft IT uses our solution to view and analyze ACLs in Active Directory. I thought I would share this with you in case you too find it useful.

    Kindest Regards,
    Andrew
