Today Active Directory Security has become mission-critical to organizational security worldwide and thus mission-critical to Cyber Security worldwide. On this blog, former Microsoft Program Manager for Active Directory Security, and today, CEO of Paramount Defenses, shares valuable technical insights on Active Directory Security.


Tuesday, October 16, 2018

Mimikatz DCSync Detection


I trust this finds you doing well. I know so many of you are waiting for me to answer the question - What's the World's Most Important Active Directory Security Capability? but before I did so, I just wanted to address something very simple and vital.

Mimikatz DCSync Detection ?! ;-)

If you're into Cyber Security, unless you live on another planet, by now you know that at the very foundation of cyber security worldwide lies Microsoft Active Directory, the directory within which lie not just everyone's accounts and passwords, the computer accounts of every single domain-joined machine, and every single domain security group used to protect the entirety of an organization's IT assets, but also the proverbial "Keys to the Kingdom!"

By the way, this isn't some secret - this is CYBER SECURITY 101 that millions of IT personnel, IT managers, CISOs and just about everyone in IT ought to know by now, considering that Active Directory has been around for almost two decades!

Alright, fast forward...

A few years ago, a remarkably intelligent and talented Benjamin Delpy introduced a new feature in his hacking tool Mimikatz, and that feature was called Mimikatz DCSync. In essence, if you can run Mimikatz DCSync against an Active Directory, you can instantly obtain access to the credentials of literally everyone who has a domain account in that domain - we're talking the accounts of literally everyone, from Domain Admins to the CISO and from the Enterprise Admin to the CEO, etc. etc.

Now, technically, DCSync impersonates a domain controller: it uses the Directory Replication Service (DRS) remote protocol to ask a real domain controller to replicate directory content, including secrets (i.e. password hashes), exactly as a peer domain controller would. Anyone whose effective permissions on the domain naming context include the replication extended rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) can run Mimikatz DCSync, and within minutes be the proverbial God!
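An added example, not the author's tooling, of answering the question this paragraph raises, namely who currently holds those rights, using the RSAT ActiveDirectory PowerShell module. It reads the domain head's ACL, keeps only ACEs that grant a replication extended right (or all extended rights, which is how the GenericAll grants of Domain Admins and Enterprise Admins show up), and expands groups to accounts. It is an ACL walk with group expansion, not the effective-permissions calculation this blog argues for: Deny ACEs, object ownership, and WriteDacl/WriteOwner holders who could grant themselves the right are not accounted for. The extended-right GUIDs are the well-known schema values; the domain, group and account names are whatever your domain returns.

```powershell
# Added example (not from the original post or its author). Lists the principals
# explicitly granted the replication extended rights on the domain head and expands
# groups so the result names accounts. Requires the RSAT ActiveDirectory module and
# read access to the domain head's security descriptor.
Import-Module ActiveDirectory

# Extended-right GUIDs DCSync relies on (the first two suffice for a full domain).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# ObjectType of an ACE that covers every extended right (also what GenericAll carries).
$AllExtendedRights = '00000000-0000-0000-0000-000000000000'

function Get-ReplicationRightAces {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        # GenericAll includes the ExtendedRight bit, so HasFlag catches it as well.
        if (-not $ace.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
        $guid = $ace.ObjectType.ToString()
        if     ($ReplicationRights.ContainsKey($guid)) { $right = $ReplicationRights[$guid] }
        elseif ($guid -eq $AllExtendedRights)          { $right = 'All extended rights' }
        else                                           { continue }   # some other extended right
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Right     = $right
            Type      = $ace.AccessControlType     # Allow or Deny
            Inherited = $ace.IsInherited
        }
    }
}

function Expand-GroupMembers {
    # Returns the accounts behind a 'DOMAIN\name' identity. Domain groups are expanded
    # recursively; anything that is not a resolvable domain group is returned as-is
    # (well-known principals such as NT AUTHORITY\SYSTEM, unresolved SIDs, users).
    param([Parameter(Mandatory)][string]$Identity)
    $name  = $Identity.Split('\')[-1]
    $group = Get-ADGroup -Filter { SamAccountName -eq $name } -ErrorAction SilentlyContinue
    if (-not $group) { return $Identity }
    try {
        Get-ADGroupMember -Identity $group -Recursive |
            ForEach-Object { "$($_.objectClass): $($_.SamAccountName)" }
    } catch {
        "$Identity (could not expand: $($_.Exception.Message))"
    }
}

$aces = Get-ReplicationRightAces
$aces | Format-Table -AutoSize

# Accounts that end up with Get-Changes-All or broader, i.e. can replicate secrets.
$aces |
    Where-Object { $_.Type -eq 'Allow' -and $_.Right -in 'DS-Replication-Get-Changes-All', 'All extended rights' } |
    ForEach-Object { Expand-GroupMembers -Identity $_.Identity } |
    Sort-Object -Unique
```

In a default domain the Allow entries are typically Administrators, Domain Admins and Enterprise Admins (via GenericAll), Domain Controllers, Enterprise Domain Controllers and Enterprise Read-only Domain Controllers; any other identity, for instance a service account that an application installer added, is precisely the kind of grant a lockdown removes. Editing the GUID table and the target DN turns the same walk into an answer for other "who can" questions, for example the Reset Password extended right (00299570-246d-11d0-a768-00aa006e0529) on a privileged user, with the same caveat that only an effective-permissions calculation gives a definitive answer.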

So, what happens? In time, Mimikatz DCSync finds global fame and glory; it becomes a must-have tool in the arsenal of these so-called kiddish Red Teams and Blue Teams, and today there's no dearth of cyber security experts who blog about Mimikatz DCSync, sharing with the world its usage, how to exploit it, and in particular how to detect it!

Here are a few random blogs a Google search seemed to suggest -
  1. Mimikatz DCSync Usage, Exploitation, and Detection
  2. Mimikatz and DCSync and ExtraSids, Oh My
  3. Modern Active Directory Attack Scenarios and How to Detect Them
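What those detection write-ups boil down to, as an added example that is not from the original post or from any of the blogs listed above: a Security event 4662 whose Properties name a replication extended right, raised by a subject that is not a domain controller's computer account. The three records below are constructed samples, not captured events, so the filter can be exercised offline; the commented `Get-WinEvent` line applies it to a live DC. On a real DC such a 4662 is only written if the "Audit Directory Service Access" subcategory is enabled and the domain head's SACL audits the replication extended rights.

```powershell
# Added example (not from the original post). Simple DCSync detection logic over
# Security event 4662 message text. A hit is any 4662 whose Properties list a
# replication extended right and whose subject is not a domain controller account.
$ReplicationGuidPattern = '1131f6a[ad]-9c07-11d1-f79f-00c04fc2dcd2|89e95b76-444d-4c62-991a-0facbeda640c'

function Test-DCSyncEvent {
    param(
        [Parameter(Mandatory)][string]$Message,      # text of one 4662 event
        [string[]]$DomainControllerAccounts = @()    # sAMAccountNames such as 'DC1$'
    )
    $hits = [regex]::Matches($Message, $ReplicationGuidPattern)
    if ($hits.Count -eq 0) { return $null }           # not a replication request at all
    # The first "Account Name:" in a 4662 belongs to the Subject block.
    $subject = if ($Message -match 'Account Name:\s+(\S+)') { $Matches[1] } else { '<unknown>' }
    $object  = if ($Message -match 'Object Name:\s+(.+)')   { $Matches[1].Trim() } else { '' }
    # Domain controllers replicate with each other legitimately; everything else is suspect.
    if ($DomainControllerAccounts -contains $subject) { return $null }
    [pscustomobject]@{
        Subject = $subject
        Object  = $object
        Rights  = ($hits | ForEach-Object { $_.Value }) -join ', '
    }
}

# Constructed sample record (abridged 4662 text); the other two are derived from it.
$sampleAttack = @'
An operation was performed on an object.
Subject:
    Account Name:   alice
    Account Domain: CORP
Object:
    Object Type:    domainDNS
    Object Name:    DC=corp,DC=example
Operation:
    Accesses:       Control Access
    Properties:     Control Access
        {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
        {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
'@
# Same request from a DC's computer account (benign replication).
$sampleDcReplication = $sampleAttack.Replace('Account Name:   alice', 'Account Name:   DC2$')
# Same subject, but the Properties name an unrelated GUID (not a replication right).
$sampleUnrelated = $sampleAttack -replace '1131f6a[ad]-9c07-11d1-f79f-00c04fc2dcd2', 'bf967a86-0de6-11d0-a285-00aa003049e2'

# Assumed DC computer accounts; live: (Get-ADDomainController -Filter *).Name | ForEach-Object { $_ + '$' }
$dcs = @('DC1$', 'DC2$')
$sampleAttack, $sampleDcReplication, $sampleUnrelated |
    ForEach-Object { Test-DCSyncEvent -Message $_ -DomainControllerAccounts $dcs }
# Only the first sample is reported: Subject alice, Object DC=corp,DC=example.

# Against a live domain controller's Security log:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } |
#     ForEach-Object { Test-DCSyncEvent -Message $_.Message -DomainControllerAccounts $dcs }
```

Note the blind spots: an attacker who has already compromised a DC's computer account, or who replicates from a host whose events never reach the SIEM, produces nothing this filter sees, which is part of why the rest of this post treats detection as a last resort rather than a control.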

Now, please pardon me for (what's that millennial lingo again, yes) LOL ROFL, but seriously, if the best an organization can do is DETECT the use of Mimikatz DCSync, that's HILARIOUS, because that's sort of like, well, let me paint you a picture:

A Billion $ Organization or for that matter a Government Agency having to rely on detection of Mimikatz DCSync is akin to ....

... let's assume a SNIPER takes a shot at a target from point blank range, and the best those protecting the target can do is try and detect the bullet in flight milliseconds before it hits its target. Well, I shouldn't have to complete the sentence for you.

Here's the Trillion $ point - if an organization is having to rely on the DETECTION of the use of Mimikatz DCSync, it's too late.

From the Domain Admin to the CISO, it's time to go home and find another job, because it would already have been too late. You're done. Once a malicious perpetrator has gained administrative access in even a single Active Directory domain, those who know anything about Active Directory Security will tell you that you've lost the entire Active Directory forest. Oh, and if you think you could easily recover that forest from a trusted forest, you've likely been getting some amateur advice ;-)

Mimikatz DCSync Mitigation

I cannot stress this enough - this is not a risk that can be addressed by detection. It needs to be mitigated and today, every single organization that operates on Microsoft Active Directory can easily mitigate the risk posed by Mimikatz DCSync. I've already spent enough time educating the world about this, so I'm not going to waste one more precious minute on this.

For every org that wants to learn how to do so - How to Lockdown Active Directory to Thwart the Use of Mimikatz DCSync

Incidentally, the astute mind will observe that, whether it be mitigating the risk posed by Mimikatz DCSync or securing access to just about anything and everything in Active Directory, all that organizations worldwide (including likely the $800 Billion Microsoft) require is one single, fundamental cyber security capability - The Most Important Active Directory Security Capability in the World.

A Request to All Experts Out There

To all cyber security experts and cyber security companies (including Microsoft) out there, I have a request - if you truly know Active Directory Security, let's see you go beyond helping the world learn how to use, exploit and detect Mimikatz DCSync...

...let's see you teach the world how to actually mitigate this risk, perhaps with an example, for when you get there, you'll likely realize that not a single object in any Active Directory domain worldwide can be adequately secured without possessing this.

Alright, that's it, I'm not wasting one more minute of my precious time on this little distraction of a thing called Mimikatz DCSync.

After all this dry stuff, perhaps I should end on a humorous note - Time to Ignite an Intellectual Spark at Microsoft Ignite 2018 ;-)

Best wishes,

Monday, October 1, 2018

Did Anyone at Microsoft Ignite 2018 Know the Answer To This Question?


Last week, thousands of IT professionals, managers, CISOs and CIOs were in Orlando, attending, well, Microsoft Ignite 2018 !

Image courtesy Microsoft.

Not surprisingly, the Microsoft Ignite Conference had SOLD OUT!  There were 900+ sessions, 100+ instructor-led technology workshops, 60+ Microsoft Immersion workshops, and 50+ hands-on labs with access to expert proctors! That's great!

Did I mention that likely hundreds of Microsoft's own experts were also there, and collectively, they covered numerous vital areas such as Securing the Enterprise, Simplified IT Management, Identity, Access & Compliance, Enterprise Security etc.

So, with over 1000 sessions, 1000s of attendees, access to "expert proctors", and 100s of Microsoft's very own IT experts, one would hope THERE MUST'VE BEEN AT LEAST ONE PERSON AT MICROSOFT IGNITE 2018 who could have answered A VERY SIMPLE QUESTION -

       Question: What's The World's Most Important Active Directory Security Capability?

This is paramount, and here's why. In case you're wondering why anyone, and everyone who attended Microsoft Ignite 2018 should care about this question AND know the answer, it's because in any Microsoft Windows Server based IT Infrastructure, NOT A SINGLE ONE of the many vital areas listed above i.e. Securing the Enterprise, Simplified IT Management, Identity, Access & Compliance, Enterprise Security etc. can be adequately addressed without involving Active Directory Security.

In fact, here's proof - 

Not a single one of the following fundamental cyber security / Windows security questions can be answered without knowing the answer to the question above and possessing that capability -

  1. Who can reset the passwords of any/every Domain Admin in an organization?

  2. Who can disable two-factor authentication on privileged and other domain user accounts?

  3. Who can change the membership of the Domain Admins group, or of any domain security group?

  4. Who can use Mimikatz DCSync to completely compromise the credentials of all domain user accounts?

  5. Who can delete an(y) Organizational Unit (OU) in a(ny) of the organization's Active Directory domains?

  6. Who can link a malicious group policy to an OU to instantly compromise all domain computer accounts in that OU?

  7. Who can modify the attributes of a mission-critical service's service connection points to instantly render it useless?

  8. Who can set the "Trusted for Unconstrained Delegation" bit on a server's domain account to compromise security*?

  9. Who can create, delete and manage domain user accounts, domain security groups, OUs etc. in Active Directory?

  10. Who can control/change privileged access as well as delegated access within and across the entire Active Directory?

Each and every single organization whose IT personnel / CISOs attended Microsoft Ignite 2018 (including Microsoft itself) must have precise answers to each and every one of the above listed fundamental cyber security questions at all times.

So, if anyone who attended Microsoft Ignite 2018 (including Microsoft's own experts) knows the answer to this 1 question, please be my guest and answer the question by leaving a comment at the end of that blog post, and you'll earn my respect.

If you don't know the answer, I highly recommend reading, one, two and three, because without knowing the answer to this question (and without possessing this capability,) you cannot secure anything in an Active Directory based Windows network.

The last time I checked, virtually the whole world runs on Active Directory.

Best wishes,

Friday, September 28, 2018

A Few Notable Names in the Active Directory (AD) / AD Security Space


Today I wanted to take a moment to share a few notable names in the Active Directory space, of those individuals who I feel have done a lot to help IT admins and IT personnel worldwide better understand Active Directory and Active Directory Security.

Oh, and for those wondering who I am to come up with such a list, I'm a nobody whose work however likely impacts everybody, and here's a very small sample of my work -
  1. AdminSDHolder
  2. Kerberos Token Bloat
  3. Mimikatz DCSync Mitigation
  4. Active Directory Privilege Escalation
  5. Active Directory Effective Permissions 
  6. Active Directory ACLs - Attack and Defense
  7. How to Discover Stealthy Admins in Active Directory
  8. How to Thwart Sneaky Persistence in Active Directory 
  9. How to Easily Solve the Difficult Problem of Active Directory Botnets
  10. and of course, the 30-day series on Active Directory Security School for Microsoft

BTW, in the next few days, you can expect much more, including What Constitutes a Privileged User in Active Directory, The Most Important Active Directory Security Capability, How to Make an Organization's Domain Admins Powerless in 2 Minutes, How to Actually Secure and Defend an Active Directory, Breach to 0wned in 5 Minutes, Defending Active Directory and more.

But this isn't about me, so lets keep reading.

A Few Notable Names in the Active Directory / Active Directory Security Space

Without further ado, I'd like to take a moment to share a few notable names in the Active Directory / Active Directory Security space, as I feel that in the last 10 to 20 years, these individuals have done a lot to help hundreds of thousands (if not millions) of IT admins and personnel worldwide better understand various aspects of Active Directory and Active Directory Security.

So here's a list of a few notable folks in the Active Directory space, listed in no particular (i.e. random) order -

  1. Joe Richards - Joe is one of the most knowledgeable and experienced folks in the Active Directory space.

  2. Daniel Ulrichs - Daniel is one of the most knowledgeable and experienced folks in Active Directory Security.

  3. Christoffer Andersson - Christoffer, a longtime Directory MVP is very knowledgeable in Active Directory.

  4. Robbie Allen - Robbie needs no introduction in the space and is the author of multiple books on Active Directory. 

  5. Santhosh Sivarjan - Santhosh has been working on Active Directory for years and is very knowledgeable.

  6. Guido Grillemeier - Guido is amongst the most knowledgeable and finest Active Directory Security experts out there.

  7. Brian Desmond - Brian is a recognized Microsoft infrastructure expert with years of experience.

  8. Derek Seaman - Derek is a highly experienced Active Directory practitioner, now focused on virtualization.

  9. Sander Berkouwer - Sander is a multiple-time Directory Services MVP and has been working on AD for years.

  10. John Craddock - John is an accomplished Microsoft MVP who has been working on AD since pre-Windows 2000.

  11. Alistair G. Lowe-Norris - Alistair too needs no introduction and is the author of several books on Active Directory. 

  12. Jorge de Almeida Pinto -  Jorge, a multiple time MVP, is a highly experienced Active Directory consultant/engineer.

  13. Brian Puhl - Brian is a highly experienced Active Directory Domain Admin, and is one of Microsoft IT's finest.

  14. Gil Kirkpatrick - Gil is one of the most recognized and experienced Active Directory experts out there.

  15. John Savill - John is an 11-time Microsoft MVP currently focused on Microsoft Azure.

  16. Ulf Simon-Weidner - Ulf is an 8-time MVP, an MCT, and has been working on Active Directory since Windows 2000.

  17. Sean Deuby - Sean is a highly experienced IT Architect and has been working on Active Directory since Windows 2000.

  18. Jimmy Andersson - Jimmy is a highly experienced AD expert, and has been awarded Microsoft MVP for 20 years now.

  19. Mark Parris - Mark is an experienced AD consultant with almost two decades of experience on Active Directory.

  20. Jackson Shaw - Jackson is a longtime Active Directory veteran, who is very knowledgeable and well-known. 

In my opinion, the work, efforts and contributions of these individuals, whether it be in the form of sharing knowledge on blogs, answering questions on forums, providing feedback, presenting at conferences, or helping organizations directly, have likely helped millions of IT folks worldwide better understand various aspects of Active Directory and Active Directory security.

There are many more folks out there who have been working on Active Directory and Active Directory Security for years now, such as the hundreds of incredible folks who work for Microsoft Consulting Services, as well as other organizations in the Active Directory space such as Quest Software, HP Services and others, so if I may have unintentionally missed a few names I'm sorry. If you know of someone whose name you feel should be on this list, please leave me a comment below to let me know.

In addition, there are also a few notable newcomers to the Active Directory / Active Directory Security space who have been working very hard and are making an impact, and this post wouldn't be complete without recognizing the newcomers as well, so here they are (shared in random order) - Sean Metcalf, Andy Robbins, Will Schroeder and Lucas Bouillot to name a few.

Of course, I should also mention that in the list above, I haven't included my former Microsoft colleagues on the Active Directory Dev Team, because if I did so, the list would be long. Oddly enough, I think most of them may be working on Azure now ;-)

That's all for today. In the next two weeks, I'm going to answer this question to help Microsoft and organizations worldwide.

Best wishes,

Monday, September 24, 2018

Pardon the Absence, and Get Ready!


Hello again. I trust this finds you all doing well. It has been a few weeks since I last blogged. I hope you'll pardon my absence.

Yes I was supposed to answer a rather important question, in fact, possibly the world's most important cyber security question, for the whole world, back in July, but I had to postpone doing so, for a few good reasons, which I may reveal in days to come.

Let's just say that amongst other things (e.g. a rather interesting trip across the Atlantic), I was working on finalising a project that directly impacts cyber security worldwide today, you know, the kind of stuff that even James Bond doesn't have yet!

By the way, speaking of Mr. Bond, as you probably know, I'm a huge fan, so thought I'd share a catchy tune with you -

Oh, that project I was working on is almost over (i.e. RC1), so it's time for me to get back to blogging, and... well, get ready!

Best wishes,

Monday, July 9, 2018

What's The World's Most Important Active Directory Security Capability?


A few days ago, I had asked likely the most important Cyber Security question in the world today, one that today DIRECTLY impacts the foundational cyber security of 1000s of business and government organizations across 190 countries worldwide.

Here It Is -

What Is the 1 Essential Cyber Security Capability Without Which NOT a Single Active Directory object, domain, forest or deployment can be adequately secured?

I had even provided a hint - it controls exactly who is denied and who is granted access to literally everything within Active Directory, and it comes into play every time anyone accesses anything in any Active Directory domain in any organization.

Thus far, thousands of IT professionals from across the world, including some of the world's most famous/renowned Windows and Active Directory Security experts and CISOs, as well as Microsoft employees, have all seen the question on my blog.

Unfortunately, not ONE individual in the world (okay, except one) has answered this ONE most simple and basic question yet!

Why Not?

Do organizations worldwide NOT know the answer, OR are they afraid to answer it because they don't possess this capability?

Let's find out. To help organizations worldwide, including Microsoft, figure out the answer, I'm going to give a few more hints.

A Few More BIG Hints

Ladies and Gentlemen, NOT a single organization in the world whose IT infrastructure operates on Microsoft Active Directory, can fulfill even ONE of the following mission-critical IT and cyber security needs without possessing this ONE capability -

  1. Adequately secure their foundational Active Directory

  2. Adequately mitigate the risk posed by the use of Mimikatz DCSync

  3. Adequately mitigate the risk posed by Active Directory Privilege Escalation

  4. Accurately identify privileged users in their foundational Active Directory domains

  5. Accurately discover stealthy admins in their foundational Active Directory domains

  6. Adequately protect all organizational computers and user accounts (including C*O accounts)

  7. Adequately secure mission-critical Active Directory integrated applications (e.g. Exchange, Centrify)

  8. Securely integrate their on-premises Active Directory deployments with Microsoft Azure in the "Cloud"

  9. Correctly demonstrate regulatory compliance of privileged access provisioned within their Active Directory

  10. Reliably control the distribution and delegation of administrative authority in their foundational Active Directory

Let me repeat it again so there is NO ambiguity - not a single one of the above mission-critical IT and cyber security needs can be fulfilled without possessing this ONE capability, only because it is technically impossible to do so without this ONE capability.

I'll Make it Easy

Ladies and Gentlemen, Active Directory has been around for almost two decades now, and yet most organizations worldwide do not currently possess this ONE essential, fundamental and paramount cyber security capability yet. The reason they don't currently possess it is likely that they may not even know about it, and that sounds as unbelievable to me as it does to you!

If they haven't figured it out in almost TWO decades, they're not likely to figure it out on their own, so let me make it easy for them.

It is ONE of the following five Active Directory Security Capabilities -
  1. Active Directory Auditing
  2. Active Directory Permissions/ACL Analysis
  3. Active Directory Effective Permissions/Access
  4. Microsoft Advanced Threat Analytics (aka ATA)
  5. <You can throw in all the latest buzzwords here e.g. Privileged Identity/Account Management, Zero Trust, blah blah etc >

Here's one FINAL hint. If you possess this ONE capability (on the right object in Active Directory,) then you can also easily turn off i.e. deactivate, disable, and/or render useless, all of the other listed security capabilities in an Active Directory deployment!

So, which ONE is it ?

Make No Mistake + Only Two Kinds of Organizations

Make no mistake about it - one simply CANNOT adequately protect anything in any Active Directory WITHOUT possessing this ONE capability, and thus one simply cannot protect the very foundation of an organization's cyber security without possessing this ONE paramount cyber security capability. It unequivocally is as remarkably simple, elemental and fundamental as this.

Thus, today there are only two kinds of organizations worldwide - those that possess this paramount cyber security capability, and those that don't. Those that don't possess this essential capability do not have the means to, and thus cannot adequately protect, their foundational Active Directory deployments, and thus by logic are provably and demonstrably vastly insecure.

My Concern - This Impacts Organizational Security Worldwide

I hope that with the hints I've provided above, organizations worldwide will finally realize what this ONE essential capability is.

More importantly, I hope that at organizations worldwide, IT personnel, Domain Admins, CISOs and CIOs realize and recognize that without possessing this ONE essential and paramount Active Directory Security capability, their $ Billion organizations may currently be operating on a highly vulnerable foundation, which is a matter so serious that it should concern all stakeholders.

I'll answer this question sometime between now and July 16, 2018 at the Cyber Security Blog.


Thursday, June 21, 2018

Can Anyone (i.e. any Cyber Security Company or Expert) Help Thousands of Microsoft's Customers MITIGATE the Risk Posed by Mimikatz DCSync?


Over the years, I've asked and answered some of the hardest questions in Active Directory Security, so today I'm only going to ask a question, with the hope that there is someone out there, and I mean anyone, who is the answer to this question!

Here's my Question -
Can Anyone in the World (i.e. any Cyber Security Company or Expert) Out There Help Thousands (1000s) of Microsoft's Organizational Customers Mitigate the Serious Cyber Security Risk Posed by Mimikatz DCSync?


There are 6,000,000,000+ people across 190+ countries worldwide, there are millions of IT personnel employed at 1000s of organizations, there are 1000s of cyber security experts and over a 1000 cyber security companies. I'm looking for just ONE.

By the way, by mitigate, I mean "render Mimikatz DCSync unusable in an AD environment" in that, say in an organization that had 10,000 employees and thus had 10,000 domain user accounts, and say 10 privileged users, even if every single one of these 10,000 accounts had been compromised by a perpetrator, he/she still couldn't use Mimikatz DCSync against their AD.

Also, I'm looking for an answer that's beyond the most obvious answer, which is to not grant anyone the required access. In other words, I'm looking for an answer that will work in every real, production Active Directory domain in the world, you know, wherein various default Active Directory security groups and users are already granted various permissions in Active Directory.

Here's what I've found thus far -
  1. This brilliant, gentle, highly-accomplished cyber security expert developed Mimikatz DCSync
  2. This AD security enthusiast educated the world about its usage, exploitation and detection (but not about its mitigation)
  3. This famous cyber security expert showed an example in action (; Oh my! ;-))
  4. This expert shared some guidance on how to detect it (; if you're detecting it, its likely too late)
  5. These cyber security experts don't seem to know that much about it, or about Active Directory Security
  6. These wonderful folks present an inaccurate script to help detect who can use Mimikatz DCSync
I could go on and on sharing the identities of so many who talk about it, but there isn't a single one who can help mitigate it :-(

Not to mention the 1000+ cyber security companies, including some big names such as (mentioned in no particular order) Palantir, Gemalto, Tanium, Tripwire, CheckPoint, Palo Alto Networks, Symantec, McAfee, Cisco, Kaspersky Labs, CrowdStrike, SentinelOne, BAE Systems, Qualys, Sophos, CyberArk, ZScaler, Preempt, BeyondTrust, Quest, HP, etc. etc.!

Oh, here's the amusing part - in all likelihood, most of these cyber security companies too very likely run on Active Directory, and if I had to guess, I don't think even one of them knows how to, or possesses the means to, mitigate Mimikatz DCSync!

Funny haan? ;-)

Why Does this Matter?

By now, I shouldn't have to tell anyone involved in Active Directory or cyber security why this matters, but I will nonetheless -

Most simply put, should a perpetrator be able to successfully run Mimikatz DCSync against your foundational Active Directory domain, you're DONE, as it would be tantamount to a massive, systemic cyber security breach. The entirety of your user populace's credentials would have been compromised, and the perpetrator would have obtained control over your entire Active Directory forever. It would be time for everyone, including all Domain Admins, the CISO, the CIO and the CEO to find another job (assuming you can find one, considering your resume would highlight your previous employment, and since your previous employer (i.e. the one that was breached) would likely have been all over the news for quite some time, it may perhaps end up being a little difficult to find suitable employment.)

How about an Illustrative Scenario?

Sure, if you'd like one, here you go -  A Massive Breach at a Company whilst it was Considering the Cloud.

A Request

We often come across Domain Admins, and every now and then CISOs, who have no idea what Mimikatz DCSync is, and that is scary. If you are such a Domain Admin / CISO, my earnest request to you would be to immediately learn about it, or, in the best interest of your employer's foundational cyber security, please let someone else take over your vital responsibilities.

Let Me Know

Very well then. If ANYONE in the world knows ANYONE who can help (and by that I mean  possesses the capability to be able to help) thousands of organizations worldwide (easily and correctly) MITIGATE the serious risk posed by Mimikatz DCSync, please let me know. I'm all ears, and I think, so are thousands of organizations worldwide, including perhaps Microsoft too ;-).

In short, I'm looking for someone/thing that could render the extremely powerful and dangerous Mimikatz DCSync, unusable. With 6 billion people, millions of IT and cyber security pros, and a 1000+ cyber security companies worldwide, I'm hopeful.

So if you know of someone (and I mean, anyone) who can do so, please let me know by leaving a comment below.

If I don't get an answer by July 02, perhaps I'll take a shot at the answer, over at -

Best wishes,

PS: On an unrelated note, when you use Windows Update to update your Windows 10 PC every week, do you EVER check to see just what got downloaded? Perhaps you SHOULD, and here's why.

July 03 Update. Here's the answer >

Tuesday, June 19, 2018

Some Interesting Figures from an Active Directory ACL Dump of Security Permissions from a default Windows Server 2016 Active Directory Domain


I had only 2 minutes to blog today, so within the 2 minutes I had, I thought I'd generate, put together and share some interesting figures about the default Active Directory security permissions in a Windows Server 2016 based Active Directory domain.

It took a mere 3 seconds to do a domain-wide ACL dump of a Windows Server 2016 based Active Directory domain -

You can download the entire actual domain-wide ACL dump from here.

Some Interesting Figures

Here are some interesting figures that took a minute to put together -
  • Total number of object classes instantiated in domain partition: 40
  • Total number of Active Directory objects in the domain: 242
  • Total number of Active Directory ACLs (duh, obviously!): 242
  • Total number of Active Directory security permissions (aka ACEs): 6677
  • Total number of explicit Active Directory security permissions: 1323
  • Total number of inherited Active Directory security permissions: 5354  
  • Total number of inherit-only Active Directory security permissions: 3746
  • Total number of unique security principals for whom permissions are specified: 27
  • Total number of objects whose ACLs were marked "Protected" : 20

  • Total number of Allow security permissions: 6677
  • Total number of Deny security permissions: 0
  • Total number of security permissions specified for Domain Admins: 246
  • Total number of security permissions specified for Enterprise Admins: 230
  • Total number of security permissions specified for Administrators: 231
  • Total number of security permissions in the ACL of the AdminSDHolder object: 24
  • Total number of security permissions in the ACL of the domain root object: 53
  • Total number of specific extended rights specified in these security permissions: 19
  • Total number of attribute-specific write-property security permissions: 15

The exact security permissions can be viewed in the downloadable ACL dump (link provided above).

Unique Security Principals

Here's the list of the 27 unique security principals for whom security permissions are granted in the domain -
  1. Pre-Windows 2000 Compatible Access
  2. Cloneable Domain Controllers
  3. Enterprise Read-only Domain Controllers
  4. Domain Controllers
  5. Key Admins
  6. Enterprise Key Admins
  7. Creator Owner
  8. Self
  9. Enterprise Domain Controllers
  10. Administrators
  11. Incoming Forest Trust Builders
  12. Authenticated Users
  13. Domain Admins
  14. Enterprise Admins
  15. Everyone
  16. System
  17. Account Operators
  18. Print Operators
  19. Group Policy Creator Owners
  20. RAS and IAS Servers
  21. Domain Computers
  22. Network Service
  23. Cert Publishers
  24. Windows Authorization Access Group
  25. Terminal Server License Servers
  26. DnsAdmins
  27. DC1 (<domain computer account>)

The exact permissions granted to each one of these security principals can be viewed in the ACL dump (; link provided above).

Instantiated Object Classes

Here's the list of the 40 object classes, instances of which exist in the domain -

  1. Domain-DNS
  2. Container
  3. Organizational-Unit
  4. Lost-And-Found
  5. Infrastructure-Update
  6. ms-DS-Quota-Container
  7. Rpc-Container
  8. File-Link-Tracking
  9. Link-Track-Volume-Table
  10. Link-Track-Object-Move-Table
  11. Domain-Policy
  12. Class-Store
  13. Group-Policy-Container
  14. NTFRS-Settings
  15. Dfs-Configuration
  16. Ipsec-Policy
  17. Ipsec-ISAKMP-Policy
  18. Ipsec-NFA
  19. Ipsec-Negotiation-Policy
  20. Ipsec-Filter
  21. ms-DS-Password-Settings-Container
  22. ms-Imaging-PSPs
  23. TPM-InformationObjectsContainer
  24. User
  25. Builtin-Domain
  26. Group
  27. Foreign-Security-Principal
  28. Sam-Server
  29. Computer
  30. RID-Manager
  31. RID-Set
  32. ms-DFSR-GlobalSettings
  33. ms-DFSR-ReplicationGroup
  34. ms-DFSR-Content
  35. ms-DFSR-ContentSet
  36. ms-DFSR-Topology
  37. ms-DFSR-Member
  38. ms-DFSR-LocalSettings
  39. ms-DFSR-Subscriber
  40. ms-DFSR-Subscription

Each instance of these object classes, and their complete ACLs can also be viewed in the ACL dump (;link provided above).

Permission-Specific Breakdown

Finally, here's a breakdown of the number of security permissions of each Active Directory permission type -
  • Number of security permissions (ACEs) granting Read Control (RC): 1977
  • Number of security permissions (ACEs) granting List Child (LC): 2171
  • Number of security permissions (ACEs) granting List Object (LO): 1968
  • Number of security permissions (ACEs) granting Read Property (RP): 5704
  • Number of security permissions (ACEs) granting Write Property (WP): 2072
  • Number of security permissions (ACEs) granting Create Child (CC): 1001
  • Number of security permissions (ACEs) granting Delete Child (DC): 779
  • Number of security permissions (ACEs) granting Standard Delete (SD): 803
  • Number of security permissions (ACEs) granting Delete Tree (DT): 586
  • Number of security permissions (ACEs) granting Extended Right (CR): 1299
  • Number of security permissions (ACEs) granting Validated Write (SW): 1389
  • Number of security permissions (ACEs) granting Modify Permissions (WD): 978
  • Number of security permissions (ACEs) granting Modify Owner (WO): 978

Finally, the exact ACEs that specify each one of these permissions can also be viewed in the ACL dump (;link provided above).

Detailed Security Permissions Analysis

Time permitting, you can analyze the entire ACL dump to perform detailed Active Directory security permissions analysis. Since the tooling splits the permissions field up into individual columns for permissions, it makes it very easy to analyze these ACLs.

For instance, you can easily find out exactly what security permissions are granted to a specific user or group, or find out exactly which users or groups are granted a specific Active Directory permission. You can also easily identify all inherit-only security permissions, as well as all Allow permissions, Deny permissions, Explicit permissions, Inherited permissions etc. I could go on with many more interesting facts/figures, but I'll stop here because my 2 minutes are up :-).
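The post's own tooling is not shown, so here is an added example of producing the same kind of dump and figures with nothing but the RSAT ActiveDirectory module: it walks every object in the domain partition, flattens each ACE into one record with one column per field, and then computes the explicit/inherited/inherit-only, Allow/Deny, protected-ACL, unique-principal and per-permission counts listed above. The numbers it returns will differ from those in the post for any domain with a different functional level, schema extensions or non-default content; the output file name is an assumption.

```powershell
# Added example (not the post's own tooling). Domain-wide ACL dump and statistics
# using the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DomainAceDump {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $objects = Get-ADObject -Filter * -SearchBase $SearchBase -Properties objectClass
    foreach ($obj in $objects) {
        $acl = Get-Acl -LiteralPath "AD:\$($obj.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                Object              = $obj.DistinguishedName
                ObjectClass         = $obj.ObjectClass
                AclProtected        = $acl.AreAccessRulesProtected       # inheritance blocked here
                Identity            = $ace.IdentityReference.Value
                Type                = $ace.AccessControlType              # Allow / Deny
                Rights              = $ace.ActiveDirectoryRights          # bitmask of permission flags
                ObjectType          = $ace.ObjectType                     # attribute, class or extended-right GUID
                InheritedObjectType = $ace.InheritedObjectType
                IsInherited         = $ace.IsInherited
                # Inherit-only ACEs exist solely to be inherited by descendants.
                InheritOnly         = $ace.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)
            }
        }
    }
}

function Get-AceStatistics {
    param([Parameter(Mandatory)][object[]]$Aces)
    $stats = [ordered]@{
        Objects       = @($Aces.Object   | Sort-Object -Unique).Count
        ObjectClasses = @($Aces.ObjectClass | Sort-Object -Unique).Count
        Aces          = $Aces.Count
        Explicit      = @($Aces | Where-Object { -not $_.IsInherited }).Count
        Inherited     = @($Aces | Where-Object IsInherited).Count
        InheritOnly   = @($Aces | Where-Object InheritOnly).Count
        Allow         = @($Aces | Where-Object Type -eq 'Allow').Count
        Deny          = @($Aces | Where-Object Type -eq 'Deny').Count
        ProtectedAcls = @($Aces | Where-Object AclProtected | Select-Object -ExpandProperty Object | Sort-Object -Unique).Count
        Principals    = @($Aces.Identity | Sort-Object -Unique).Count
        # Distinct extended rights that are named explicitly (an empty GUID means "all").
        SpecificExtendedRights = @($Aces |
            Where-Object { $_.Rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and $_.ObjectType -ne [guid]::Empty } |
            Select-Object -ExpandProperty ObjectType | Sort-Object -Unique).Count
    }
    # Per-permission breakdown. GenericAll/GenericRead/GenericWrite set these bits too, so
    # an ACE granting GenericAll is counted under every flag, as the post's figures do.
    foreach ($flag in 'ReadControl', 'ListChildren', 'ListObject', 'ReadProperty', 'WriteProperty',
                      'CreateChild', 'DeleteChild', 'Delete', 'DeleteTree', 'ExtendedRight', 'Self',
                      'WriteDacl', 'WriteOwner') {
        $bit = [System.DirectoryServices.ActiveDirectoryRights]$flag
        $stats["Grants_$flag"] = @($Aces | Where-Object { $_.Rights.HasFlag($bit) }).Count
    }
    [pscustomobject]$stats
}

$dump = Get-DomainAceDump
$dump | Export-Csv -Path .\domain-acl-dump.csv -NoTypeInformation   # one row per ACE, one column per field
Get-AceStatistics -Aces $dump | Format-List

# The follow-up questions the post mentions, answered from the same dump:
# how many ACEs name Domain Admins, and who holds Modify Permissions anywhere in the domain.
@($dump | Where-Object Identity -like '*\Domain Admins').Count
$dump | Where-Object { $_.Rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl) } |
    Select-Object -ExpandProperty Identity | Sort-Object -Unique
```

Two things to keep in mind when reading the figures: `Self` is the validated-write (SW) flag, and `Delete` is the standard delete (SD) flag, matching the two-letter codes in the breakdown above; and a raw count of who is granted WriteDacl, like every other number here, is a permissions inventory, not a statement of who can effectively do what, because Deny ACEs, ownership and group nesting are not resolved by counting ACEs.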

BTW, this is super easy and what we consider child's play (which is also why I didn't want to give this more than 2 minutes of my time.) Since it took just 3 seconds to dump these ACLs, I was happy to give it 2 minutes ; Oh, and we use our own tooling.

Alright then, my 2 minutes are up, so back to work.