I had only 2 minutes to blog today, so within the 2 minutes I had, I thought I'd generate, put together and share some interesting figures about the default Active Directory security permissions in a Windows Server 2016 based Active Directory domain.
It took a mere 3 seconds to do a domain-wide ACL dump of a Windows Server 2016 based Active Directory domain -
[Figure: Active Directory Domain-wide ACL Dump]
Domain-wide ACL Dump Download URL
You can download the entire actual domain-wide ACL dump from here.
Some Interesting Figures
Here are some interesting figures that took a minute to put together -
- Total number of object classes instantiated in domain partition: 40
- Total number of Active Directory objects in the domain: 242
- Total number of Active Directory ACLs (duh, obviously!): 242
- Total number of Active Directory security permissions (aka ACEs): 6677
- Total number of explicit Active Directory security permissions: 1323
- Total number of inherited Active Directory security permissions: 5354
- Total number of inherit-only Active Directory security permissions: 3746
- Total number of unique security principals for whom permissions are specified: 27
- Total number of objects whose ACLs were marked "Protected" : 20
- Total number of Allow security permissions: 6677
- Total number of Deny security permissions: 0
- Total number of security permissions specified for Domain Admins: 246
- Total number of security permissions specified for Enterprise Admins: 230
- Total number of security permissions specified for Administrators: 231
- Total number of security permissions in the ACL of the AdminSDHolder object: 24
- Total number of security permissions in the ACL of the domain root objects: 53
- Total number of specific extended rights specified in these security permissions: 19
- Total number of attribute-specific write-property security permissions: 15
The exact security permissions can be viewed in the downloadable ACL dump (link provided above).
Unique Security Principals
Here's the list of the 27 unique security principals for whom security permissions are granted in the domain -
[Figure: list of the 27 unique security principals]
The exact permissions granted to each one of these security principals can be viewed in the ACL dump (link provided above).
Instantiated Object Classes
Here's the list of the 40 object classes, instances of which exist in the domain -
[Figure: list of the 40 instantiated object classes]
Each instance of these object classes, and its complete ACL, can also be viewed in the ACL dump (link provided above).
Permission-Specific Breakdown
Finally, here's a breakdown of the number of security permissions of each Active Directory permission type -
- Number of security permissions (ACEs) granting Read Control (RC): 1977
- Number of security permissions (ACEs) granting List Child (LC): 2171
- Number of security permissions (ACEs) granting List Object (LO): 1968
- Number of security permissions (ACEs) granting Read Property (RP): 5704
- Number of security permissions (ACEs) granting Write Property (WP): 2072
- Number of security permissions (ACEs) granting Create Child (CC): 1001
- Number of security permissions (ACEs) granting Delete Child (DC): 779
- Number of security permissions (ACEs) granting Standard Delete (SD): 803
- Number of security permissions (ACEs) granting Delete Tree (DT): 586
- Number of security permissions (ACEs) granting Extended Right (CR): 1299
- Number of security permissions (ACEs) granting Validated Write (SW): 1389
- Number of security permissions (ACEs) granting Modify Permissions (WD): 978
- Number of security permissions (ACEs) granting Modify Owner (WO): 978
The exact ACEs that specify each one of these permissions can also be viewed in the ACL dump (link provided above).
Detailed Security Permissions Analysis
Time permitting, you can analyze the entire ACL dump to perform a detailed Active Directory security permissions analysis. Since the tooling splits the permissions field into individual columns, one per permission, these ACLs are very easy to analyze.
For instance, you can easily find out exactly what security permissions are granted to a specific user or group, or find out exactly which users or groups are granted a specific Active Directory permission. You can also easily identify all inherit-only security permissions, as well as all Allow permissions, Deny permissions, explicit permissions, inherited permissions, and so on. I could go on with many more interesting facts/figures, but I'll stop here because my 2 minutes are up :-).
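As an added example (not the author's tooling, which is not shown on this page), the following Python script computes the same categories of figures from ACEs written in Windows SDDL string form, and answers the "which principals hold right X" question. The sample ACEs are constructed for illustration, their GUIDs are placeholders, and the script assumes the rights field uses two-letter SDDL codes rather than a hex mask.

```python
from collections import Counter
# SDDL two-letter codes for the rights counted above (WRITE_OWNER is WO, WRITE_DAC is WD).
RIGHT_CODES = "RC LC LO RP WP CC DC SD DT CR SW WD WO".split()

def parse_ace(ace):
    """Split one SDDL ACE '(type;flags;rights;objGuid;inhGuid;trustee)'."""
    fields = ace.strip("()").split(";")
    if len(fields) != 6 or fields[2].startswith("0x"):
        raise ValueError(f"unsupported ACE layout (hex masks not decoded): {ace}")
    ace_type, flags, rights, obj_guid, _inh_guid, trustee = fields
    pairs = lambda s: {s[i:i + 2] for i in range(0, len(s), 2)}
    return {"allow": ace_type in ("A", "OA"),
            "inherited": "ID" in pairs(flags),     # propagated from a parent object
            "inherit_only": "IO" in pairs(flags),  # applies to children only
            "rights": pairs(rights) & set(RIGHT_CODES),
            "object_guid": obj_guid, "trustee": trustee}

def summarize(acl):
    """Compute the post's categories of figures for a list of SDDL ACEs."""
    aces = [parse_ace(a) for a in acl]
    per_right = Counter(r for a in aces for r in a["rights"])
    guids = lambda code: {a["object_guid"] for a in aces
                          if code in a["rights"] and a["object_guid"]}
    return {"total": len(aces),
            "explicit": sum(not a["inherited"] for a in aces),
            "inherited": sum(a["inherited"] for a in aces),
            "inherit_only": sum(a["inherit_only"] for a in aces),
            "allow": sum(a["allow"] for a in aces),
            "deny": sum(not a["allow"] for a in aces),
            "per_principal": Counter(a["trustee"] for a in aces),
            "per_right": {r: per_right[r] for r in RIGHT_CODES},
            "extended_rights": len(guids("CR")),   # distinct specific control-access rights
            "attribute_writes": len(guids("WP"))}  # distinct attribute-specific writes

def who_has(acl, code):
    """Trustees allowed a given right (e.g. 'WD') anywhere in the dump."""
    return sorted({a["trustee"] for a in map(parse_ace, acl)
                   if a["allow"] and code in a["rights"]})

# Constructed sample; GUIDs are placeholders, trustees are SDDL aliases (DA/EA/BA =
# Domain/Enterprise Admins, Administrators; AU = Authenticated Users; PS = Self; AN = Anonymous).
SAMPLE_ACL = [
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)",                     # explicit full control
    "(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA)",                   # explicit, inheritable
    "(A;CIID;LCRPLORC;;;AU)",                                   # inherited read
    "(OA;CIIOID;WP;00000000-0000-0000-0000-0000000000a1;;PS)",  # inherited, inherit-only
    "(OA;;CR;00000000-0000-0000-0000-0000000000c1;;BA)",        # explicit extended right
    "(D;;WD;;;AN)",                                             # explicit deny
]
```

Running `summarize(SAMPLE_ACL)` on the constructed dump yields 6 ACEs, 4 explicit, 2 inherited, 1 inherit-only, 5 Allow and 1 Deny.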
BTW, this is super easy and what we consider child's play (which is also why I didn't want to give this more than 2 minutes of my time). Since it took just 3 seconds to dump these ACLs, I was happy to give it 2 minutes. Oh, and we use our own tooling.
Alright then, my 2 minutes are up, so back to work.
Thanks,
Sanjay