Hello,

I am fairly new to the Cybersecurity Field (just coming up on my anniversary actually). I am currently a Data Security Analyst and I am working on a project to ensure our users’ access follows the principle of least privilege. Our security team is very small, and we inherited (from previous administrators) kind of a monster in AD. We have thousands of AD groups that grant folder permissions (and many of these groups do not even have descriptions detailing what access they grant), which as you can imagine is very complicated to be the administrator for.

I wanted to take on a project to organize AD and implement a sort of role-based access control, where AD groups are more obvious and instead of having thousands of them, we can just have them based on a user’s role. This group would then grant users access to only the folders they need access to.

To tackle this, I was wondering if there is a PowerShell script that will find what folder permissions a particular AD group has and export that into a CSV. For instance, this AD group has modify access to these folders. I am not very familiar with PowerShell (trying to learn) so I am not even sure if what I am looking for is possible.

I’d appreciate any recommendations 🙂

3 Spice ups
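The kind of script asked for above, added here as an example that is not part of the original thread or any of the tools the replies mention. It walks one or more folder trees, keeps only the ACEs granted to the named group, and writes them to CSV; with -IncludeNested it also matches the groups this group is transitively a member of, since an ACE on a parent group applies to the role group too. The group name, share roots and output path are assumptions, and nested resolution needs the RSAT ActiveDirectory module.

```powershell
<#
  Added example (not from the original thread): report which folders an AD
  group is granted access to, and how, then export the result to CSV.

  Assumptions (not from the thread): a group such as ROLE-Finance in the
  current domain, share roots such as \\fileserver\Dept, and the RSAT
  ActiveDirectory module installed if -IncludeNested is used.
#>
param(
    [Parameter(Mandatory)] [string]   $GroupName,                 # e.g. 'ROLE-Finance'
    [Parameter(Mandatory)] [string[]] $RootPath,                  # e.g. '\\fileserver\Dept'
    [string] $Domain  = $env:USERDOMAIN,                          # NetBIOS name as it appears in ACEs
    [string] $OutFile = ".\$GroupName-folder-permissions.csv",
    [switch] $IncludeNested                                       # also match groups this group is nested in
)

# Identities to look for: the group itself plus, optionally, every group it is a
# member of (walked transitively), because an ACE on a parent group grants the
# same access to the members of the child group.
$identities = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
[void]$identities.Add("$Domain\$GroupName")

if ($IncludeNested) {
    Import-Module ActiveDirectory -ErrorAction Stop
    $queue = [System.Collections.Queue]::new()
    $queue.Enqueue((Get-ADGroup -Identity $GroupName -Properties MemberOf))
    while ($queue.Count -gt 0) {
        $g = $queue.Dequeue()
        foreach ($dn in $g.MemberOf) {
            $parent = Get-ADGroup -Identity $dn -Properties MemberOf
            if ($identities.Add("$Domain\$($parent.SamAccountName)")) {
                $queue.Enqueue($parent)      # each parent is walked once, so cycles terminate
            }
        }
    }
}

$rows   = [System.Collections.Generic.List[object]]::new()
$errors = [System.Collections.Generic.List[string]]::new()

foreach ($root in $RootPath) {
    # Directories only; -Force includes hidden folders; unreadable folders are
    # collected so the report is honest about its blind spots.
    $walkErr = @()
    $dirs = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable walkErr)
    foreach ($e in $walkErr) { $errors.Add([string]$e.TargetObject) }

    foreach ($dir in $dirs) {
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName
        } catch {
            $errors.Add($dir.FullName)
            continue
        }
        foreach ($ace in $acl.Access) {
            if (-not $identities.Contains($ace.IdentityReference.Value)) { continue }
            $rows.Add([pscustomobject]@{
                Folder      = $dir.FullName
                Identity    = $ace.IdentityReference.Value     # the group that actually carries the ACE
                AccessType  = $ace.AccessControlType           # Allow or Deny
                Rights      = $ace.FileSystemRights            # Modify, ReadAndExecute, FullControl, ...
                IsInherited = $ace.IsInherited                 # $false = explicit ACE; review these first
                AppliesTo   = "$($ace.InheritanceFlags)/$($ace.PropagationFlags)"
                Owner       = $acl.Owner
            })
        }
    }
}

$rows | Sort-Object Folder, Identity | Export-Csv -LiteralPath $OutFile -NoTypeInformation -Encoding UTF8
"Wrote $($rows.Count) ACE rows for $($identities.Count) identity(ies) to $OutFile"
if ($errors.Count) { "Could not read $($errors.Count) folder(s); first few:"; $errors | Select-Object -First 5 }
```

Run it from an account that can read the ACLs of the trees you point it at, for example `.\Get-GroupFolderAccess.ps1 -GroupName ROLE-Finance -RootPath '\\fileserver\Dept','\\fileserver\Projects' -IncludeNested`. In the CSV, filtering on IsInherited = False shows the folders where a grant was actually made rather than inherited, which is where a least-privilege review should start; a Deny row that appears above an Allow row for the same folder is also worth a second look.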

Take a look at the 3rd party utility called SetACL. It’s a great little utility that I have used in the past to generate a report of all ACLs on a share. It will generate a report for you that you can then filter and sort in Excel.

That’s the trick, see. In order to make these “role” groups, where a user is a member of a single group to do their job, you need all these other groups in the background that do the heavy lifting. I mean - if you want to make it easy to manage later on, anyway.

“Getting rid of all these groups,” usually comes from somebody who has a different background, doesn’t feel comfortable with AD, gets lost in the OUs, doesn’t know a global group from a domain local group, and isn’t great with how nesting works. Usually - somebody who infrequently (if ever) actually manages access to the resources, who infrequently pops into ADUC and just wants it to “look better.” Not saying that’s you, but it’s not the first time I’ve seen or heard the proposal; I’ve seen it dozens of times before, and they all get shot down because while they look pretty, they do not survive first contact with reality.

Using a single group everywhere (file permissions, computer local groups, group policy targeting, SQL permissions, LDAP filters for integrated applications, federated or synchronized identity providers, SAML/SCIM-enabled third party applications, hosted web providers, etc.) is just not scalable.

Not documenting the groups - yeah, that’s a deal breaker. But lacking documentation, there should always be a naming standard for groups – the groups that live behind the scenes that nobody sees – and somebody familiar with the environment should be able to ascertain what the group is used for by looking at it. I would say that for at least 90% of my groups, my colleagues should be able to determine exactly what each group is used for just by the name. Doesn’t matter though, descriptions are a must.

As for a script - nah. You want a dedicated tool for this – a former community member released one a while back; I still use it from time to time: Cjwdev | NTFS Permissions Reporter

The Microsoft tool dsacls.exe may help with reporting Active Directory permissions (either explicitly given or through the OU delegation wizard).

dsacls "OU=TestOU,DC=domain,dc=com" will list the AD permissions on TestOU; the distinguished name should be provided as the parameter.
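A PowerShell counterpart to the dsacls command above, added as an example that is not part of the original thread: it reads the ACL of an OU through the AD: drive, translates the object-type GUIDs that Get-Acl returns into the attribute, class and extended-right names dsacls prints, and exports the rows to CSV. The OU DN is the one from the reply and the output path is an assumption; it needs the RSAT ActiveDirectory module.

```powershell
<#
  Added example (not from the original thread): export an OU's ACL, as dsacls
  would list it, to CSV with friendly names for object-specific rights.
  Assumptions (not from the thread): the RSAT ActiveDirectory module is
  installed and the OU DN below exists in your domain.
#>
param(
    [string] $ObjectDN = 'OU=TestOU,DC=domain,DC=com',   # DN from the reply; replace with your own
    [string] $OutFile  = '.\ou-delegation.csv',
    [switch] $ExplicitOnly                                 # drop inherited ACEs to see what was delegated here
)

Import-Module ActiveDirectory -ErrorAction Stop   # also mounts the AD: drive that Get-Acl uses below

# Get-Acl reports object-specific rights as GUIDs. Build a GUID -> name map from
# the schema (attributes and classes) and the Extended-Rights container
# (control access rights such as Reset Password), as dsacls does internally.
$rootDse  = Get-ADRootDSE
$guidName = @{}
$guidName[[guid]::Empty] = 'All'
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidName[[guid]$_.rightsGuid] = $_.displayName }

# Fall back to the raw GUID if a lookup ever misses, so nothing is silently blank.
function Resolve-Guid([guid] $g) { if ($guidName.ContainsKey($g)) { $guidName[$g] } else { $g.ToString() } }

$acl  = Get-Acl -Path "AD:\$ObjectDN"
$rows = foreach ($ace in $acl.Access) {
    if ($ExplicitOnly -and $ace.IsInherited) { continue }
    [pscustomobject]@{
        Object          = $ObjectDN
        Identity        = $ace.IdentityReference.Value
        AccessType      = $ace.AccessControlType
        Rights          = $ace.ActiveDirectoryRights          # GenericAll, WriteProperty, ExtendedRight, ...
        AppliesTo       = Resolve-Guid $ace.ObjectType        # attribute, class or extended right, or 'All'
        InheritedObject = Resolve-Guid $ace.InheritedObjectType   # object class the ACE inherits to, or 'All'
        Inheritance     = $ace.InheritanceType
        IsInherited     = $ace.IsInherited
    }
}

$rows | Export-Csv -LiteralPath $OutFile -NoTypeInformation -Encoding UTF8
"Wrote $(@($rows).Count) ACE rows for $ObjectDN to $OutFile"
```

Running it with -ExplicitOnly is the quickest way to see what the delegation wizard (or a previous administrator) granted directly on that OU, as opposed to what flows down from the domain head; rows whose Rights include GenericAll, WriteDacl or WriteOwner for identities other than the built-in admin groups are the ones to review against the principle of least privilege.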