How can I see who has the permission to retrieve Active Directory data?

I discovered sensitive data within my Active Directory groups in the "description" field. How can I see which users have read access to that data?


Solution 1:

The "List contents" permission is used to list the entries within Active Directory and the "Read all properties" permission is used to read the contents. By default, "Authenticated Users" are given both "List contents" and "Read all properties" permissions. You can examine the permissions for "Authenticated Users" directly by doing the following:

  1. Launch "Active Directory Users and Computers"
  2. Click the menu: View -> Advanced Features
  3. Right-click on "Domain Tree" and select "Properties"
  4. Click the "Security" tab
  5. Click on "Advanced"
  6. Click on the "Effective Access" tab
  7. Click on "Select a user" and enter "Authenticated Users"
  8. Click on "View Effective Access"
  9. You can see that "List contents" and "Read all properties" are both checked to be available.
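The GUI steps above show effective access for one principal at a time. As an added example (not part of the original answer), the following PowerShell script does the complementary check from the ACL side: for each group that has a non-empty description, it lists every Allow entry that grants "Read all properties" or a property-specific read of the description attribute, and separately flags any Deny entries. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the objects' security descriptors; `-SearchBase` is a placeholder to replace with your own OU or domain DN.

```powershell
# Added example, not code from the original answer.
# Lists which principals hold ACEs that allow reading the "description"
# attribute on AD groups. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of the "description" attribute from the schema
# instead of hard-coding it, so the script works on any forest.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$descAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=description)" -Properties schemaIDGUID
$descGuid = [guid]$descAttr.schemaIDGUID
$allGuid  = [guid]::Empty   # an all-zero ObjectType means "applies to all properties"

# ReadProperty is the bit behind "Read all properties"; GenericRead and
# GenericAll both include it, so a bitwise test catches all three.
$readBit = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

function Get-DescriptionReaders {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)

    foreach ($ace in $acl.Access) {
        $grantsRead   = ($ace.ActiveDirectoryRights -band $readBit) -ne 0
        $coversDesc   = ($ace.ObjectType -eq $allGuid) -or ($ace.ObjectType -eq $descGuid)
        if (-not ($grantsRead -and $coversDesc)) { continue }

        [pscustomobject]@{
            Object      = $DistinguishedName
            Principal   = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType          # Allow or Deny
            Scope       = if ($ace.ObjectType -eq $allGuid) { 'All properties' } else { 'description only' }
            Inherited   = $ace.IsInherited
        }
    }
}

# Placeholder search base: replace with the OU or domain DN you care about.
$SearchBase = "OU=Groups,DC=example,DC=com"

# Only groups that actually carry a description are worth reviewing.
$groups = Get-ADGroup -SearchBase $SearchBase -Filter 'description -like "*"' -Properties description

$results = foreach ($g in $groups) { Get-DescriptionReaders -DistinguishedName $g.DistinguishedName }

"=== Principals with an Allow ACE covering 'description' ==="
$results | Where-Object Type -eq 'Allow' |
    Sort-Object Principal, Object | Format-Table Object, Principal, Scope, Inherited -AutoSize

# Deny entries take precedence over Allow; surface them so the reader can
# reconcile this list with the Effective Access tab rather than assume.
"=== Deny ACEs on 'description' (override the Allow entries above) ==="
$results | Where-Object Type -eq 'Deny' | Format-Table Object, Principal, Scope -AutoSize
```

This lists ACEs, not effective permissions: it does not expand nested group membership, so an entry for "Authenticated Users" or "Domain Users" means every member of those groups can read the field, exactly as the answer describes for the default inheritance. Use the Effective Access tab (steps 6 to 8 above) when you need the resolved result for one specific account.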