How can I see who has the permission to retrieve Active Directory data?
I discovered sensitive data within my Active Directory groups in the "description" field. How can I see which users have read access to that data?
Solution 1:
The "List contents" permission is used to list the entries within Active Directory and the "Read all properties" permission is used to read the contents. By default, "Authenticated Users" are given both "List contents" and "Read all properties" permissions. You can examine the permissions for "Authenticated Users" directly by doing the following:
- Launch "Active Directory Users and Computers"
- Click the menu: View -> Advanced Features
- Right click on "Domain Tree" and select "Properties"
- Click the "Security" tab
- Click on "Advanced"
- Click on the "Effective Access" tab
- Click on "Select a user" and enter "Authenticated Users"
- Click on "View Effective Access"
- You can see that "List contents" and "Read all properties" are both checked to be available.