4.1 - Access Control (ACL/ACE)
Access Control List (ACL)
An Access Control List (ACL) is a collection of rules that specify access permissions for an object in Active Directory. Every AD object (users, groups, organizational units, shared resources, etc.) has an associated ACL that determines who can access it and what operations they can perform.
There are two main types of ACLs:
Discretionary Access Control List (DACL) – Defines which users or groups are allowed or denied access.
System Access Control List (SACL) – Used for auditing access attempts.
Example: Viewing ACLs in PowerShell
To view the ACL of an AD object, you can use PowerShell:
Import-Module ActiveDirectory   # provides Get-ADUser and the AD: PSDrive used below
$object = Get-ADUser -Identity "JohnDoe"
(Get-Acl -Path "AD:$($object.DistinguishedName)").Access
This command retrieves the ACL entries for the user JohnDoe.
Access Control Entry (ACE)
An Access Control Entry (ACE) is an individual rule within an ACL that defines specific permissions granted or denied to a user or group.
Each ACE includes:
The Security Principal (user, group, or computer to which permissions apply).
The Access Mask (specific permissions such as read, write, delete, etc.).
The Access Type (Allow or Deny).
Example: Understanding ACEs
An ACE might specify that:
User Alice has Full Control over an Organizational Unit (OU).
Group HelpDesk has Read and Write permissions on certain user attributes.
User Bob is explicitly denied the ability to delete an object.
Managing ACLs and ACEs in Active Directory
Administrators can modify ACLs and ACEs using graphical tools like Active Directory Users and Computers (ADUC) or command-line tools like PowerShell.
Viewing ACLs in GUI
Open Active Directory Users and Computers (ADUC).
Enable Advanced Features (View > Advanced Features).
Right-click an object and go to Properties > Security tab.
Modifying ACLs Using PowerShell
To add an ACE granting a user full control over an object:
Import-Module ActiveDirectory   # provides the AD: PSDrive used by Get-Acl / Set-Acl
$acl = Get-Acl "AD:CN=JohnDoe,OU=Users,DC=example,DC=com"
$identity = New-Object System.Security.Principal.NTAccount("example.com\Alice")
$permission = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll   # full control
$accessRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($identity, $permission, "Allow")
$acl.AddAccessRule($accessRule)
Set-Acl -Path "AD:CN=JohnDoe,OU=Users,DC=example,DC=com" -AclObject $acl
This script grants Alice full control over the user JohnDoe.
Best Practices for Managing ACLs and ACEs
Follow the Principle of Least Privilege (PoLP) – Assign only the necessary permissions to users and groups.
Use Groups Instead of Individual Users – Assign permissions to security groups instead of specific users to simplify management.
Monitor and Audit ACL Changes – Regularly review ACLs and configure SACLs to track changes and access attempts.
Avoid Explicit Deny ACEs – Use Allow rules whenever possible, as a Deny ACE overrides any Allow ACE granting the same right and makes the effective permissions harder to reason about.
Regularly Review ACLs – Periodically check permissions to remove unnecessary access and improve security.
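As an added example (not part of the original page), the following function reviews one object's DACL against the practices above: it flags explicit Deny ACEs, ACEs granted directly to a user account rather than a group, and control-equivalent rights (GenericAll, WriteDacl, WriteOwner) held by principals outside a list of expected administrative groups. It assumes the RSAT ActiveDirectory module; the distinguished name and the expected-controller list are placeholders to adapt to your forest.

```powershell
# Added example: audit one AD object's DACL against the best practices listed above.
# Assumes the RSAT ActiveDirectory module (provides the AD: PSDrive and Get-ADObject).
Import-Module ActiveDirectory

function Test-ADObjectDacl {
    param(
        [Parameter(Mandatory)] [string]$DistinguishedName,
        # Principals expected to hold control-equivalent rights (placeholder list; adjust per forest)
        [string[]]$ExpectedControllers = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'SYSTEM')
    )
    $ADR = [System.DirectoryServices.ActiveDirectoryRights]
    $acl = Get-Acl -Path "AD:$DistinguishedName"

    foreach ($ace in $acl.Access) {
        $trustee = $ace.IdentityReference.Value          # e.g. "EXAMPLE\HelpDesk" or "NT AUTHORITY\SYSTEM"
        $name    = $trustee.Split('\')[-1]
        $rights  = $ace.ActiveDirectoryRights
        $findings = @()

        # Practice: avoid explicit Deny ACEs, which override every Allow for the same right.
        if ($ace.AccessControlType -eq 'Deny') { $findings += 'ExplicitDeny' }

        # Practice: grant to groups, not individual users. Resolve the trustee's object class.
        $principal = Get-ADObject -Filter { sAMAccountName -eq $name } -ErrorAction SilentlyContinue
        if ($principal -and $principal.ObjectClass -eq 'user') { $findings += 'DirectUserGrant' }

        # Practice: least privilege. GenericAll, WriteDacl or WriteOwner let the holder take over
        # the object, so anyone outside the expected set holding them is worth a second look.
        $isControl = $rights.HasFlag($ADR::GenericAll) -or
                     $rights.HasFlag($ADR::WriteDacl)  -or
                     $rights.HasFlag($ADR::WriteOwner)
        if ($isControl -and ($ExpectedControllers -notcontains $name)) {
            $findings += 'UnexpectedControlRights'
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Trustee   = $trustee
                Rights    = $rights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited      # inherited ACEs point at a parent OU/container to fix
                Findings  = ($findings -join ',')
            }
        }
    }
}

# Usage (placeholder DN):
Test-ADObjectDacl -DistinguishedName 'CN=JohnDoe,OU=Users,DC=example,DC=com' | Format-Table -AutoSize
```

Run it per object or pipe a list of distinguished names from Get-ADObject into it to sweep an OU; inherited findings usually need to be fixed on the parent container rather than the object itself.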
Enumerate ACL/ACE using PowerView
Get the ACLs associated with the specified object
Get-DomainObjectAcl -SamAccountName student1 -ResolveGUIDs
Get the ACLs associated with the specified prefix to be used for search
Get-DomainObjectAcl -SearchBase "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose
Get the ACLs associated for Domain Admins
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs -Verbose
Analyze Trust Relationships (Displays trust relationships between domains)
Get-NetDomainTrust
Check ACLs on AD Objects (Shows ACLs for a specific user account, resolving GUIDs to human-readable names)
Get-ObjectAcl -SamAccountName "Administrator" -ResolveGUIDs
Search for interesting ACEs
Find-InterestingDomainAcl -ResolveGUIDs
Get ACLs where a given student account (here student867) has interesting permissions
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "student867"}
Get the ACLs associated with the specified path
Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"
Another good way is using BloodHound.
Labs
Refers to Learning Object 2 lab