Score:-1

How can I see who has the permission to retrieve Active Directory data?

I discovered sensitive data within my Active Directory groups in the "description" field. How can I see which users have read access to that data?

Semicolon avatar
jo flag
asking and answering your own question in under a minute?
ar flag
"To be crystal clear, it is not merely OK to ask and answer your own question, it is explicitly encouraged." https://stackoverflow.blog/2011/07/01/its-ok-to-ask-and-answer-your-own-questions/
Semicolon avatar
jo flag
And now I know. Thank you.
Score:2

The "List contents" permission is used to list the entries within Active Directory and the "Read all properties" permission is used to read the contents. By default, "Authenticated Users" are given both "List contents" and "Read all properties" permissions. You can examine the permissions for "Authenticated Users" directly by doing the following:

  1. Launch "Active Directory Users and Computers"
  2. Click the menu: View -> Advanced Features
  3. Right click on "Domain Tree" and select "Properties"
  4. Click the "Security" tab
  5. Click on "Advanced"
  6. Click on the "Effective Access" tab
  7. Click on "Select a user" and enter "Authenticated Users"
  8. Click on "View Effective Access"
  9. You can see that "List contents" and "Read all properties" are both checked to be available.
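
A scripted version of the same check, as an added example that is not part of the original answer: it lists the Allow ACEs on each group that cover reading the "description" attribute. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the DACLs. It does not evaluate Deny ACEs or nested group membership, so use the "Effective Access" tab to confirm the result for a specific principal.

```powershell
# Added example: who is allowed to read the "description" attribute of groups?
# Assumes the ActiveDirectory module (RSAT), which also provides the AD: drive.
Import-Module ActiveDirectory

# Look up the schema GUIDs for "description" rather than hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=description)' `
    -Properties schemaIDGUID, attributeSecurityGUID

# An ACE covers the attribute if its ObjectType is:
#   - the empty GUID (applies to all properties, i.e. "Read all properties"),
#   - the attribute's own schemaIDGUID, or
#   - the property set the attribute belongs to (attributeSecurityGUID), if any.
$readGuids = @([guid]::Empty, [guid]$attr.schemaIDGUID)
if ($attr.attributeSecurityGUID) {
    $readGuids += [guid]$attr.attributeSecurityGUID
}

# ReadProperty is also contained in GenericRead and GenericAll,
# so a bitwise test catches those ACEs as well.
$readProperty = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

# Only groups that actually have a description set.
Get-ADGroup -LDAPFilter '(description=*)' | ForEach-Object {
    $group = $_
    (Get-Acl -Path "AD:\$($group.DistinguishedName)").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $readProperty) -and
            ($readGuids -contains $_.ObjectType)
        } |
        Select-Object @{ Name = 'Group'; Expression = { $group.Name } },
            IdentityReference, ActiveDirectoryRights, IsInherited
} | Sort-Object Group, IdentityReference | Format-Table -AutoSize
```

Rows whose IdentityReference is "NT AUTHORITY\Authenticated Users" correspond to the default permission described above.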