Buy

Home > Products > Gold Finger > Active Directory Effective Permissions Calculator

❮ ❯

Active Directory Effective Permissions Calculator

The world's only cyber security solution that can accurately calculate effective permissions in Active Directory.

"We are very pleased to see Paramount Defenses, a valued Microsoft partner, offer an innovative security solution (in Gold Finger) that helps enhance security and compliance in Active Directory environments."

Charles Coates, Senior Product Manager
Identity and Security Business Group

Overview

Organizations have a fundamental cyber security need to be able to accurately calculate effective permissions in Active Directory to secure and defend Active Directory, control and lockdown privileged access in Active Directory, implement Privileged Access Management (PAM), attain and maintain Least Privileged Access (LPA) and Zero Trust, securely manage identities and access in AD, and fulfill numerous Governance Risk and Compliance (GRC) requirements.

Active Directory Effective Permissions Calculator is a unique tool designed by former Microsoft Program Manager for Active Directory Security to help IT groups and personnel easily, instantly and trustworthily fulfill this need.

It automates the accurate determination of effective permissions (aka effective access) on Active Directory objects, to help identify exactly who actually has what access on an Active Directory object, and how, all at the touch of a button.

Unrivaled Active Directory Effective Permissions Capability

Instant, Accurate
Effective Permissions Calculation

There is one and only one correct way to accurately assess access in Active Directory and that involves accurately determining effective permissions on Active Directory objects. Unfortunately, doing so accurately is very difficult.

Our Active Directory Effective Permissions Calculator is the world's only tooling that can automatically accurately calculate effective permissions on an Active Directory object, and identify exactly who has which effective permissions, and how on any Active Directory object.

It also identifies the underlying security permissions and security group memberships that enable all such identified effective permissions, enabling organizations to quickly and easily lockdown excessive permissions in Active Directory.

Our Active Directory Effective Permissions Calculator can thus deliver instant, accurate effective permissions insights and uniquely enable you to find out exactly who has what effective permissions in Active Directory, and how.

Active Directory Effective Permissions Assessment

Fulfills a Fundamental
Active Directory Security Need

The need to know exactly who has what access on an Active Directory object is absolutely fundamental to its security.

Active Directory contains the entirety of an organization's building blocks of cyber security i.e domain user accounts, domain computer accounts and domain security groups, each one of them represented as an Active Directory object.

Each and every single Active Directory object is protected by the security permissions specified in its access control list (ACL), and it is the resulting (effective) set of permissions that determine who actually has what access on that object.

Consequently, it is the actual set of Active Directory Effective Permissions that users have on an Active Directory object that governs and control exactly who has what access, and thus who can do what on that Active Directory object.

Thus, the only way to know who actually has what access on an Active Directory object, and in fact on every single one of them, including who has what privileged access, is by determining effective permissions on Active Directory objects.

From every privileged account to every employee's account, and from Domain Admins to every group in Active Directory, not a single object in Active Directory can be secured without knowing exactly who has what effective permissions on it.

The need to be able to accurately determine effective permissions on Active Directory objects is thus fundamental.

Our Microsoft-endorsed Active Directory Effective Permissions Calculator uniquely enables organizations worldwide to be able to accurately calculate effective permissions on Active Directory objects, and thus fulfills a fundamental need.

Essential Cyber Security Insights

Active Directory Effective Permissions Calculator can instantly, automatically and accurately calculate the complete set of effective permissions allowed on any Active Directory object, thereby helping organizations identify exactly -

Who has class-specific [ Create Child | Delete Child ] effective permissions on an Active Directory object?
Who has [ Standard Delete | Delete Child | Delete Tree] effective permissions on an Active Directory object?
Who has [ Read All Properties | Write All Properties ] effective permissions on an Active Directory object?
Who has property-specific [ Read Property | Write Property ] effective permissions on an Active Directory object?
Who has [ List Child | List Object | Read Control ] effective permissions on an Active Directory object?
Who has [ Modify Owner | Modify Permissions ] effective permissions on an Active Directory object?
Who has [ Extended Right | Validated Write ] effective permissions on an Active Directory object?

It can make all these effective permission calculations in Active Directory accurately and instantly at the touch of a button.

Unique in Capability

Only Gold Finger Can accurately calculate effective permissions in Active Directory

Active Directory's rich security model lets organizations precisely provision access to fulfill various business needs, but unfortunately its complexity also makes it very difficult to accurately assess who has what access in Active Directory.

Specifically, given the technical complexity of Active Directory's rich security model, there exist numerous complicated security permissions (e.g. explicit, inherited, allow, deny, object-specfic, special rights etc.) within Active Directory ACLs, and they make it very difficult to accurately assess who currently actually has what access on Active Directory objects.

From a technical standpoint, there is one and only one correct way to determine who actually has what access on an Active Directory object and that is by determining Who has what effective permissions on an Active Directory object?

Unfortunately, many organizations do not know this fact, and determine "Who has what permissions in Active Directory," which is incorrect and delivers vastly inaccurate results, reliance upon which only leaves them substantially vulnerable.

Only Gold Finger's unique Microsoft-endorsed effective permissions calculation capabilities can accurately determine effective permissions in Active Directory, and thus only it can accurately assess who has what access in Active Directory.

Unrivaled in Capability

The need to know who has what access in Active Directory is absolutely paramount to organizational cyber security.

Our unique, unrivaled Microsoft-endorsed Gold Finger is the world's only tool that can instantly, accurately and automatically find out exactly who has what effective permissions on Active Directory objects, including how.

It can also instantly determine and reveal exactly what effective permissions a specific user has in Active Directory.

It accomplishes in mere minutes, what otherwise takes days,
and it does all this, and more, at the touch of a button.

Standard Mode

The Standard Mode (default) of Active Directory Effective Permissions Calculator enables organizations to instantly, accurately and automatically determine exactly who has what effective permissions on an Active Directory object, which one(s), and how.

For example -

Who has what effective permissions on the CEO's domain user account in Active Directory?
Who has what effective permissions on the Domain Admins security group in Active Directory?
Who has effective Modify Permissions on the AdminSDHolder object in Active Directory?
Who has effective Create Child permissions on the Corporate organizational unit (OU)?
Who has effective Standard Delete permissions on a specific service connection point?

Single-User Mode

The Single-User Mode of Active Directory Effective Permissions Calculator empowers organizations to instantly, accurately and automatically assess whether a specific user has any effective permissions on an Active Directory object, and if so which one(s), and how.

For example -

Does a specific user, John Doe, have effective Reset Password extended right on the CEO's domain user account?
Does a specfic user, Jane Doe, have effective Write Property Member on the Domain Admins security group?
Does a specific contractor have effective Modify Permissions on the AdminSDHolder object?
Does a specific user, Mark Smith, have effective Create Child User permissions on the Corporate OU?
Does a specific user, Stuart Chan, have effective Delete, or Delete Child permissions on the Global OU?

Features

Accurate Effective Permissions Analysis

Accurately calculate effective permissions on Active Directory objects

Complete Effective Permissions Analysis

Determine complete set of effective permissions allowed on an AD object

Real-time Fully-Automated Analysis

Instantly determine effective permissions on any AD object in real-time

Source Identification

Identify the exact permission that entitles a user to an effective permission

Export to CSV

Export effective permissions data for analysis, comparison and archival

Technical Summary

Active Directory Effective Permissions Calculator accomplishes the rare technical feat of automating the accurate determination of effective permissions on individual Active Directory objects, to help identify exactly who actually has what access on any and every object in any Active Directory partition, as well as identifying how they have this access.

Benefits

Accurately Audit AD Effective Permissions

Accurately calculate effective permissions on AD objects

Accurately Audit Access on AD objects

Find out who actually has what access on AD objects

Secure Your Foundational Active Directory

Assess and lockdown access on your entire AD attack surface

Complete Steps 1, 2 and 3 of your PAM Journey

Accurately discover privileged users in AD, secure them and control access

Demonstrate Regulatory Compliance

Correctly demonstrate compliance concerning privileged access in AD

Example Reports

The following real-world examples illustrate the Active Directory Effective Permissions Calculator's unique capabilities -

Find out exactly who has what effective permissions on the Domain Admins privileged group in Active Directory.
Determine exactly who has Write Property - Member effective permissions on the Domain Admins group.
Find out exactly who has Change Schema Master extended right effective permissions on the Schema partition root.
Find out exactly who has Get Replication Changes All extended right effective permissions on the domain root object.
Identify exactly who has Delete or Delete Tree effective permissions on a top-level OU containing thousands of objects.
Determine exactly who has Create Child - User effective permissions on a top-level organizational unit in Active Directory.
Find out exactly who has Modify Permissions effective permissions on the domain root object or on the AdminSDHolder object.
Find out exactly who has Write Property - userAccountControl effective permissions on a critical server's domain computer object.
Determine exactly who has Apply Group Policy extended right effective permissions on the Domain Controllers organizational unit.
Determine exactly who has Reset Password extended right effective permissions on the default Administrator domain user account.

Requirements and Licensing

Active Directory Effective Permissions Calculator can be instantly downloaded, installed and run on any Windows computer. Its use does not require any administrative privileges, any changes to or any knowledge of Active Directory.

The tool is licensed on a subscription model, and can be licensed on an annual basis.

"We use the Gold Finger from Paramount Defenses to fulfill our Active Directory Audit needs. It saves us a lot of time and effort and we would recommend it to anyone who needs to perform Active Directory audits trustworthily and cost-effectively. Great product, great support."

Sean Seeliger, Architect