Active Directory Permissions Analyzer
User's Guide

Introduction
This User's Guide shows you how to use the Active Directory Permissions Analyzer to analyze permissions in Active Directory and identify exactly who has what security permissions, where and which ones in Active Directory.
It contains nine sections -

1. Pre-requisites
Prior to getting started with the Gold Finger application, please ensure that the following pre-requisites are met -
The computer on which the application will be installed must be running a Windows operating system that is currently supported by Microsoft Corporation, and it must have network access to the Active Directory forest you wish to analyze.
The computer on which the application will be used must be joined to the Active Directory forest it is to be used in.
The user in whose security context the application will be used, must be logged on to the Windows machine on which the application is installed, using a domain user account belonging to the same Active Directory forest.
Note 1 - For pre-requisites 2 and 3, alternatively, the user using the application can specify and use alternate credentials of a domain account belonging to the same Active Directory forest, specifiable via Basic Options.
Note 2 - The account used to install the application on a computer must have local admin rights on that computer. This is only required to be able to install/update required Microsoft Windows platform redistributable dependency files.

2. Getting Started
Getting started with Gold Finger takes just a few minutes and involves three simple steps -
- Download and install Gold Finger
Navigate to your custom license download URL, locate the Gold Finger download link and click on it to download the Gold-Finger.zip package onto the computer on which you wish to install the application.
Next, unzip the package, verify the digital signature on the unzipped Gold-Finger.msi installer file and then double-click it to launch the installer. The installer will ask a few basic questions and then proceed to install Gold Finger.
- Download and install your Gold Finger License
Navigate to your custom license download URL, locate the Gold Finger License download link and click on it to download the Gold_Finger_License.zip package onto the computer on which you wish to install the application.
Next, unzip the downloaded package, and locate the GFLic.dll file within the unzipped Gold_Finger_License folder. Verify the digital signature on the GFLic.dll file, and then copy it into the Gold Finger installation directory.
Note - In a default installation, the Gold Finger installation directory is C:\Program Files (x86)\Paramount Defenses\Gold Finger.
- Launch Gold Finger
Click the Start menu, locate the Paramount Defenses folder, then locate the Gold Finger application link and click on it. Please give it a few moments whilst Gold Finger performs a few basic security checks before it opens.
Note - Should you wish to use alternate credentials or target a specific domain controller, you can do so via Basic Options.
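The signature checks called for in the first two steps can be scripted before anything is installed or copied. The following is an added example, not vendor code; the file paths and the expected publisher pattern are assumptions to confirm against your own download.

```powershell
# Added example: verify the Authenticode signatures on the installer and the
# license DLL before installing or copying them. Not vendor-supplied code.
# ASSUMPTION: the publisher pattern below; confirm the exact certificate subject
# with the vendor rather than trusting a substring match alone.
$ExpectedPublisher = '*Paramount Defenses*'

# ASSUMPTION: locations of the unzipped files relative to the current directory.
$Files = '.\Gold-Finger.msi', '.\Gold_Finger_License\GFLic.dll'

$report = foreach ($file in $Files) {
    $sig = Get-AuthenticodeSignature -FilePath $file
    [pscustomobject]@{
        File        = $file
        Status      = $sig.Status                      # must be 'Valid'
        Signer      = $sig.SignerCertificate.Subject
        Thumbprint  = $sig.SignerCertificate.Thumbprint
        Timestamped = [bool]$sig.TimeStamperCertificate
        Trusted     = ($sig.Status -eq 'Valid') -and
                      ($sig.SignerCertificate.Subject -like $ExpectedPublisher)
    }
}
$report | Format-List

# Both files should chain to the same signing certificate.
$signers = @($report | Select-Object -ExpandProperty Thumbprint -Unique)
if (($report.Trusted -contains $false) -or ($signers.Count -ne 1)) {
    throw 'Signature check failed: do not run the installer or copy GFLic.dll.'
}
```

A status of `Valid` only proves the file is intact and signed by a certificate that chains to a trusted root, so the publisher comparison is what ties it to the expected vendor.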

3. Exploring the User Interface
Gold Finger's sheer simplicity is reflected in its minimalist user interface, comprised of the following elements -
Tool Selector - The tool selector is used to select a specific tool.
Reports Pane - The reports pane lists all the reports available in the selected tool.
Analysis Criteria Specification Fields - These fields are used to specify permissions analysis criteria.
Scope Field - The scope field is used to specify the report's scope/target.
Search Utility - The inbuilt search utility is used to locate and specify targets.
Scope Options - Scope options are used to configure scope options for permissions analysis.
Run Button - The run button, also known as the Gold Finger button, is used to generate a report.
Results Panes - The results are displayed in the results panes, comprised of the Who, Where and What panes.
Status Indicator - The status indicator provides an indication of the report's status.
Export Button - The Export button is used to export a report's results.

4. Analyzing Permissions
To analyze permissions in an Active Directory domain, organizational unit (OU) or container, or on any specific object in a domain, select the Permissions Analyzer from the Tool Selector, then enact the following four steps -
- Select a report
In the Reports pane, select the Who has what permissions in an Active Directory tree report by clicking on it.
Note - Alternatively, to analyze permissions in a specific object's ACL, select Who has what permissions on an Active Directory object.
- Specify permissions analysis criteria
Next, using the Find fields, i.e. the Analysis Criteria Specification fields, specify your permissions analysis criteria -
Type { Both, Explicit, Inherited }
Grant { Both, Allow, Deny }
Permission { Any, Specific, Specific + Schema element*, Any Modify, All }
Granted to { all principals, user accounts, computer accounts, security groups, well-known-FSPs, a specific principal }
* You can specify individual Schema elements. To do so, press Alt-R to load the Schema, then use the + button to specify the element.
- Specify a scope
In the Scope field, enter the distinguished name (DN) of the AD domain, OU, container or object you wish to target.
Note - You can use Gold Finger's inbuilt search utility to instantly and easily locate and determine the DN of any Active Directory object.
Note 2 - You can optionally also configure scope options to customize the report's scope and depth, and/or specify a custom LDAP filter.
- Click a button
Click the Gold Finger (Run) button, and the tool will proceed to analyze permissions.
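To make the Type, Grant, Permission and Granted to criteria concrete, here is an added example (not Gold Finger code) that applies the same kind of filter to a single object's ACL using .NET's System.DirectoryServices. The helper name `Select-AdAce`, the rights chosen for "Any Modify" and the sample security descriptor are assumptions made for illustration.

```powershell
# Added example, not Gold Finger code. Select-AdAce is a hypothetical helper.
Add-Type -AssemblyName System.DirectoryServices

function Select-AdAce {
    param(
        [Parameter(Mandatory)]
        [System.DirectoryServices.ActiveDirectorySecurity] $Acl,
        [ValidateSet('Both','Explicit','Inherited')] [string] $Type  = 'Both',
        [ValidateSet('Both','Allow','Deny')]         [string] $Grant = 'Both',
        # Rights to match (any bit). The default is an ASSUMED reading of "Any Modify".
        [System.DirectoryServices.ActiveDirectoryRights] $Rights =
            'WriteProperty, WriteDacl, WriteOwner, CreateChild, DeleteChild, Delete, DeleteTree, Self',
        [string] $GrantedTo = '*'   # wildcard matched against the trustee SID
    )
    # GetAccessRules(includeExplicit, includeInherited, targetType)
    $rules = $Acl.GetAccessRules($Type -ne 'Inherited', $Type -ne 'Explicit',
                                 [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($Grant -ne 'Both' -and "$($ace.AccessControlType)" -ne $Grant) { continue }
        if (([int]$ace.ActiveDirectoryRights -band [int]$Rights) -eq 0)    { continue }
        if ($ace.IdentityReference.Value -notlike $GrantedTo)              { continue }
        [pscustomobject]@{
            Who    = $ace.IdentityReference.Value
            Type   = if ($ace.IsInherited) { 'Inherited' } else { 'Explicit' }
            Grant  = $ace.AccessControlType
            Rights = $ace.ActiveDirectoryRights
            Schema = $ace.ObjectType   # all-zero GUID: not limited to one schema element
        }
    }
}

# Constructed security descriptor (SDDL), not taken from a real directory.
# On a domain-joined host, read a live one instead:
#   $acl = ([adsi]"LDAP://<object DN>").psbase.ObjectSecurity
$sddl = 'O:BAG:BAD:AI(D;;WD;;;WD)(A;;RPWP;;;AU)' +
        '(A;;WO;;;S-1-5-21-1111111111-2222222222-3333333333-1105)' +
        '(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;CIID;RPLCLORC;;;AU)'
$acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
$acl.SetSecurityDescriptorSddlForm($sddl)

# Type = Explicit, Grant = Allow, Permission = the assumed "Any Modify" set
Select-AdAce -Acl $acl -Type Explicit -Grant Allow | Format-Table -AutoSize
```

This lists matching ACEs on one ACL only; it does not resolve group membership or walk a tree, which is what the tree report adds.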

5. Analyzing Results
Once Gold Finger has successfully completed analyzing permissions, it presents the results intuitively using three user-interface elements, the Who, Where and What panes, to be analyzed as described below -
- Identifying Who has permissions that meet the specified criteria
The list of all security principals that meet the specified criteria in the specified scope is displayed in the Who pane.
- Identifying Where they have such permissions and What ACEs contain them
A - If you selected the report Who has what permissions on an Active Directory object
To identify the access control entries (ACEs) in the ACL of the specified target that contain permissions that meet the specified criteria for a specific security principal (listed in the Who pane), click on the security principal. When you do so, all ACEs in the target object's ACL that contain such permissions, will be displayed in the What pane.
B - If you selected the report Who has what permissions in an Active Directory tree
To find out where a specific security principal (that is listed in the Who pane) has permissions in the specified scope that meet the specified criteria, click on the security principal. When you do so, the list of all objects in the specified scope in whose ACL the selected security principal has permissions that meet the specified criteria, will be displayed in the Where pane.
Next, to identify the access control entries (ACEs) in the ACL of a specific object (listed in the Where pane) that contain permissions that meet the specified criteria for a selected security principal, click on that object (that is listed and visible) in the Where pane. When you do so, all ACEs in that selected object's ACL that contain such permissions for the selected security principal, will be displayed in the What pane.

6. Exporting Results
Gold Finger also makes exporting the complete set of results, i.e. the Who, the Where and the What, as easy as touching a button, as described below -
- Exporting Results
To export the results of a report, simply click the Export button once. When you do so, Gold Finger will generate a CSV file containing the entire data set, and prompt you to specify a location at which to save the file.
The data in the CSV file is logically compartmentalized into the aforementioned four sections, and is fully sortable.
In addition, the contents of each pane, i.e. the Who, Where and What panes, can also be individually exported. To export the contents of a specific pane, simply right-click anywhere in the pane, and select the Export option.

7. Using Basic Options
Gold Finger offers two options that can be used to target specific domain controllers and/or use alternate credentials, and a third basic option that affects the aesthetics of the Run button (traditionally known as the Gold Finger button). All three are accessible via the Options > Basic Options application menu -
- Target a specific Domain Controller
Gold Finger can be configured to target a specific domain controller (DC). If this option is checked, Gold Finger will only target the DC specified in the DC Name field. The specified name of a DC must be its NetBIOS name.
Note - The only requirement is that the specified DC must belong to the target domain and it must also be a Global Catalog.
- Use specific Alternate Credentials
Gold Finger can also be configured to use alternate credentials. If this option is checked, Gold Finger will use the specified alternate credentials. The specified username must be in the form of a UPN, e.g. administrator@corp.local.
Note - By default, Gold Finger uses the security context of the (logged-on) user account that is currently using Gold Finger.
- Use contemporary 'Run' Button
This option controls the aesthetics of the Run button. If this option is checked (default), the Run button sports a contemporary look. If it is unchecked, the Run button retains its traditional look i.e. the iconic Gold Finger button.

8. Using Advanced Options
Gold Finger offers five advanced options for the Permissions Analyzer tool, accessible via the Options > Advanced Options application menu -
Use 'Display Names' for user accounts - This option controls whether Gold Finger should retrieve and display the Display Name of domain user accounts in the Name field. If checked, it will display the Display Name instead.
Include 'System Container' contents - This option controls whether Gold Finger should include the contents of the System container when analyzing permissions. If checked, it will include objects in the System container.
  - [ Also include DNS data ] - This sub-option is used to control whether Gold Finger should also include DNS data that resides in the System container when analyzing permissions. If checked, it will also include DNS contents in the System container.
Include 'Anonymous' in 'Everyone' - If checked, Gold Finger will include the Anonymous well-known security principal when dynamically evaluating the membership of the Everyone well-known security principal.
Include impact of object ownership - This option controls whether Gold Finger should include the impact of an object's owner having implicit Modify Permissions on the object. If checked, it will include the impact of ownership.
Exclude data processing for CSV output - If checked, Gold Finger will skip processing data for CSV exports, likely considerably reducing assessment time. However, the ability to export data to CSV files will become unavailable.

9. Getting Technical Support
Should you require technical support or assistance, please feel free to contact us.
-- End of User's Guide --
Corporate Headquarters
620 Newport Center Drive, Suite 1100
Newport Beach, CA. 92660. USA.
Telephone: 001-949-468-5770















