Gold Finger

Common Elements

1. Inbuilt Search

Gold Finger features a versatile inbuilt search utility that makes it really easy to locate Active Directory objects and determine their distinguished name (DN), as an object's DN is needed to be able to specify scopes in Gold Finger.

To access the search utility, click the Search Utility button located to the right of the Scope field.

In the utility, enact the following steps to locate an Active Directory object -

1. Select a domain - Use the Select Domain dropdown to select a domain to search.

Note - To locate objects in the Schema or Configuration partitions, select the forest root domain, then change the D to S or C accordingly.

2. Select an object type - Next, use the Select Object Type dropdown to select the object type you wish to search for.

Note - The utility can locate objects of various classes such as domain user accounts, computer accounts, security groups, OUs etc.

3. Select search criteria - Next, use the Select Search Criteria dropdown to select the search criteria for your search.

4. Specify a criteria value - Next, specify a value for the Specify Criteria Value field.

Example - If searching for user accounts by Title, you can enter CEO or C*O or just * as the criteria value.

5. Click a button - Finally, click the Search button to execute your search.

Upon completion, search results will be displayed in the Search Results pane. Review the results to locate the Active Directory object of interest to you. When found, click on it to select it, then click the OK button to exit the search utility.

Gold Finger will return to the main tooling and auto-populate the Scope field in it with the DN of the selected object.

2. Scope Options

There are four tools in the Gold Finger Suite that allow custom scope options to be set to customize a report's scope - Security Auditor, ACL Analyzer and Exporter, Permissions Analyzer and Privilege Escalation Path Identifier

In these tools, scope options can be accessed by clicking the Scope Options button located next to the Search Utility.

The following scope options can be configured in the Scope Options dialog -

1. Scope Span - The scope of a report can include the entire Sub-Tree rooted at the object specified in the Scope field (default), or be restricted to One-Level depth relative to the same root, or confined to the root object (Base).

2. N-Level Restriction - The scope of a report can include the entire Sub-Tree rooted at the object specified in the Scope field, or it could be restricted to a depth of a specified level from the root, as configured in this parameter.

3. Use custom LDAP filter - The scope of a report can be further fine-tuned or constrained to including only those Active Directory objects that meet the criteria governed by a custom LDAP filter that is specified in the Filter field.

Note - When using the Security Auditor tool, the tool expects and requires a partial filter, e.g. (title=c*o) for a user account management report. All other tools (listed above) that offer Scope Options (, and report #100 of the Security Auditor tool (as an exception)), expect and require a complete LDAP filter is required, e.g. (&(objectCategory=person)(objectClass=user)(title=c*o))

Scope options can be very helpful in confining the scope of a report to a desired set of objects in Active Directory, and when used effectively, they can substantially reduce the assessment time involved in generating a Gold Finger report.