AD Permissions and ACLs Explained
How Active Directory permissions and Access Control Lists work, common misconfigurations, and how to audit them effectively.
Understanding how permissions work in Active Directory is critical for securing your environment and preventing privilege escalation.
What Are ACLs?
Access Control Lists (ACLs) define who can do what to AD objects. Each object has a Discretionary Access Control List (DACL) that contains Access Control Entries (ACEs).
Each ACE specifies:
- Principal: Who (user, group, or computer)
- Permission: What action (read, write, delete, etc.)
- Object/Property: Which attribute or object type the entry applies to
- Allow/Deny: Whether the entry allows or denies that permission
Common Permission Types
Generic Permissions: Apply broadly (Full Control, Read, Write, Delete)
Property-Specific Permissions: Apply to specific attributes (Reset Password, Write Member, Write SPN)
Object-Specific Permissions: Apply to specific object types (Create Child, Delete Child)
Dangerous Permissions
GenericAll
Grants all permissions on an object. On a user object, this allows password reset, group membership changes, and attribute modification.
WriteDacl
Allows modifying the ACL itself, enabling attackers to grant themselves additional permissions.
WriteOwner
Allows changing object ownership, which can lead to full control.
GenericWrite
Allows modifying most attributes, including group membership and password-related attributes.
DCSync Rights
Allows replicating password hashes from domain controllers. This is extremely dangerous.
Common Misconfigurations
Authenticated Users with Write Permissions: Too broad, allows any authenticated user to modify objects.
Service Accounts with Excessive Permissions: Service accounts should have least privilege, not generic write or full control.
Groups with Write Permissions on Privileged Groups: Allows adding any member to Domain Admins or other sensitive groups.
Computers with Write Permissions: Computer accounts should not have write permissions on user or group objects.
How to Audit ACLs
- Use PowerShell: Get-Acl and Get-ADObject cmdlets
- Use BloodHound: Visualizes permission relationships and attack paths
- Manual Review: For high-value objects, review ACLs manually
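An added PowerShell audit example (not code from the original article) that walks the DACL of the domain head and every adminCount=1 group with Get-Acl and reports Allow ACEs carrying the rights listed above (GenericAll, WriteDacl, WriteOwner, GenericWrite, DCSync, reset password) held by anyone outside an expected-principals list. It assumes the RSAT ActiveDirectory module, read access to the domain, and that $ExpectedPrincipals is tuned to your environment.

```powershell
# Added example, not code from the original article. Assumes the RSAT ActiveDirectory
# module, read access to the domain, and that $ExpectedPrincipals is tuned per domain.
Import-Module ActiveDirectory
$Domain  = Get-ADDomain
$NetBios = $Domain.NetBIOSName

# Principals that legitimately hold broad rights on these objects (assumption: adjust).
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
    "$NetBios\Domain Admins", "$NetBios\Enterprise Admins", "$NetBios\Domain Controllers"
)

# Well-known control access right GUIDs checked below.
$DcSyncGuids = @([guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',   # DS-Replication-Get-Changes
                 [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2')   # DS-Replication-Get-Changes-All
$ResetPwdGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'     # User-Force-Change-Password

# Emits the dangerous right names an ACE carries; emits nothing for a benign ACE.
function Get-DangerousRight {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $r = $Ace.ActiveDirectoryRights
    foreach ($name in 'GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite') {
        $flag = [System.DirectoryServices.ActiveDirectoryRights]$name
        if (($r -band $flag) -eq $flag) { $name }      # all bits of the generic right present
    }
    if (($r -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) {
        if ($Ace.ObjectType -eq [guid]::Empty)     { 'AllExtendedRights' }   # covers DCSync and more
        elseif ($Ace.ObjectType -in $DcSyncGuids)  { 'DCSync' }
        elseif ($Ace.ObjectType -eq $ResetPwdGuid) { 'ResetPassword' }
    }
}

# Review the domain head (where DCSync rights are granted) plus every adminCount=1 group.
$Targets = @($Domain.DistinguishedName) +
           @(Get-ADGroup -Filter 'adminCount -eq 1' | Select-Object -ExpandProperty DistinguishedName)

$Findings = foreach ($dn in $Targets) {
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ExpectedPrincipals -contains $ace.IdentityReference.Value) { continue }
        $hits = @(Get-DangerousRight -Ace $ace)
        if ($hits.Count -eq 0) { continue }
        [pscustomobject]@{
            Object    = $dn
            Principal = $ace.IdentityReference.Value
            Rights    = $hits -join ','
            Inherited = $ace.IsInherited   # inherited ACEs point at a parent OU to fix instead
        }
    }
}
$Findings | Sort-Object Object, Principal | Format-Table -AutoSize
```

Each finding is a candidate for the "document business need" step before anything is removed; an inherited entry should be corrected on the OU it comes from rather than on the object itself.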
Remediation Steps
- Identify dangerous permissions: Use tools to find GenericAll, WriteDacl, DCSync rights
- Document business need: Understand why permissions exist before removing them
- Remove unnecessary permissions: Apply least privilege principle
- Use groups, not individual accounts: Easier to manage and audit
- Regular reviews: Audit ACLs quarterly or after organizational changes
- Monitor changes: Alert on ACL modifications to sensitive objects
Best Practices
- Least privilege: Grant only the minimum permissions needed
- Use groups: Assign permissions to groups, not individual users
- Document exceptions: If broad permissions are needed, document why
- Regular audits: Review ACLs regularly, especially on privileged objects
- Protect sensitive objects: Use Protected Users group, enable account protection