Active Directory Permissions: Tutorial & Best Practice Guide

Active Directory is the foundation of Windows networks, allowing admins to manage users, devices, groups and security policies. As such, your AD is essential to governing access to IT resources. In this guide, you will learn all there is to know about Active Directory permissions, including how to set, list, review and remove them.

What Are Active Directory Permissions?

You can think of Active Directory as a database that keeps track of all the components in a Windows network: user accounts, computers, devices, file servers and so on. However, instead of storing all these objects in a single list, AD allows you to manage their relationship in a hierarchical structure. For example, you can add multiple users to a security group and then provide that group access to a specific folder.

As the foundation for user management in Windows environments, Active Directory also plays a critical role in determining who can access files, folders and applications. Active Directory can be used to manage all sorts of permissions, from NTFS permissions on file servers to share permissions on network shares. Even access to third-party applications can be administered through AD group membership. As a result, understanding how to assign, check and revoke Active Directory permissions is an important skill for any admin.

While Active Directory security groups are essential to permission management, organizational units are equally important in order to apply group policy objects to the correct users and devices.

How Do Active Directory Permissions Work?

In order to determine whether a user is allowed to access an object, Windows checks their account’s security identifier (SID) against the object’s access control list (ACL). Effectively, the ACL is a list of users, groups and their permissions on the specified object (read, modify, full access, etc.). The ACL can also be used to deny users access. Deny permissions are written to the beginning of the ACL and take precedence over later entries. In other words, if a user is both denied and granted access, they are denied access overall.

There are two more important concepts you need to understand in order to manage Active Directory permissions:

  • Permission inheritance: By default, permissions in Windows networks propagate from parent objects to child objects. For example, if a user is given access to a folder, they also receive access to its files and subfolders. Likewise, if you assign a permission to an Active Directory group, any nested groups within it receive the same permission. Inheritance makes permission management a lot easier by allowing you to focus on top-level settings, but it can also lead to mistakes and unintended access.

  • Permission precedence: Inherited and explicit permissions can sometimes lead to permission conflicts. In this case, explicit permissions take precedence over inherited permissions and deny permissions take precedence over allow permissions. For example, if a user inherits “Deny Read” on a folder, but you assign “Allow Read” directly, the explicit allow takes priority. If you then add an explicit deny permission, it blocks the explicit allow permission.
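The evaluation order described above, modelled in PowerShell as an added example (not code from the original article). The ACEs and SIDs are constructed, `Test-AccessDecision` is a hypothetical helper, and the check is simplified to a single right.

```powershell
# Added example: the ACEs and SIDs below are constructed, not read from a directory.
function Test-AccessDecision {
    param(
        [Parameter(Mandatory)] [object[]] $Acl,        # entries on the object
        [Parameter(Mandatory)] [string[]] $TokenSids,  # user SID plus group SIDs
        [Parameter(Mandatory)] [string]   $Right       # right being requested
    )
    # Canonical order: explicit deny, explicit allow, inherited deny, inherited allow.
    $order = @(
        @{ Expression = { [int]$_.IsInherited } },
        @{ Expression = { if ($_.Type -eq 'Deny') { 0 } else { 1 } } }
    )
    foreach ($ace in ($Acl | Sort-Object -Property $order)) {
        if ($ace.Right -ne $Right)            { continue }  # different right
        if ($TokenSids -notcontains $ace.Sid) { continue }  # different trustee
        # The first matching entry in canonical order decides the outcome.
        return [pscustomobject]@{
            Decision = $ace.Type
            Source   = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
        }
    }
    # No entry matched: access is implicitly denied.
    [pscustomobject]@{ Decision = 'Deny'; Source = 'no matching entry' }
}

# Constructed SIDs for one user and a group the user belongs to.
$user  = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$group = 'S-1-5-21-1111111111-2222222222-3333333333-1201'
$token = @($user, $group)

# Scenario from the text: "Deny Read" inherited via the group, "Allow Read" set directly.
$acl = @(
    [pscustomobject]@{ Sid = $group; Type = 'Deny';  Right = 'Read'; IsInherited = $true  }
    [pscustomobject]@{ Sid = $user;  Type = 'Allow'; Right = 'Read'; IsInherited = $false }
)
Test-AccessDecision -Acl $acl -TokenSids $token -Right 'Read'

# Same object after an explicit deny for the user is added.
$acl += [pscustomobject]@{ Sid = $user; Type = 'Deny'; Right = 'Read'; IsInherited = $false }
Test-AccessDecision -Acl $acl -TokenSids $token -Right 'Read'
```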

How to Set Active Directory Permissions

Active Directory permissions are managed through Active Directory Users and Computers (ADUC), a snap-in for the Microsoft Management Console/Active Directory Server Manager used to manage AD users, groups and organizational units. To edit an object’s permissions through Active Directory Users and Computers, all you have to do is:

  1. Select the object whose permissions you want to edit

  2. Right-click on it and open its Properties

  3. Switch to the Security tab

  4. Choose the permissions you want to assign for different groups and users

Note: Take care to always follow best practices for AD permissions, or your access landscape will quickly descend into chaos. You should manage AD permissions through groups only, set as few explicit permissions as possible and adhere to Microsoft’s AGDLP principle.

How to View Active Directory Permissions

You can follow the same steps in Active Directory Users and Computers to see which permissions a user or object currently holds. Simply select the object you want to examine, right-click on it, click on Properties and then switch to the Security tab. Here you can see the permission levels held by different Active Directory users and groups.

Types of Active Directory Permissions

In Active Directory, there are three basic permission types:

  • Read: Allows viewing files and their properties

  • Write: Allows editing and deleting files

  • Full Control: Allows viewing, editing and deleting files as well as modifying settings

Alongside these basic permissions, AD also has a set of special permissions that can be found in the Advanced settings of the Security tab. Special permissions provide more granular control by offering individual options like “delete”, “modify owner” or “modify permissions”.

Best Practices for Active Directory Permissions

If you’ve followed our guide, you are now familiar with Active Directory Users and Computers, the tool that allows you to create AD groups and assign permissions. But knowing how to modify an object in AD is not the same as knowing how to manage permissions effectively. After all, there is a difference between knowing how to lay a single brick and knowing how to build a whole house.

So, how do you actually manage Active Directory permissions? That’s what you will learn in this section. While the exact settings, groups and privileges you need depend on the structure and access requirements of your organization, there are some important best practices you need to familiarize yourself with. You will find them listed here.

1. Always Use Groups

You should never assign AD permissions directly to a user. Managing individual permissions for every account creates a huge mess where admins quickly lose track of privileges they have granted to various people. Instead, group users together based on their business role and provide that group with the access rights its members need.

But be careful: Don’t assign permissions directly to the group that holds all your users. The issue here is that you won’t be able to tell which permissions the group includes because Windows doesn’t provide you with a list. Instead, create dedicated security groups for each permission you want to add, give each group a name that shows which permission it controls and then add your user group to these permission groups. This way, you will have a list of group memberships that tells you exactly which resources the group can access.

What we have described here are the fundamentals of the AGDLP principle, Microsoft’s recommended strategy for implementing role-based access control in Windows networks. Following the AGDLP approach helps you manage access more efficiently, but requires admins to stick to the same group structure and naming conventions.

2. Understand Permission Inheritance

Under normal circumstances, objects in Active Directory inherit permissions from above and pass them on below. Understanding how permission inheritance works and how to manage it effectively is a key skill for AD admins. Used correctly, permission inheritance is your biggest ally in permission management. It allows you to focus on high-level decisions and to let the results trickle down to nested objects and folders.

However, inheritance can also lead to unwanted access if files are placed in the wrong location, for example. The best way to avoid mistakes is to design your AD to make full use of inheritance. You can also restrict or deny permission inheritance on individual objects, but try to avoid breaking inheritance whenever possible. It makes it difficult to keep track of which privileges are passed down and which aren’t.
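One way to check the first two best practices (groups only, inheritance intact) against a live domain, as an added example that is not part of the original article. `Get-AdAclFinding` is a hypothetical helper, the search base is a placeholder, and the script assumes the RSAT ActiveDirectory module and a single domain.

```powershell
# Added example; needs the ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-AdAclFinding {
    param(
        # Placeholder DN: replace with an OU from your own domain.
        [string] $SearchBase = 'OU=Example,DC=example,DC=com'
    )
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        $dn = $ou.DistinguishedName
        $sd = Get-Acl -Path "AD:\$dn"

        # Inheritance has been disabled on this object.
        if ($sd.AreAccessRulesProtected) {
            [pscustomobject]@{
                Object  = $dn
                Finding = 'Inheritance disabled'
                Trustee = $null
                Rights  = $null
            }
        }

        # Explicit (non-inherited) entries whose trustee is a user, not a group.
        foreach ($ace in ($sd.Access | Where-Object { -not $_.IsInherited })) {
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                continue  # trustee name could not be translated to a SID
            }
            # Built-in principals are not directory objects and return nothing here.
            $trustee = Get-ADObject -Filter "objectSid -eq '$sid'" -Properties objectClass
            if ($trustee.ObjectClass -eq 'user') {
                [pscustomobject]@{
                    Object  = $dn
                    Finding = "Explicit $($ace.AccessControlType) entry for a user"
                    Trustee = $ace.IdentityReference.Value
                    Rights  = $ace.ActiveDirectoryRights
                }
            }
        }
    }
}

Get-AdAclFinding | Format-Table -AutoSize -Wrap
```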

3. Follow a Clear Structure

From user access to organizational units and group policy objects, managing your AD becomes a lot easier if you follow a well thought-out design that helps you limit exceptions and special cases. A clear, hierarchical structure ensures that inheritance is maintained, settings are applied as intended and admins can easily tell who has access based on the folder structure and naming conventions.

Of course, maintaining a logical AD structure is easier said than done. It takes discipline and diligence to keep your AD clean and orderly. Admins must all follow the same approach to groups and permissions. And they need to keep users under control at the same time, limiting who can add new folders in root directories, for example.

4. Ensure Least Privilege Access

Managing Active Directory permissions serves two purposes:

  1. Ensuring that users can access the resources they need

  2. Ensuring that users cannot access resources they don’t need

Both halves of AD permission management are equally important: The only way your employees can do their jobs is if you provide the right privileges. At the same time, restricting access is essential to preventing sensitive data from falling into the wrong hands – whether it’s through compromised accounts, insider threats, cyberattacks or employee data theft.

Maintaining productivity and effective cybersecurity requires the right balance, which is what the principle of least privilege is all about: Give your users all the privileges they need, remove any they don’t. In practice, least privilege access requires a methodical approach to user provisioning and de-provisioning – this can be achieved through role-based access control – as well as regular audits or user access reviews to ensure no unnecessary permissions pile up.

Least privilege access is a key component of many security standards and regulations, including NIST CSF, ISO 27001, the GDPR and the NIS2 directive.

The Problem With Active Directory Permissions

The biggest challenge with Active Directory permissions is that even if you know how to manage individual permissions and understand the best practices for administering AD privileges safely and efficiently, putting it all into practice is a lot of work. Following the AGDLP framework, for example, makes it easier to provision new users, but still requires you to create a ton of security and permission groups.

To make matters worse, the default tools provided by Microsoft are often not up to the task of managing AD permissions effectively. Permission reporting is one of the biggest pain points for admins here, with Microsoft offering no straightforward way to track user and item level permissions – especially if you’re dealing with large user counts or complex network structures.

Integrating Active Directory and Azure AD

With most organizations relying on Microsoft 365 apps like Teams, SharePoint and OneDrive, integrating your existing domain with Azure AD adds another wrinkle to Active Directory permission management. It’s no longer enough to control local resources; you also need to provide users with the right cloud apps and online identities. And of course, ideally you want to combine and automate as many of these permission management workflows as possible.

Microsoft offers a range of utilities that help connect local AD domains to Azure AD, but again, these tools often leave something to be desired. From functional limitations to odd quirks, the options you have for managing hybrid environments are less than ideal. Not to mention that you’re still left with the question of how to best manage user privileges in third-party applications like business software. It’s enough to make you wonder: Isn’t there a way to manage all users and permissions through a single platform? Well yes, there is.

Central, Automated Permission Management with tenfold

Identity and access management solutions provide you with a central, automated hub for administering permissions across your entire IT infrastructure. IAM platforms make it easy to provide your users with the correct privileges, update and revoke access automatically or conduct permission audits.

However, conventional IAM solutions are often difficult to set up due to the amount of custom programming required to connect them to other systems. In order to manage permissions in Active Directory, Azure AD and other applications, organizations first have to craft the necessary workflows, data imports and approval processes from scratch. This makes traditional IAM solutions overly complex and difficult to use.

But not tenfold: Our no-code IAM solution comes with out-of-the-box support for key IT systems like Active Directory and Azure AD. The prebuilt plugins tenfold ships with make it easy to connect to any application – all you need to do is tweak a few settings through our no-code UI. Thanks to this user-friendly approach, tenfold can be fully implemented in just a few weeks, a fraction of the time needed to configure similar solutions. Learn more about the advantages of tenfold by reading our free IAM comparison.

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.