Active Directory Permission Management Explained
Microsoft Windows is to IT departments like yin is to yang: It’s impossible to imagine one without the other. But being joined at the hip doesn’t automatically make the relationship a healthy one – and the widespread use of MS Windows throughout IT departments around the globe is no exception. There are flaws.
For instance, if you try to manage Active Directory groups, NTFS permissions and share permissions using the default Microsoft tool set, chances are you’ll soon be pulling your hair out in frustration. Not only is the process a time-consuming one, it’s also highly prone to errors.
In this article, we are going to discuss what the AGDLP framework means for Active Directory permissions and explore how you can speed up and simplify your Active Directory permission management while, most importantly, keeping everything secure.
Active Directory Permission Management
Between an increase in ransomware attacks, the looming danger of insider threats like employee data theft and growing regulatory pressure from governments and trade groups, the demands on cybersecurity are constantly increasing. There are now numerous laws and regulations demanding that businesses keep precise and constant track of who has access to which resources within their company, including SOX, HIPAA and ISO 27001.
The problem with this demand is that Microsoft, the world’s most widely used OS, offers no adequate reporting tool that would allow organizations to produce an overview of access structures. There is simply no way of seeing (and therefore knowing), at a glance, who in your company has access to critical data.
Active Directory Permissions and AGDLP
Microsoft has developed a concept for managing permissions on file servers called the AGDLP principle. This best practice represents Microsoft’s recommended approach for implementing role-based access control (RBAC) within a Windows domain. The principle dictates that:
(A) Computer and user accounts should be
(G) members of global groups, which represent business roles.
(DL) These global role groups are members of domain local groups, which are maintained for access control
(P) with each group holding a specific permission for a specific resource.
Let’s say you’re an admin and you want to give a person in your company access to a folder. Instead of assigning the permission directly to them, you instead add their account to the appropriate global user group, which is itself a member of the domain local permission group that grants access to the directory in question.
What Is Role-Based Access Control (RBAC)?
Role-based access control is a cybersecurity concept focused on providing safe and appropriate access to all resources in an organization. RBAC ensures that access rights are assigned according to the principle of least privilege: this principle dictates that users should be granted the minimum number of permissions required for their role, as any unnecessary privileges pose a security risk if an account is compromised or misused.
Is AGDLP a Good AD Permission Management Concept?
At first glance, the AGDLP principle solves two common problems you will most definitely encounter when you manage permissions on a file server:
- When you delete a user, you will not be left with an orphaned SID.
- To find out what resources a user has access to, all you have to do as an administrator (in theory) is to check the Active Directory permissions of the user and computer, since (again, in theory) the group the user was assigned to should provide insight as to what folders they have access to.
The Problem with AGDLP: It’s Time-Consuming and Error-Prone
So, in theory, the AGDLP principle is a great approach for Active Directory permission management. However, in practice it’s an entirely different story. The problems begin when admins attempt to implement the AGDLP principle manually. They have to ensure it is applied properly and consistently at all times. In smaller companies with fewer users this is probably doable – if your admin is really committed and meticulous in their approach.
But what about larger companies with hundreds or even thousands of users? How are you going to go about creating and managing all the permission groups needed to follow AGDLP? It’s a daunting task, as you can probably imagine. It’s a) really time-consuming, and b) leads to a lot of mistakes.
And, obviously, the risk of errors increases exponentially the more admins you have and the more branches and locations they have to manage. It’s almost impossible to get your admins on the same page when it comes to things like naming conventions for groups if they are scattered all over the place, possibly not even in the same building. It’s chaos.
Unfortunately, Microsoft has yet to release a state-of-the-art management console that provides a drag-and-drop option for assigning permissions to users.
Active Directory Reporting
Microsoft®’s reporting tools for Active Directory permissions and file server permissions are likewise very limited. Deciphering folder permissions in the AD is technically feasible, but again, very time-consuming. There’s no dashboard that lets you view all permissions in one place. Any information you want or need, you’re going to have to retrieve on your own.
Folder Permission Reporting
To get a folder permission report, you can use a cmdlet in Powershell (learn more about folder permission reporting via Powershell). Another option is the Microsoft tool AccessEnum, which you can use to check the permissions of a user or group on folders or parts of the registry.
The tool not only lists the current permissions, but also tells you which permissions the user was previously denied.
The information provided by AccessEnum is considerably more detailed than the entries in the Access Control List. However, the tool does not provide a substitute for the missing link between the permissions on your file servers and those in Active Directory.
Effective Permission Reporting
While it is possible – albeit time-consuming – to retrieve Active Directory folder permissions, there is simply no way to view the effective permissions a specific user has. The same goes for Active Directory group permissions.
What’s missing here is an instance linking the permissions on file servers to those in Active Directory (or the access control list in the case of NTFS permissions). There’s simply no way to connect the two, let alone provide an overview of how they are linked.
NTFS Permission Reporting
Many admins prefer NTFS permissions over share permissions because NTFS permission settings offer more granular control. Also, NTFS permissions apply both for local access made directly on a PC and network access. (Learn more about the difference between NTFS and share permissions).
As practical as NTFS permissions are for managing user access to file servers, reporting on NTFS permissions is difficult. This is because there is no instance connecting the file server to the Active Directory that would, for example, inform the AD when a user has been granted access to a folder on the file server.
No Connection Between AD and File Servers
Since the AD and file server are not connected to one another, users should never be granted direct access to an object on the file server, but only by being added to AD groups.
If a user is given direct access to a folder instead of using group membership, this permission will not be reflected in the Active Directory. If later this user is deleted from the AD, including all group memberships, this will leave behind an orphaned SID on the folder.
How to Set NTFS Permissions Correctly
As an admin, you can save a lot of time and stress by making sure you set NTFS permissions correctly from the get-go. Read our blog post to learn about NTFS permission best practices and the 5 most common mistakes admins make.
AGDLP Microsoft Best Practices
For a detailed guide on how best to handle permissions in Microsoft environments, download our free best practice white paper and confirm that your organization is applying AGDLP properly.
BUT – if you’re dealing with a very large number of users and/or complex internal access management workflows and processes in your AD and file servers, you might want to think about finding a way to automate those.
Best Practices for Access Management In Microsoft® Environments
An in-depth manual on how to set up access structures correctly, including technical details. Also includes information on reporting and tips for implementation.
Active Directory Tool: Managing Permissions With tenfold
Our philosophy at tenfold is to keep it simple. That’s why our identity and access management solution makes Active Directory permission management and permission management for file servers extra easy. And the best part: It’s fully automated.
Our product is deeply integrated with Microsoft’s infrastructure and provides both automatic permission management and seamless documentation for compliance purposes, whether on-premises, in the cloud (Microsoft 365) or both!
tenfold Implements AGDLP Principle
One of tenfold’s key features is its Active Directory integration. An intuitive user interface makes it fast and easy to access and manage any AD settings and attributes. As for AGDLP, all it takes to implement the principle is for admins and users to set the desired permission levels and tenfold then automatically takes care of the rest.
Active Directory Permission Reporting: Easy as Pie
Not only does tenfold enable centralized permission management, it also provide centralized reporting. What this means, essentially, is that you can read out any Active Directory permissions (including group permissions and AD folder permissions) with just one click in the tenfold user interface. The software:
extracts the data from file servers and the AD,
breaks down nested structures,
filters irrelevant information and
provides an overview of effective permissions (including historical data, if requested).
Documenting NTFS Permissions
tenfold provides the missing link between file server permissions and the AD structure. With one click, tenfold will give you an overview of Active Directory permissions as well as file server access rights and permissions in Exchange and Sharepoint.
NTFS Reporting Tool
tenfold‘s reporting tools document every change made to users and/or permissions. This means you do not need an additional tool to compile an NTFS permissions report. Instead, all current permissions can be viewed or exported into a clear and concise report.
Increase Efficiency Through Automation
tenfold’s feature palette doesn’t end here though. Not only does it manage your file server and AD permissions – it also allows you to grant permissions across a variety of other systems thanks to its rich third-party support. Applications that are supported through out-of-the-box plugins include SAP ERP, Groupwise, HCL Notes, as well as ticket and help desk systems such as Jira and TOPdesk.
The key to success here is that tenfold acts as a central permission management platform, applying role-based access control to every system. Role-based access control means that resources and permissions from different target systems are grouped and linked to the respective organizational unit. This connection produces roles (commonly referred to as business roles) that hold certain standard permissions.
This approach to user management saves time and is very secure because it allows tenfold to automatically assign default rights and remove them again when user attributes (e.g., department or location) change. This is commonly referred to as user lifecycle management.
Thanks to tenfold’s deep integration with Microsoft and Active Directory, it is able to document every change made to access rights and permissions across your entire organization. Complete and auditable records like these play an important role in meeting compliance regulations like SOX, the GDPR, HIPAA or ISO 27001.
tenfold is the next generation of access management. Our mission is to make user & account management fast, easy and secure for everyone by providing user-friendly solutions to common problems. We want all users, from IT admins to HR, to be able to use tenfold effectively.
What makes tenfold the leading IAM solution for mid-market organizations?