Active Directory
Effective Permissions

A Technical Overview

"Active Directory Effective Permissions are the actual resulting set of permissions that a user is effectively allowed on an Active Directory object, based on an accurate consideration of the collective impact of all the security permissions specified in the access control list (ACL) of an Active Directory object."

What are Active Directory Effective Permissions?

Active Directory is an enterprise directory and identity service and a foundational technology at organizations worldwide.

In these organizations, all primary identities (domain user accounts), hosts (domain-joined computers), security groups, and the most powerful privileged accounts and groups are stored, managed and secured in Active Directory.

Each one of these accounts and groups, and in fact everything in Active Directory, is represented as an object in Active Directory, and is secured by an access control list (ACL) that specifies who has what security permissions on the object.

The ACL of an Active Directory object typically contains many security permissions (access control entries), and each permission allows or denies, explicitly or via inheritance, generic or specific access to a specific user, computer or security group.

The access allowed to an account or group by one permission could simultaneously be denied to the same account or group by another permission, either directly or via group memberships, explicitly or via inheritance.

Consequently, the actual access a user has on an Active Directory object is determined by the resulting set of permissions the user is actually granted (i.e. effectively allowed) on the object, once the collective impact of all the security permissions specified in the ACL of that object has been accurately taken into account.

This actual resulting set of permissions on an Active Directory object is called Active Directory Effective Permissions.

Thus, Active Directory Effective Permissions are the actual resulting set of permissions that a user is effectively allowed on an Active Directory object, based on an accurate consideration of the collective impact of all the security permissions specified in the ACL of an Active Directory object.

Active Directory Effective Permissions control everything in Active Directory

What do Active Directory Effective Permissions control?

Active Directory Effective Permissions control who has what access to every single object in Active Directory.

Consequently, they control who can enact the most powerful privileged actions in Active Directory, i.e. who can -

  1. Administer, operate and manage Active Directory

  2. Access all credentials (via DCSync) in Active Directory

  3. Control the membership of any/all Active Directory security groups

  4. Reset the passwords of any/all Active Directory user and computer accounts

  5. Modify the access control lists (ACLs) protecting any/all Active Directory objects

  6. Change the ownership of any/all Active Directory objects

  7. Link a GPO to any/all organizational units (OUs), or to the domain root

  8. Create, manage, modify or delete domain user accounts, computer accounts and security groups

  9. Create, manage, modify or sever trust relationships and connections to the Cloud e.g. Microsoft Azure

  10. Modify critical Active Directory operational data in the Active Directory Configuration and Schema partitions


In essence, Active Directory Effective Permissions control just about everything in an organization's Active Directory.

An Example of Active Directory Effective Permissions

Active Directory Effective Permissions are perhaps best understood by considering a simple example, as illustrated below.


Consider a domain user account, whose ACL is configured exactly as follows -

  1. Explicit Deny Authenticated Users All Extended Rights

  2. Explicit Allow John Smith Reset Password

  3. Explicit Allow Authenticated Users Read All Properties, Read Control, List Child

  4. Explicit Allow Administrator Full Control


Based on the ACL above, can John Smith reset the password of this account?

If one were to perform simple Active Directory Permissions Analysis, one would errantly conclude that since there is a permission granting John Smith the Reset Password extended right on the object, John Smith can indeed reset the password of this account.

However, if one were to perform Active Directory Effective Permissions Analysis, one would correctly conclude that although there is a permission granting John Smith the Reset Password extended right on this user account, there is also a permission denying Authenticated Users all extended rights on the account. Since John Smith is also an authenticated user, and an explicit deny is evaluated before (and thus overrides) an explicit allow, in reality John Smith cannot actually reset the password of this account.

This simple example shows that what matters, and is in fact essential for accurately securing Active Directory contents, is not determining "who has what Active Directory permissions" but determining "who has what Active Directory effective permissions".

Privileged Access in Active Directory

Active Directory Effective Permissions Are Fundamental

Active Directory Effective Permissions control all access to every single object in every single Active Directory domain.


Specifically, it is Active Directory Effective Permissions that control and determine all access, including privileged access, in Active Directory, i.e. they determine exactly who can -

  1. Create or delete an object e.g. domain user account, computer account, group, OU etc. in Active Directory

  2. Reset the password of a domain user account in Active Directory

  3. Disable two-factor authentication (the smart card logon requirement) on a domain user account in Active Directory

  4. Change the membership of a domain security group in Active Directory

  5. Add/remove themselves to/from a domain security group in Active Directory

  6. Modify the access control list (ACL) of an Active Directory object

  7. Change the ownership of an Active Directory object

  8. Link a GPO to an organizational unit (OU) or to the domain root

  9. Create, manage, modify or sever connections to the Cloud e.g. Microsoft Azure

  10. Modify critical Active Directory operational data in the Configuration and Schema partitions


Consequently, Active Directory Effective Permissions are fundamental and paramount for organizational cyber security.

10 Technical Examples of how Active Directory Effective Permissions Control Everything in Active Directory

The following technical examples illustrate how Active Directory Effective Permissions control everything inside Active Directory -

  1. Who can create an object in Active Directory is controlled by who has sufficient Create Child effective permissions to be able to create objects of the target Schema class.

  2. Who can delete an object in Active Directory is controlled by who has sufficient Standard Delete (on object), Delete Child (on parent) or Delete Tree (on any ancestor) effective permissions to be able to delete the target object.

  3. Who can reset the password of a domain user account in Active Directory is controlled by who has sufficient Extended Right - Reset Password (00299570-246d-11d0-a768-00aa006e0529) effective permissions on the domain user account.

  4. Who can disable two-factor authentication (the smart card logon requirement, a flag in userAccountControl) on a domain user account in Active Directory is controlled by who has sufficient Write Property - userAccountControl (bf967a68-0de6-11d0-a285-00aa003049e2) effective permissions on the domain user account.

  5. Who can change the membership of a domain security group in Active Directory is controlled by who has sufficient Write Property - member (bf9679c0-0de6-11d0-a285-00aa003049e2) effective permissions on the domain security group.

  6. Who can add/remove themselves to/from a(ny) domain security group in Active Directory is controlled by who has sufficient Validated Write - Add/remove Self as Member (bf9679c0-0de6-11d0-a285-00aa003049e2) effective permissions on the domain security group.

  7. Who can modify the access control list (ACL) of an Active Directory object is controlled by who has sufficient Modify Permissions effective permissions on the target Active Directory object.

  8. Who can change the ownership of an(y) Active Directory object is controlled by who has sufficient Modify Owner effective permissions on the target Active Directory object.

  9. Who can replicate secrets from the domain (e.g. via DCSync) is controlled by who has both the Extended Right - Get Replication Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) and the Extended Right - Get Replication Changes All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) effective permissions on the domain-root object; either one alone is not sufficient.

  10. Who can modify the ACL of the AdminSDHolder object in Active Directory is controlled by who has sufficient Modify Permissions effective permissions on the AdminSDHolder object in the System container.

Note - Operation 7 above can also be enacted by the owner of an Active Directory object, because the owner is implicitly granted Read Control and Modify Permissions on the object. Operation 8 above can also be enacted by any security principal that holds the Take Ownership user right (SeTakeOwnershipPrivilege) on the domain controllers, typically granted via the domain's Default Domain Controllers Policy.


As illustrated by these technical examples, access to literally every object in Active Directory is controlled and determined by who has sufficient effective permissions in Active Directory.

How to determine Active Directory Effective Permissions?

To identify, control, lock down and secure access in Active Directory, and to attain and maintain least-privilege access (LPA), one needs to be able to accurately determine effective permissions on Active Directory objects.

Generally speaking, there are 3 options for determining effective permissions in Active Directory -

  1. Use native Microsoft Tooling

    Given their paramount importance, native Active Directory management tools such as Active Directory Users and Computers and Active Directory Administrative Center provide an Effective Access tab (called Effective Permissions in older versions of Windows) in the Advanced Security Settings dialog of an object's Security tab, for the purpose of calculating effective permissions on Active Directory objects.

    One can use this tab to view the effective permissions that a specific user is granted on an Active Directory object. However, in practice and based on experience, its use seems limited as it appears to have a few drawbacks, notably - i) it may not always be entirely (100%) accurate, ii) it can unfortunately only be used to view the effective permissions of one user at a time, iii) its output is not very intuitive, and iv) it does not seem to be able to help identify which permission in the object's ACL entitles a specific user to an identified effective permission on the object.


  2. Manual calculation

    One can manually determine effective permissions on Active Directory objects, but this can be tedious and time-consuming.

    To do so, one can gain subject matter expertise (technical references provided below) and experience, then make these calculations manually (e.g. using PowerShell), taking into careful consideration all factors that influence access in Active Directory, notably its security model, ACLs, inheritance of permissions, precedence order, conflicting permissions (Allow vs Deny), group membership expansions and nesting etc.


  3. Use Professional Tooling

    One can use professional tooling, commonly known as an "Active Directory Effective Permissions Calculator", to make these determinations. Professional tools are usually not free, but offer the benefit of being purpose-built, capable, and trustworthy, and can save a lot of time and effort.

    A basic Google search for an "Active Directory Effective Permissions Calculator" is generally a standard starting point.
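The following Python block is an added example, not code from the original page or from any product it mentions. It is a small in-memory model of the access check that produces effective permissions, and it serves three passages above: the four-ACE user account in "An Example of Active Directory Effective Permissions", technical examples 7 and 9 (owner rights and the two replication rights needed for DCSync), and the "Manual calculation" option, which is exactly this kind of computation. Everything not quoted on the page is constructed for illustration: the group nesting in GROUPS, the principals DC01$, svc-sync, Helpdesk and Helpdesk-Tier1, and the DOMAIN_DACL entries. The model does not contact a domain, and property sets, inheritedObjectType filtering and generic-right mapping are deliberately left out, so a real determination must still be made against the live DACL.

```python
"""Access-check model that yields AD effective permissions (added example, not the page's code).

Evaluates an in-memory DACL the way the Windows access check does: canonical ACE order
(explicit deny, explicit allow, inherited deny, inherited allow), object-type ACEs keyed
by GUID, transitive group expansion and the owner's implicit rights. No domain is contacted;
property sets, inheritedObjectType filtering and generic-right mapping are not modelled."""
from dataclasses import dataclass
from typing import Optional

# Access-mask bits for directory objects (ADS_RIGHTS_ENUM / MS-ADTS 5.1.3.2).
LIST_CHILD, READ_PROP, WRITE_PROP, CONTROL_ACCESS = 0x4, 0x10, 0x20, 0x100
READ_CONTROL, WRITE_DAC, WRITE_OWNER, FULL_CONTROL = 0x20000, 0x40000, 0x80000, 0xF01FF
# Extended-right GUIDs quoted on the page.
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

@dataclass(frozen=True)
class Ace:
    allow: bool                        # True = ACCESS_ALLOWED(_OBJECT), False = DENIED
    trustee: str                       # principal name standing in for a SID
    mask: int                          # access-mask bits the ACE grants or denies
    object_type: Optional[str] = None  # GUID; None means every right in `mask`
    inherited: bool = False            # INHERITED_ACE flag

def canonical(dacl):
    """Explicit deny, explicit allow, inherited deny, inherited allow: the order AD stores
    ACEs in and the order the access check walks them."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def token_sids(principal, groups):
    """Security token: the principal, every group reached by nested membership, and the
    well-known Authenticated Users identity."""
    sids, todo = {principal, "Authenticated Users"}, [principal]
    while todo:
        p = todo.pop()
        for g, members in groups.items():
            if p in members and g not in sids:
                sids.add(g)
                todo.append(g)
    return sids

def has_access(principal, groups, owner, dacl, right, object_type=None):
    """True if `principal` is effectively granted `right` (one mask bit, optionally qualified
    by an object-type GUID) on an object with the given owner and DACL."""
    token = token_sids(principal, groups)
    # The owner is granted READ_CONTROL and WRITE_DAC before the DACL is consulted, so no
    # deny ACE can remove them (MS-DTYP 2.5.3.2); this is the page's note on operation 7.
    if owner in token and right in (READ_CONTROL, WRITE_DAC):
        return True
    for ace in canonical(dacl):
        if ace.trustee not in token or not ace.mask & right:
            continue
        # A non-object ACE (object_type None) covers every GUID, which is how a
        # "Deny All Extended Rights" entry blocks a specific right such as Reset Password.
        if ace.object_type is not None and ace.object_type != object_type:
            continue
        return ace.allow  # the first matching ACE decides
    return False          # nothing matched: denied by default

# Constructed directory data standing in for a domain (not taken from the page).
GROUPS = {"Domain Admins": {"Administrator"}, "Domain Controllers": {"DC01$"},
          "Helpdesk": {"Helpdesk-Tier1"}, "Helpdesk-Tier1": {"John Smith"}}

# The page's four-ACE user account, entered exactly as the text lists it.
USER_DACL = [
    Ace(False, "Authenticated Users", CONTROL_ACCESS),        # Deny all extended rights
    Ace(True, "John Smith", CONTROL_ACCESS, RESET_PASSWORD),  # Allow Reset Password
    Ace(True, "Authenticated Users", READ_PROP | READ_CONTROL | LIST_CHILD),
    Ace(True, "Administrator", FULL_CONTROL),
]
# A constructed domain root: DCs hold both replication rights, a service account only one.
DOMAIN_DACL = [
    Ace(True, "Domain Controllers", CONTROL_ACCESS, GET_CHANGES),
    Ace(True, "Domain Controllers", CONTROL_ACCESS, GET_CHANGES_ALL),
    Ace(True, "svc-sync", CONTROL_ACCESS, GET_CHANGES),
]

def can_reset_password(principal, owner="Domain Admins"):
    return has_access(principal, GROUPS, owner, USER_DACL, CONTROL_ACCESS, RESET_PASSWORD)

def can_dcsync(principal):
    """DCSync needs BOTH extended rights on the domain root (the page's technical example 9)."""
    return all(has_access(principal, GROUPS, "Domain Admins", DOMAIN_DACL, CONTROL_ACCESS, g)
               for g in (GET_CHANGES, GET_CHANGES_ALL))

def can_modify_acl(principal, owner, dacl):
    return has_access(principal, GROUPS, owner, dacl, WRITE_DAC)

if __name__ == "__main__":
    print("John Smith, Reset Password:", can_reset_password("John Smith"))            # False
    print("Administrator, Reset Password:", can_reset_password("Administrator"))      # False too
    print("Administrator, Modify Permissions:", can_modify_acl("Administrator", "Domain Admins", USER_DACL))
    print("DC01$ DCSync:", can_dcsync("DC01$"), "| svc-sync DCSync:", can_dcsync("svc-sync"))
    # Owner rights survive an explicit deny on the group through which the object is owned.
    print("Owner vs deny:", can_modify_acl("John Smith", "Helpdesk", [Ace(False, "Helpdesk", WRITE_DAC)]))
```

Two results are worth dwelling on. First, the page's own ACL denies Reset Password not only to John Smith but to Administrator as well, because Administrator is also an Authenticated User and the explicit deny is walked before the Full Control allow; Administrator nonetheless keeps Modify Permissions (the deny covers only extended rights, and Domain Admins owns the object), so the practical privilege is the ability to rewrite the ACL, which is why Modify Permissions and ownership deserve the same scrutiny as the rights they gate. Second, svc-sync holds Get Replication Changes but not Get Replication Changes All, so it cannot DCSync; a simple permissions listing would show a replication right on the domain root, while the effective-permissions check shows that it is not enough.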

Active Directory Security Technical Reference