Gold Finger 5.0 Review - Incredibly Powerful, Unique

Last year I evaluated Gold Finger 4.0, an Active Directory security tool from a Microsoft partner, Paramount Defenses. Earlier this week, I received an email informing me about the availability of a new version, 5.0, so I checked it out. This is my review of Gold Finger 5.0 -


My Verdict – The Most Capable Active Directory Security Analysis Tool Out There


Over the years, I've tried many Active Directory tools to solve various problems, including many Microsoft utilities and many 3rd party tools. In my experience, a good tool is one that can help me solve my difficult problems and is easy to use, reliable and trustworthy. In that regard, of the many tools I've tried, Gold Finger 5.0 is certainly the most capable.

Here’s Why –

Q. What is one of the biggest challenges we all face when managing Active Directory?

At any given point in time, trying to find out who has what access, effective-access and delegated-access in our Active Directory deployments, given its ocean of permissions.

Here's the difference between access, effective-access and delegated access –
  • Access – Who has what permissions, where, which ones & how.
  • Effective-Access - Who has what effective-permissions on an AD object.
  • Delegated-Access - Who is delegated which admin tasks where in an AD tree.

Without answers to these 3 basic questions, it is very difficult to secure Active Directory.

It turns out that these 3 problems are very difficult to solve, because of 3 main reasons –
  • The problem size is large, anywhere from 100 to 100K objects in an AD
  • Permissions can be changed by many administrators, anytime
  • AD's security model is complicated, making analysis very difficult.

It is no wonder that while there are many AD tools available today that can help with basic reporting, there are no tools available that can actually provide the insight we all need into the oceans of permissions in our Active Directory, to find out who has what access, what effective-access and what delegated-access.


This Tool Can

In my opinion, Gold Finger 5.0's unique capabilities seem to set a new bar for Active Directory security tools -
  1. Customized Active Directory Security Reports
  2. Complete Nested Group Membership Reports
  3. A Unique, Powerful Detailed ACL Viewer
  4. A Bulk (Tree-wide) Active Directory ACL Exporter
  5. A Powerful Active Directory Permissions Analyzer
  6. An Accurate Effective Permissions Analyzer
  7. A Per-Object Effective Delegated Access Analyzer
  8. A Tree-wide Effective Delegated Access Analyzer

The availability of these Active Directory security capabilities in a single tool delivers immense power, because it lets you find out exactly who has what power in Active Directory.

Although the first two capabilities are available in many tools, capabilities 3 – 8 build on each other, and the information this tool lets you gather and analyze is very valuable.

You can analyze the ACL of any AD object, export it, find out who has what effective permissions on it, and who is delegated what tasks on it, automatically.

You can also export the ACLs of all AD objects in any tree (e.g. OU, container or domain), find out who has what permissions, where in the tree, and how, and also find out exactly who is delegated what tasks in the tree, where and how, automatically.

To be able to do all this takes a lot of effort and time. To make it this easy is extremely difficult, and in my opinion, this may very well be why it's endorsed by Microsoft.

There are also some nice-to-have features like the ability to bind to a specific domain controller, the ability to customize any security report with an LDAP filter, the ability to create your own LDAP custom filter library, the ability to use alternate credentials to bind to AD, and the ability to generate custom PDF reports (i.e. with a custom title, heading, fields and a logo.)


Gold Finger 5.0 Demo

There are way too many capabilities and features in the tool for me to review, so I'm just going to share with you a demo that I found on YouTube, and a few helpful links I found.



Snapshots and Demos -

Personally, as a techie, I've always found snapshots and demos to be quite telling, so I looked around and found a few snapshots and demos -
  1. A set of demos and snapshots
  2. A list of technical capabilities

Summary

It seems to me that a lot of thought went into making this tool valuable for AD admins. From its capabilities to the available options, they seem to have gotten the tool right this time around. It's sort of like the iPhone of AD tools - innovative, valuable, yet so simple to use, you'd wonder why no one thought of making it until now.

All in all, quite impressed.


DISCLAIMER:  This is just my opinion. I suggest forming your own opinion based on your own experience. I believe they still give out free 21-day trials. (I got mine in a few minutes.)

+ Pros:  Its really useful capabilities, the Effective Permissions analyzer being #1 on my list

- Cons:  Some features from 4.0, like Scope Exclusion, seem to have been removed


Summary: In summary, Gold Finger 5.0 is a highly capable Active Directory Audit Tool, and it features numerous unique capabilities such as fully-automated Active Directory delegated access / delegation reports, and is the only accurate Active Directory Effective Permissions Tool I have found thus far.

Account Lockout Status (LockoutStatus.exe)


AloInfo.exe

AloInfo.exe is a free command-line tool provided by Microsoft that can be used to determine the password age of all domain user accounts in an Active Directory domain.


This can be helpful in situations where you’re trying to obtain a list of all domain user accounts whose password might be about to expire, perhaps to inform them, or to take some other administrative action, or to troubleshoot frequent account lockout issues.

The tool is rather easy to use, and the following is its usage -

aloinfo /expires /server:<Domain_Controller_Name>

Interestingly, one other use of this tool is that it can be used to obtain a list of all local services and startup account information for a user who is currently logged on.

On a related note, if you're looking for a tool that can provide a wealth of information related to passwords, last-logon time-stamps, account expirations, staleness, failed password logons, account creation, change and deletion dates, etc., then it's worth looking at this Active Directory reporting tool.

+ Pros: Free, Can be pointed at a specific Domain Controller, Can help identify accounts whose password might be about to expire

- Cons: Provides console output, Can't generate presentable reports, No CSV output

Download Point: You can download AloInfo.exe from here.

Summary: AloInfo is a helpful tool that is designed for a specific purpose. As a reporting tool, it fulfills its intended design goals well, but account lockout and related information can also be obtained with the help of scripts or other free tools such as adfind.
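The same "whose password is about to expire" report that AloInfo prints to the console can be produced as CSV with the ActiveDirectory PowerShell module (RSAT). The script below is an added example written for this review, not part of the original post and not AloInfo's own code; it assumes the ActiveDirectory module is installed, and the DC name, the 14-day window and the output path are constructed sample values. It reads the constructed attribute msDS-UserPasswordExpiryTimeComputed, so fine-grained password policies are honoured, and it treats the two special values (never expires, must change at next logon) explicitly.

```powershell
# Added example (not from the original post or from AloInfo.exe): list enabled
# domain users whose password has expired or expires within N days, as CSV.
# Requires the ActiveDirectory module (RSAT). Server name is a constructed value.
Import-Module ActiveDirectory

function Get-ExpiringPasswordReport {
    param(
        [int]    $WithinDays = 14,
        [string] $Server     = ''     # optional: pin the query to one DC, like aloinfo /server:
    )
    $queryArgs = @{
        # PasswordNeverExpires is derived from userAccountControl; filtering on it is supported.
        Filter     = { Enabled -eq $true -and PasswordNeverExpires -eq $false }
        Properties = 'pwdLastSet', 'msDS-UserPasswordExpiryTimeComputed'
    }
    if ($Server) { $queryArgs.Server = $Server }

    $now      = Get-Date
    $deadline = $now.AddDays($WithinDays)

    Get-ADUser @queryArgs | ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # Int64.MaxValue (or no value) means no expiry applies to this account: skip it.
        if ($null -eq $raw -or $raw -eq [Int64]::MaxValue) { return }
        # 0 means the password must be changed at next logon (pwdLastSet was reset).
        $expires = if ($raw -eq 0) { $null } else { [DateTime]::FromFileTime($raw) }
        if ($null -eq $expires -or $expires -le $deadline) {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                PasswordLastSet = if ($_.pwdLastSet) { [DateTime]::FromFileTime($_.pwdLastSet) } else { $null }
                ExpiresOn       = if ($expires) { $expires } else { 'at next logon' }
                # negative = already expired; 0 = must change at next logon
                DaysLeft        = if ($expires) { [math]::Round(($expires - $now).TotalDays, 1) } else { 0 }
            }
        }
    } | Sort-Object DaysLeft
}

# Usage with constructed values: one DC, 14-day window, CSV for the helpdesk.
Get-ExpiringPasswordReport -WithinDays 14 -Server 'dc01.corp.example' |
    Export-Csv -Path .\expiring-passwords.csv -NoTypeInformation
```

Drop the -Server argument to let the module pick a DC; keep it when you want the same DC that aloinfo /server: would talk to, since pwdLastSet changes still need time to replicate.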

Active Directory Administrative Center

Active Directory Administrative Center is essentially the new administration interface for Active Directory that provides network administrators with an enhanced Active Directory data management experience and a rich graphical user interface (GUI).


Active Directory Administrative Center

It comes standard with Windows Server 2008 R2 and it can be used to perform common Active Directory object management tasks through both data-driven navigation and task-oriented navigation. It is meant to be the replacement of the Active Directory Users and Computers (ADU&C) snap-in and it certainly offers an enhanced management experience for IT administrators.

It can be used to manage domain user and computer accounts, domain security groups and of course Organizational Units and containers. It can also be used to filter data by using query-building search.

One of the key benefits of the Active Directory Administrative Center is that it can be used to manage objects across multiple domains, as long as they belong to the same Active Directory forest, or there exists a trust path between the local and the target domain.

One neat new feature of the Active Directory Administrative Center is the breadcrumb bar, which can be used to directly enter the location of a specific Active Directory object, so that you can directly navigate to that object.

Another neat feature is that it can be used to query the Active Directory based on richer criteria, such as finding a list of locked-out user accounts. It falls short, however, in providing accurate last-logon information, because it does NOT query each DC but instead relies on the approximation provided by the lastLogonTimeStamp attribute.

Although Active Directory Administrative Center is not big on reports, I have found that when you complement it with a dedicated Active Directory reporting tool, you can have a complete (well, almost) Active Directory management and reporting solution at your disposal.


You can open the Active Directory Administrative Center in one of two ways - you can either click Start, then select Administrative Tools, then click on Active Directory Administrative Center, or you can click Start, then click Run, and then type dsac.exe.

It can currently only run on the Windows Server 2008 R2 operating system (and on Windows 7 clients using RSAT), and it cannot be used to manage Active Directory Lightweight Directory Services (AD LDS) instances and configuration sets.

It is not without its downsides, however: it cannot be used to generate pretty-printed reports, which might be needed for security audits and compliance reporting, as the best one can do is perhaps export to CSV.

Also, because under the hood the Active Directory Administrative Center is powered by PowerShell, while it is certainly more powerful than its predecessor, the Active Directory Users and Computers MMC snap-in, it can be sluggish at times.

+ Pros: Free, Offers Multi-domain Active Directory data management, provides basic Active Directory querying capabilities, enables instant navigation to an Active Directory object, Can generate simple account management type reports


- Cons: Limited in its ability to generate custom (advanced) IT management and security reports (e.g. True Last Logons etc), Currently only runs on Windows Server 2008 R2 and Windows 7 (using RSAT), Relies on PowerShell

Download Point: Ships along with Windows Server 2008 R2, so will be automatically available when you DCPROMO the Windows Server 2008 R2 machine. Alternatively, you can download and install the Remote Server Administration Tools (RSAT) on a Windows Server 2008 R2 server or a Windows 7 machine. Alternatively, you can download it from here.

Summary: In summary, the Active Directory Administrative Center is the first major revision to the Active Directory data management tools since the initial release of Active Directory way back in 2000. It certainly offers numerous visual and capability enhancements, but it is neither intended to nor able to replace the need for a dedicated, professional-grade Active Directory audit tool.

Free / Useful Active Directory (AD) Reporting Tools

This is a blog on Free as well as useful Active Directory Reporting Tools. It covers some Active Directory reporting tools that are free and others that are not free but very useful as well. These Active Directory tools can help IT administrators and Network Engineers in day-to-day Active Directory management and reporting.

Active Directory reporting is an integral component of Active Directory management, so it is my hope that my research on these tools will help fellow IT admins make their jobs easier. If you have any questions about any of the Active Directory reporting tools I have researched here, please drop me a comment and I will do my best to answer any questions you may have.

Thanks for stopping by. If you like any of my reviews, and have a blog of your own, you are welcome to add a link to my little blog from your blog. Thank you for your support.

- Marc.

The free/useful Active Directory Reporting Tools covered on this blog can fulfill a variety of needs, such as auditing inactive user accounts in Active Directory, obtaining account lockout status information with an Account Lockout Status Tool, enumerating lists of OUs and containers, and easily viewing Active Directory ACLs.

ADFind

ADFind is a helpful Active Directory search utility that you can use to query the Active Directory. It is developed by Joe Richards, an IT admin who is also a Microsoft MVP who runs ActiveDir.org.

It can be used to query the Active Directory for user accounts, groups, OUs, containers, Schema elements and other resources based on a variety of advanced search criteria. It is a command-line tool and once you have learnt its command line options, it is rather easy to use.


ADFind is a helpful AD search tool and it runs on numerous operating systems ranging from Windows XP to Windows Server 2008. Although LDP.exe can do everything ADFind can, the advantage of AdFind is that it can be run from the command-line. The only noticeable downside is that it is not supported.

Although ADFind is free, and that's good, it's not supported, so one can tend to get stuck on one's own, especially when encountering issues, and the downside of that is that it sucks up time.

+ Pros: Free, Command-line, Can be used for most advanced LDAP querying and reporting as long as you know LDAP, Portable

- Cons: Unsupported, No advanced reports such as True-Last-Logon etc., Not sure how secure it is, or if it is signed.
 
Summary: AdFind is a very good and useful command-line AD reporting tool and can be used to generate numerous basic reports. It falls short in terms of being able to fulfill advanced needs though, such as in helping admins audit Active Directory access correctly.
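The "not sure how secure it is, or if it is signed" concern above is one any downloaded admin utility raises, and it is cheap to check before the binary is run on a domain-joined machine. The script below is an added example written for this review, not part of the original post and not from ADFind's author; it assumes PowerShell 4 or later (for Get-FileHash), and the file path and expected hash are constructed placeholders to be replaced with the real file and a hash obtained from the vendor's download page or a previously verified copy.

```powershell
# Added example (not from the original post): pre-flight check for a downloaded
# admin tool. Records the SHA-256 hash and inspects the Authenticode signature
# so the decision to run it is made on evidence rather than on the file name.
# Path and expected hash below are constructed placeholders.

function Test-DownloadedTool {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSha256 = ''    # optional; from a trusted source, never from the download itself
    )
    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash   # uppercase hex
    $sig  = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path            = $Path
        Sha256          = $hash
        # $null when no reference hash was supplied, otherwise a plain comparison
        HashMatches     = if ($ExpectedSha256) { $hash -eq $ExpectedSha256.ToUpperInvariant() } else { $null }
        SignatureStatus = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Trusted         = ($sig.Status -eq 'Valid')
    }
}

# Usage with constructed values; an unsigned or tampered file is flagged, not blocked,
# so the admin still decides, but now with the hash recorded for later comparison.
$check = Test-DownloadedTool -Path 'C:\Tools\AdFind.exe' -ExpectedSha256 'PLACEHOLDER_SHA256_FROM_TRUSTED_SOURCE'
if (-not $check.Trusted) {
    Write-Warning "$($check.Path): signature status is $($check.SignatureStatus); verify the hash out of band before use."
}
$check
```

A NotSigned result is not by itself a verdict against a tool, but it does mean the hash comparison is the only integrity evidence you have, so keep the recorded hash with the copy you approved.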

Windows PowerShell

Windows PowerShell is a free, extensible automation engine from Microsoft, consisting of a command-line shell and an associated scripting language.

It is NOT (repeat it is not) a TOOL.

It is an automation engine that relies on the Microsoft .NET Framework and involves the execution of cmdlets which are basically specialized .NET classes which implement specific operations.

It can however be used to perform a variety of functions on the Windows Platform. It can also be used to query data from Active Directory and to perform common day-to-day aspects of AD management.



One advantage of using Powershell is that it makes it easy for IT admins to derive greater value out of their efforts in scripting so they can automate (at least parts of) common day-to-day IT management and reporting tasks. It also lets IT admins leverage the work of other admins as these scripts can be shared with the community.

The disadvantage of PowerShell is that it relies largely on the development of scripts and even though it makes it easier to derive greater value from scripts, it certainly leaves the possibility of human error. It also takes additional effort to generate reports that are in a presentable fashion and decent enough for submission for any audit or as regulatory compliance evidence.

In my research, I have found that the disadvantages of PowerShell can be made up with a good Active Directory Audit/Reporting Tool. However, there are many Active Directory reporting tools out there and it is difficult to select one that's right for you. In case it helps, I've found the best collection of Active Directory security tools here.

+ Pros: Free, Can be used to simplify day-to-day IT management tasks and perform basic AD reporting

- Cons: Limited in its ability to generate custom IT management and security reports (e.g. True Last Logon), Relies on scripts which can be prone to human-error, Relies on executing code written by someone else in a trusted environment

Download Point: To install PowerShell, you need to download and install the Windows PowerShell Installation Package

Summary: PowerShell for Windows is very powerful and can certainly help automate basic Active Directory reporting needs. However, there are still some things that are very difficult to do with PowerShell, such as how to correctly audit Active Directory permissions.
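The "True Last Logon" report that keeps coming up in the cons lists, and the Active Directory Administrative Center's reliance on the lastLogonTimeStamp approximation mentioned earlier, come down to one fact: lastLogonTimeStamp is replicated but is only refreshed when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default), whereas lastLogon is exact but is held per domain controller and never replicated. The script below is an added example written for this review, not part of the original post; it assumes the ActiveDirectory module (RSAT) and uses a constructed 90-day threshold and output path. It also shows the 64-bit time value conversion the LDP section refers to, since an LDAP filter compares these attributes as FILETIME integers.

```powershell
# Added example (not from the original post): a "true last logon" report.
# Pass 1 uses the replicated approximation in one LDAP query; pass 2 asks every
# DC for its own non-replicated lastLogon and keeps the newest value per user.
# Requires the ActiveDirectory module (RSAT). 90 days is a constructed threshold.
Import-Module ActiveDirectory

function Get-TrueLastLogonReport {
    param([int] $StaleDays = 90)

    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # LDAP compares lastLogonTimeStamp as a 64-bit FILETIME integer, so the
    # cut-off date is converted to that representation for the filter. The
    # bitwise matching rule 1.2.840.113556.1.4.803 on userAccountControl bit 2
    # (ACCOUNTDISABLE) keeps disabled accounts out of the report.
    $cutoffFileTime = $cutoff.ToFileTime()
    $ldapFilter = '(&(objectCategory=person)(objectClass=user)' +
                  '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
                  "(|(lastLogonTimeStamp<=$cutoffFileTime)(!(lastLogonTimeStamp=*))))"

    # Pass 1: the replicated approximation, one query against any DC.
    $candidates = Get-ADUser -LDAPFilter $ldapFilter -Properties lastLogonTimeStamp

    # Pass 2: same filter against every DC, remembering the newest lastLogon seen.
    $newest = @{}
    foreach ($dc in (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)) {
        try {
            $onDc = Get-ADUser -LDAPFilter $ldapFilter -Server $dc -Properties lastLogon -ErrorAction Stop
        } catch {
            Write-Warning "Skipping $dc (unreachable or query failed): $_"
            continue
        }
        foreach ($u in $onDc) {
            $t = [Int64]$u.lastLogon                       # $null -> 0 = never logged on at this DC
            if ($t -gt 0 -and $t -gt [Int64]$newest[$u.SamAccountName]) {
                $newest[$u.SamAccountName] = $t
            }
        }
    }

    foreach ($u in $candidates) {
        $exact  = if ($newest.ContainsKey($u.SamAccountName)) { [DateTime]::FromFileTime($newest[$u.SamAccountName]) } else { $null }
        $approx = if ($u.lastLogonTimeStamp) { [DateTime]::FromFileTime($u.lastLogonTimeStamp) } else { $null }
        [pscustomobject]@{
            SamAccountName     = $u.SamAccountName
            LastLogonTimeStamp = $approx    # replicated approximation, may lag by up to the sync interval
            TrueLastLogon      = $exact     # $null: no DC holds a lastLogon for this account
            StillStale         = ($null -eq $exact -or $exact -lt $cutoff)
        }
    }
}

# Usage: only accounts that are stale even by the exact measure, as CSV.
Get-TrueLastLogonReport -StaleDays 90 | Where-Object StillStale | Sort-Object TrueLastLogon |
    Export-Csv -Path .\stale-accounts.csv -NoTypeInformation
```

The accounts that appear in pass 1 but have StillStale = False are exactly the ones a lastLogonTimeStamp-only tool would report incorrectly; a DC that cannot be reached is skipped with a warning rather than silently treated as "never logged on", which is the failure mode that makes per-DC reports untrustworthy.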

dsacls

DsAcls is a free command-line utility provided by Microsoft that can be used to view and change security permissions on Active Directory objects.


dsacls

For all practical purposes, it is the command-line equivalent of the Security tab in the Properties dialog box for an Active Directory object in Active Directory tools, such as Active Directory Users and Computers.

It can be used to view the DACL of any Active Directory object. It can also be used to add a new permission or remove an existing permission from an Active Directory object. dsacls is a very useful tool because it can also be used to manage Active Directory security permissions from the command line.

One of the capabilities of dsacls is the ability to view effective permissions in Active Directory. AD effective permissions are very important for Active Directory security, because they help determine who actually has what delegated access rights on important Active Directory objects.

However, I have found that it is unable to accurately determine AD effective permissions, which unfortunately makes it difficult to rely upon. Upon some research I found that Active Directory Effective Permissions display incorrect information and thus cannot be relied upon.


+ Pros: Free, Can be used to view and modify the security permissions on a single Active Directory object

- Cons: Cannot be used to identify where all a user/group might have permissions in Active Directory, plus its effective permissions capability yields incorrect results.

Download Point: dsacls can be downloaded from here.

Summary: dsacls is a powerful command-line tool that can help view and dump/export Active Directory permissions/ACLs. It is free, however, and supported by Microsoft. Once you know how to use it well, it can also be used to analyze Active Directory permissions, although not as well as one could with a professional-grade Active Directory Permissions Analyzer.

dsrevoke

Dsrevoke is a command-line tool that can be used to identify the location of all permissions that may be specified for a specific user or group in a domain. It can also be used to remove all permissions specified for a particular user or group on OU objects as long as they are explicit in nature.



dsrevoke
It was primarily provided by Microsoft to complement the functionality provided by Microsoft's Delegation of Control Wizard, which can be accessed from the Microsoft Active Directory Users and Computers (ADU&C) snap-in and which is used to delegate administrative authority.

dsrevoke complements ADU&C by providing the ability to revoke delegated administrative authority.

+ Pros: Free, Can be used to find out where all a user or group has permissions specified in AD OUs

- Cons: Severely limited in its ability to find out where else a user/group has permissions, and/or identify where all a user/group has what type of permissions

Download Point: dsrevoke can be downloaded from here.

Tip: Although dsrevoke can be used to view Active Directory inherited/delegated permissions, if you're looking to do any kind of serious permissions analysis, check out Microsoft's acldiag tool.
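The gap both the dsacls and dsrevoke sections describe, a dump of one object's ACL on the one hand and explicit OU permissions for one principal on the other, can be closed with the ActiveDirectory module's AD: drive, which lets Get-Acl read Active Directory security descriptors. The script below is an added example written for this review, not part of the original post and not the code of either tool; it assumes the ActiveDirectory module (RSAT), and the OU distinguished name and principal name are constructed sample values. It walks a subtree, reports every ACE that names the principal, and resolves object-specific GUIDs to attribute, property-set and extended-right names so the output is readable.

```powershell
# Added example (not from the original post, dsacls or dsrevoke): find every ACE
# in an OU subtree that names a given principal, explicit by default (as dsrevoke
# reports them) or including inherited ACEs. For one object, dsacls "<DN>" shows
# the same DACL; this walks the whole tree. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Find-PrincipalAces {
    param(
        [Parameter(Mandatory)] [string] $Principal,    # 'CORP\HelpDesk' style, as shown by Get-Acl
        [Parameter(Mandatory)] [string] $SearchBase,   # DN of the subtree root
        [switch] $IncludeInherited                     # default: explicit ACEs only
    )
    # Build a GUID -> name map from the schema (attributes, classes) and the
    # Extended-Rights container (property sets, control access rights) once,
    # so object-specific ACEs show e.g. 'Reset Password' instead of a GUID.
    $rootDse   = Get-ADRootDSE
    $guidNames = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidNames[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                 -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
        ForEach-Object { $guidNames[[guid]$_.rightsGuid] = $_.displayName }

    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -Filter * | ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -ne $Principal) { continue }
            if ($ace.IsInherited -and -not $IncludeInherited) { continue }
            $appliesTo = if ($ace.ObjectType -eq [guid]::Empty) { 'All properties/rights' }
                         elseif ($guidNames.ContainsKey($ace.ObjectType)) { $guidNames[$ace.ObjectType] }
                         else { $ace.ObjectType.ToString() }
            [pscustomobject]@{
                Object      = $dn
                Type        = $ace.AccessControlType     # Allow / Deny
                Rights      = $ace.ActiveDirectoryRights
                AppliesTo   = $appliesTo
                Inheritance = $ace.InheritanceType       # None, All, Descendents, ...
                Inherited   = $ace.IsInherited
            }
        }
    }
}

# Usage with constructed values: explicit ACEs for the helpdesk group under one OU.
Find-PrincipalAces -Principal 'CORP\HelpDesk' -SearchBase 'OU=Staff,DC=corp,DC=example' |
    Format-Table Object, Type, Rights, AppliesTo, Inheritance -AutoSize
```

This lists where permissions are specified, which is the part dsrevoke is limited in; it does not compute effective permissions, which additionally depend on group nesting, inheritance order and deny-over-allow evaluation, and is the harder problem the post reserves for a dedicated analyzer.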

LDP.exe for Active Directory

Microsoft also provides a free Windows 2000 Support Tools utility called LDP.exe which can be used to perform Lightweight Directory Access Protocol (LDAP) searches against the Active Directory for specific information given specific search criteria.

LDP can be used to perform advanced LDAP queries against Active Directory, use a variety of LDAP controls, specify advanced connection, binding and search result options and view objects, object meta-data and raw Security Descriptors as well.


LDP
One advantage of LDP is that it is a standards-compliant Lightweight Directory Access Protocol (LDAP) client that allows users to perform operations (such as connect, bind, search, modify, add, delete) against any LDAP-compatible directory, such as Active Directory.

LDP can be used to specify and execute any valid LDAP query and thus generate reports which are more advanced than those generated via the standard Administrative MMC tools provided by Microsoft Windows Server. It can be used to generate advanced time-based reports as well but it requires you to specify all the technical details in LDAP parlance, which can make it a little cumbersome unless you're adept at writing LDAP queries and performing 64-bit time value conversions etc.

Tip: I first looked for ldp in the hope of being able to find which users have restricted logon hours specified in our AD. Unfortunately, I could not do so with LDP, since analyzing logon-hours takes a bit more work.
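The logon-hours analysis that took "a bit more work" than an LDP query is a matter of decoding the logonHours attribute: 21 bytes, 168 bits, one bit per hour of the week, where a set bit permits logon. The script below is an added example written for this review, not part of the original post and not LDP's code. It assumes, as stated in the code, that bit 0 of byte 0 is Sunday 00:00 and that the bitmask is expressed in UTC; the sample bitmask is constructed so the decoder runs without a domain, and the final function queries the directory with the ActiveDirectory module.

```powershell
# Added example (not from the original post): decode the logonHours attribute.
# Assumptions: 21 bytes = 168 hour-bits, bit 0 of byte 0 = Sunday 00:00, UTC.
# A missing attribute (or all bytes 0xFF) means no logon-hour restriction.

function ConvertFrom-LogonHours {
    param([byte[]] $Bytes)
    $days    = 'Sun','Mon','Tue','Wed','Thu','Fri','Sat'
    $allowed = @{}
    foreach ($d in 0..6) {
        $hours = @()
        foreach ($h in 0..23) {
            $bit = $d * 24 + $h
            # byte index = bit / 8, bit within byte = bit % 8 (least significant first)
            if ((($Bytes[$bit -shr 3]) -shr ($bit -band 7)) -band 1) { $hours += $h }
        }
        $allowed[$days[$d]] = $hours
    }
    $allowed   # day name -> array of permitted UTC hours
}

function Test-LogonHoursRestricted {
    param([byte[]] $Bytes)
    if ($null -eq $Bytes -or $Bytes.Count -ne 21) { return $false }   # absent = unrestricted
    foreach ($b in $Bytes) { if ($b -ne 0xFF) { return $true } }
    $false
}

# Constructed sample: logon permitted Monday to Friday, 08:00-17:59 UTC only.
$sample = New-Object byte[] 21
foreach ($d in 1..5) {
    foreach ($h in 8..17) {
        $bit = $d * 24 + $h
        $sample[$bit -shr 3] = $sample[$bit -shr 3] -bor (1 -shl ($bit -band 7))
    }
}
Test-LogonHoursRestricted $sample
(ConvertFrom-LogonHours $sample)['Mon']

# Against the directory (ActiveDirectory module / RSAT required): every enabled
# user that carries a restriction, with the decoded schedule.
function Get-RestrictedLogonHourUsers {
    Get-ADUser -Filter { Enabled -eq $true } -Properties logonHours |
        Where-Object { Test-LogonHoursRestricted $_.logonHours } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                AllowedHours   = ConvertFrom-LogonHours $_.logonHours
            }
        }
}
```

The decoder deliberately reports hours in UTC as stored; ADUC shifts the display to the local time zone of the admin's machine, which is a common source of confusion when a schedule "looks wrong" by a few hours.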

All in all, it's a good tool to have and use if you want to look under the hood of your Active Directory. Another helpful tool to consider if you need to perform advanced AD security analysis is this one.

+ Pros: Free, Can be used for advanced LDAP querying and basic AD reporting

- Cons: Limited in its ability to generate custom IT management and security reports (e.g. True Last Logon)

Download: ldp.exe is a part of the Windows Server 2003 Service Pack 2 32-bit Support Tools set and can be downloaded from here.

Standard Microsoft Active Directory Management Tools (Active Directory Users and Computers)

Microsoft Windows Server ships with a standard set of Microsoft Management Console (MMC) snap-ins that can be used to manage various aspects of Active Directory, including managing your OU hierarchy, implementing your delegation model, and creating, modifying and managing the life-cycle of user accounts and security groups.

  

Active Directory Users and Computers

There are four MMC Snap-Ins that can help you manage various aspects of AD -

  1. Active Directory Users and Computers Snap-In - This MMC snap-in, also known as ADU&C, is the main tool used to create and manage your Active Directory hierarchy, create and delete OUs and Containers, and create and manage user accounts, security groups and other IT resources.
  2. Active Directory Domains and Trusts Snap-In - This snap-in is used to establish, configure and manage trust relationships between various domains and forests. You can use it to create shortcut trust relationships, external trust relationships, and cross-forest trust relationships as well.
  3. Active Directory Sites and Services Snap-In - This snap-in is used to define, configure and maintain Active Directory sites, subnets, site-to-subnet mappings and perform other tasks related to site and subnet management.
  4. ADSIEdit.msc - This is a special and very handy snap-in that can be used to access and edit all attributes of all objects in Active Directory. It is particularly helpful if you wish to make modifications to uncommon attributes, and/or create a new object of any of the classes defined in the Schema.

If you're an IT administrator responsible for AD management, then you probably already know about the common set of administrative tools that ship with Windows Server, but nonetheless, I thought I'd mention them here for anyone starting out in AD administration.

+ Pros: Free, Come with Windows, Can be used for AD management, Good for Basic Search and Reporting

- Cons: Very limited in their ability to generate advanced and/or custom management and security reports

Download Point: To install these tools, you need to download and install the Windows Server 2003 Administration Tools Pack, which I believe can be found here.