Monday, October 29, 2012

Gold Finger 5.0 Review

Today, I am going to share my review of the Gold Finger 5.0 Active Directory Audit Tool.

I first came across version 2.0 of Gold Finger three years ago. Back then the tool was in its infancy, as opposed to where it is today. The latest version as of today is version 5.0 and in comparison to where the tool was at 3 years ago, I must say that the tool has been improved almost 10x times. I passed on it 3 years ago, but it is definitely #1 on my wish-list now.

Gold Finger for Active Directory - Version 5.0 Review

Gold Finger 5.0 is the latest version available as of today, and its developers seem to have packed some very powerful capabilities in a single tool, all sharing a simple, minimalistic interface -

Gold Finger 5.0 for Active Directory


I suppose the best way to review it is to review its capabilities, which range from basic security reporting to advanced delegated access reports, as listed below -
  1. Active Directory Security Reporter
  2. Active Directory Group Membership Reporter
  3. Active Directory Token Viewer
  4. Active Directory ACL Viewer & ACL Exporter
  5. Active Directory Permissions Analyzer
  6. Active Directory Effective Permissions Analyzer
  7. Active Directory Effective Delegated Access Reporter
In my opinion, this could very well have been 7 different products each, because at least for the first 5 capabilities, I know of products that offer just each one of these capabilities as an entire product. So for a company to have packed 7 of these capabilities into a singe product is rather impressive.

Active Directory Effective Delegated Access Reports

Of course, the core ability of this product is the ability to generate effective delegated access reports, which is a capability I have not seen in any other solution from any other vendor, including several prominent vendors like Microsoft, Hewlett Packard, Quest Software, Symantec, McAfee, CA etc.

Gold Finger 007 Edition - Active Directory Effective Delegated Access Reporter

I suppose this might be because it is actually a well known fact that it is very difficult to generate effective delegated access reports in Active Directory.

This is primarily because it is extremely difficult to automate trying to find out who is delegated what access in Active Directory, given the sheer complexity involved involved in the process, as well as the different ways in which an Active Directory deployment can be configured.

Active Directory True Effective Permissions

In addition, this also happens to be the only tool that can correctly determine effective permissions in Active Directory.

Gold Finger 006 Edition - Active Directory Effective Permissions Analyzer

This capability too is a must-have capability for Active Directory security, and because the effective permissions calculator in Active Directory is admittedly inaccurate, the availability of this capability is a huge win for Active Directory environments because it is virtually impossible to secure any Active Directory deployment without knowing who is provisioned what effective permissions in that deployment.

Active Directory Permission Analyzer

Then, there is the Permissions Analyzer capability, which is one of the best I've seen in a tool. In fact, there are hardly any other tools available that can analyze permissions in Active Directory. (The only one I know of is a free unsupported tool built in Germany called LIZA, which seems more like a hacker's tool than an admin tool, especially given the many warnings on its download page.)

Gold Finger 005 Edition - Active Directory Permissions Analyzer

One of the best aspects of its permissions analyzer capability is that it gives IT admins complete flexibility in being able to specify what kind of permission to search for, and that it can also search for custom Schema elements including customer classes, properties, and permissions. So for example if you have a new custom Active Directory class defined in your Schema, and wish to search for all objects on which someone has Create Child permissions for that object, you can do so very easily.

Active Directory ACL Viewer and ACL Exporter

The ACL Viewer and ACL Exporter capabilities are also quite valuable, in that not only do they let you export/dump all the ACLs of all the objects in any scope of your choice, but they also let you analyze an Active Directory object's ACL in complete detail, by touching a single button.

Gold Finger 004 Edition - Active Directory ACL Viewer and ACL Exporter

One of the unique features of the ACL viewer on this tool is that it can breakdown individual permissions into individual columns, thus letting you sort the entire ACL by a specific permission.

For example, you can use it to instantly identify all ACEs that grant someone Extended Right permissions either individually (e.g. CR) or as a combination of permissions (e.g. RPWPCRLC).

This, in my little opinion, is very helpful when you're trying to identify which ACEs end up granting a specific kind of permission on an Active Directory object.

Windows Access Token Viewer

Its Token Viewer capability is also a first of its kind, and it is the only Windows Security Access Token Viewer I know of or have come across in my research.

Gold Finger 003 - Active Directory and Windows User Access Token Viewer

Like the Effective Permissions capability for Active Directory, this capability too is a must-have capability for Active Directory and Windows Security, because it lets IT administrators see exactly what SIDs what show up in another user's token.

(It is trivial to see what SIDs show up in one's own token, but it is very difficult to see what SIDs show up in another user's token, because the contents of a user's token are dependent on the domain of the user account as well as the domain of the machine onto which the user is logging on.)

Active Directory Group Membership Reporter

Its Group Membership Reporting capabilities also seem to be have been built with two specific usage scenarios in mind, i.e. enumerating all the members of a security group as well as trying to enumerate all the groups to which a user belongs.

Gold Finger 003 Edition - Active Directory Group Membership Reporter

Each of the report membership capabilities also takes nested group memberships into account, as well seemed to have the ability to correctly determine dynamic group memberships as well, such as those of the well-known RIDs Domain Users, Domain Computers etc.

Active Directory Security Audit Reports

Finally, its most basic capability, Security Audit Report generation could very well have been a stand-alone product in itself as well.

Gold Finger 002 Edition - Active Directory Security Audit Reports

I say so because it is a fully-featured security reporter complete with 100 builtin security reports, each of which is customizable via custom LDAP filters, and with the ability to analyze output, export it to a CSV file as as well as generate customizable PDF reports.

Some of these basic reports include true last logon reports as well. Another feature I liked was the ability to use alternate credentials as well as target specific domain controllers which can be helpful in many situations.

Capability Summary

All in all, in terms of capabilities, this tool is truly a powerhouse packed with virtually every Active Directory security analysis capability you could think of or need to analyze, assess and audit Active Directory content. I don't know of a single other tool or even a set of tools combined that deliver the capabailities that this single tool does, all made as easy as touching a button.

The Best Part - Choice

Personally, one of the best aspects of this tool is its licensing model. It is available in seven different editions, numbered 001 through 007, and although that might sound too many or confusing, it in fact is very logical, because each edition offers exactly the number of capabilities as is the edition, and there appears to be an order with 1 for the basic security reporting capability all the way to 7 for the delegated access reporting capability.

Gold Finger Editions Comparison

So for instance, if you interested in a specific capability, and had a budget to meet, you just need to identify the lowest edition that offers that capability, and you can license that edition, so you only pay for what you need. In a way, its like having the choice of being able to buy any one of 7 tools, each a different price-point, and I believe you can also upgrade to a a higher edition at a later point in time.

What Could be Improved

I've used it for almost two weeks now and I can really say that it seems to be very well thought out in many ways. It installs on any domain joined machine in a minute, requires no administrative access or rights to run, no agents to deploy, no SQL server, no services, nothing, and it does almost everything at a button's touch.

They seem to have left very few things to desire, and if I had to be picky, I suppose the only thing I can think of is that I don't think you can schedule report generation or have reports emailed to you.

But in light of the fact that it does in 5 minutes what take me 5 months, i.e. find out and show me exactly who is delegated what access in an entire domain, I suppose I cannot complain.

A Note about the Trial Process

One last thing that caught my attention was the trial process. I requested by trial by filling a simple form on their website, and within an hour, I received a customized download link for my unique customized license, complete with my name, and my company's name in the license.

I was expecting a sales call, but I was quite pleasantly surprised to see that no one bothered me with a phone call. The only email I received was from a technical specialist who said that they won't bother me with a single email or phone call, but if I had any questions, or needed any help, they are just an email away. That I thought was a refreshing change from the usual, wherein, I've seen everything from a call a day to some really smart pushy salesmen trying to sell me stuff I don't need and so on.

Refreshing indeed.


All in all, I was very pleased with Gold Finger. I think it is a must-have tool for any serious Active Directory admin, because it delivers on all the capabilities that are essential for Active Directory Security and yet are missing from Windows Server.

  • Picture Credits Disclaimer - The images used in my review I have taken the liberty to reproduce (copy) from the vendor's website. I wanted to acknowledge the source of any images used in case there are any copyright issues.

Its sheer power is only outdone by the simplicity with which you can use it - being able to find out who is delegated what administrative tasks on all objects in an entire domain at the touch of a button, is undoubtedly very impressive.

If I had to pick one element that struck me most, its that they let you try the tool in any environment to test it and see for yourself just how capable and easy this tool is to use.

To me, that's huge, because that's where the rubber hits the road, so when you can try it in your own production environment in real-time, any doubt in its impressive capabilities is put to rest. I was a bit skeptic before I tried it, because there's no other tool that can touch in terms of its capabilities, but when I tried it, and saw it in action, I became a fan, in awe, in just 10 minutes.

Active Directotry Toolkit

This tool, in my humble opinion, has earned its space in the toolket of every Windows/Active Directory admin, and is a must-have for Active Directory.

If you want to try it out, here's where to get it from -

LDP for Active Directory (LDP.exe)

LDP is a free utility provided by Microsoft for viewing, searching and modifying Active Directory content.
It is provided as a part of the Windows 2000 Support Tools utility and it can be used to perform Lightweight Directory Access Protocol (LDAP) searches against the Active Directory.

Specifically, LDP can be used to perform advanced LDAP queries against Active Directory, use various LDAP controls, as well as specify advanced connection, binding and search result options.
It can also be used to view all the properties of an Active Directory object, as well as view object meta-data and raw Security Descriptors.

One of the biggest advantages of LDP in addition to being free is that it is a standards-compliant Lightweight Directory Access Protocol (LDAP) client that allows users to perform operations (such as connect, bind, search, modify, add, delete) against any LDAP-compatible directory, such as Active Directory.

LDP can also be used to issue and execute any valid LDAP query so it can be used to generate basic reports as long as you can specify the appropriate LDAP filters for the reports you have in mind.
It can also be used to generate advanced time-based reports, such as to identify list of failed logon attemps, account creations and delegations, recent changes etc, but it requires you to specify all the technical details in LDAP parlance, which can make it a little cumbersome unless you're adept at writing LDAP queries and performing 64-bit time value conversions etc.

Its a very helpful tool to have if you want to get under the hood of your Active Directory content and if you want to modify Active Directory content. It can also be used to perform basic Active Directory Security Analysis, but it is not the best tool to perform an Active Directory Security Audit.

Wednesday, June 30, 2010

Active Directory Administrative Center

Active Directory Administrative Center is the new administration interface for Active Directory that provides network administrators with an enhanced Active Directory data management experience and a rich graphical user interface (GUI).

It comes standard with Windows Server 2008 R2 and it can be used to perform common Active Directory object management tasks through both data-driven navigation and task-oriented navigation. It is meant to be the replacement of Active Directory Users and Computer (ADU&C) Snap-In and it certainly offers an enhanced management experience for IT administrators.

It can be used to manage domain user and computer accounts, domain security groups and of course Organizational Units and containers. It can also be used to filter data by using query-building search.

One of the key benefits of the Active Directory Administrative Center is that it can be used to manage objects across multiple domains, as long as they belong to the same Active Directory forest, or there exists a trust path between the local and the target domain.

One neat feature is that it can be used to query the Active Directory based on richer criteria, such as the to find a list of locked user accounts. It however falls short in providing accurate information on last logons, as it does NOT query each DC, but instead relies on the approximation method which is based on the lastLogonTimeStamp attribute.

You can open the Active Directory Administrative Center is one of two ways - you can either click Start, then select Administrative Tools, then click on Active Directory Administrative Center, or you can click Start, then click Run, and then type dsac.exe.

It is not without its downsides however in that it cannot be used to generate pretty printed reports which might be needed for security audits and compliance reporting, as the best one can do is perhaps export to CSV.

Also, because under the hood Active Directory Administrative Center, It is powered by PowerShell, and so while it is certainly more powerful than the its predecessor, the Active Directory Users and Computer MMC Snap-In, it can be sluggish at time.

Friday, June 11, 2010

Windows PowerShell

The Windows Powershell from Microsoft is a free extensible automation engine from Microsoft, consisting of a command-line shell and associated scripting language.

It is an automation engine that relies on the Microsoft .NET Framework and involves the execution of cmdlets which are basically speicialized .NET classes which implement specific operations.

It can however be used to perform a variety of functions on the Windows Platform. It can also be used to query data from Active Directory and to perform common day-to-day aspects of AD management.

One advantge of using Powershell is that it makes it easy for IT admins to derive greater value out of their efforts in scripting so they can automate (at least parts of) common day-to-day IT management and reporting tasks. It also lets IT admins leverage the work of other admins as these scripts can be shared with the community.

The disadvantage of PowerShell is that it relies largely on the development of scripts and even though it makes it easier to derive greater value from scripts, it certainly leaves the possibility of human error. It also takes additional effort to generate reports that are in a presentable fashion and decent enough for submission for any audit or as regulatory compliance evidence.

Wednesday, May 12, 2010

Essential Active Directory Tools

Microsoft's Active Directory technology is central to IT management in Windows Server deployments, and thus its own management is important as well.

With the right tools, Active Directory can be easily and efficiently managed, secured and supported.

There are a lot of tools out there for Active Directory management and reporting, and in this blog, we will share our knowledge of the most helpful and useful tools for Active Directory management with you, and which rightfully and essentially belong in every serious IT admin's toolkit.