6

I understand that both NTFS folders and AD objects use security descriptors and DACLs to check user/process access: MS Learn - How access check works

However, how does the access check resolve ACEs for nested AD groups? For example:

  • AD group AD-Parent is granted Modify rights on F:\Restrict
  • AD group AD-VIPs is a child of AD-Parent
  • User vip is a member of AD-VIPs

My understanding is that

  • vip security descriptor will have an ACE referring to AD-VIPs and
  • F:\Restrict DACL will have an ACE referring to AD-Parent

How and which process in Windows finds the `vip -> AD-VIPs -> AD-Parent` chain and grants access?

Grasshopper
  • 163
  • 5

2 Answers

6

During logon/authentication/authorization check, the security group memberships are added to the Privilege Access Certificate (PAC) part of the Kerberos token. This includes nested groups.

When a folder is accessed, the host with the resource (file server in this case) compares the SecurityIdentifiers in the ACL to the SecurityIdentifiers in the PAC of the Kerberos token. If there is a match, access is granted.

https://learn.microsoft.com/en-us/windows/win32/adschema/a-tokengroups

"A computed attribute that contains the list of SIDs due to a transitive group membership expansion operation on a given user or computer. Token Groups cannot be retrieved if no Global Catalog is present to retrieve the transitive reverse memberships."

Greg Askew
  • 35,880
  • 5
  • 54
  • 82
6

Let's start from the link you provided (emphasis mine):

The system compares the trustee in each ACE to the trustees identified in the thread's access token. An access token contains security identifiers (SIDs) that identify the user and the group accounts to which the user belongs.

In fact, "the group accounts to which the user belongs" is taken from the Kerberos Ticket the user received when he logged in. The ticket contains the SIDs of all of the groups that the user belongs to, regardless of whether the group is nested within another group or not.

Specifically, to answer your question:

How and which process in Windows finds the `vip -> AD-VIPs -> AD-Parent` chain and grants access?

This task is performed by the Domain Controller when generating a Ticket-granting Ticket (TGT) (typically, when the user logged in). The TGT contains the SIDs of all of the groups that the user belongs to.

You can do an experiment and see a bit of that with Process Explorer: Start Process Explorer, double click on a process started by a domain user (for example notepad.exe), click on the Security tab and here you'll be able to see the group membership even if the groups are nested.

[Screenshot: Security tab in Process Explorer]

Swisstone
  • 6,725
  • 7
  • 22
  • 32
  • 1
    All these years and I'd never thought of it like that. :) So you can also think of it as the UI letting you nest groups for ease of use, but as far as the system is concerned, it sees VIP as being a member of both AD-VIPs and AD-Parent. And since that's handled at login, that's also why changes to group memberships, like adding a user to a group, aren't picked up until the user next logs in, since the system is checking that ticket, not the current state of the user's memberships. – Keith Langmead Apr 26 '23 at 05:42
  • The process explorer tip is a gem! Thanks for posting – Grasshopper Apr 26 '23 at 07:25
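Both answers describe two separate steps: the domain controller expands nested memberships into a flat SID list when it builds the PAC (the tokenGroups view), and the file server later walks the folder's DACL against that list. The following Python model of those two steps is an added example, not code from either answer; the SIDs, group names and simplified right bits are constructed.

```python
# Added example (not from the original answers): a minimal model of the two
# steps the answers describe: the domain controller's transitive group
# expansion when it builds the PAC (the tokenGroups view), then the file
# server walking the folder's DACL, in order, against the token's SID set.
# All SIDs and group names are constructed sample values.
ALLOW, DENY = "allow", "deny"
READ, WRITE, DELETE = 0x1, 0x2, 0x4   # simplified right bits, not the NTFS mask layout
MODIFY = READ | WRITE | DELETE

# Constructed directory: group SID -> set of member SIDs (users or groups).
USER_SID = "S-1-5-21-1-2-3-1001"                       # vip
AD_VIPS, AD_PARENT = "S-1-5-21-1-2-3-2001", "S-1-5-21-1-2-3-2002"
GROUPS = {AD_VIPS: {USER_SID}, AD_PARENT: {AD_VIPS}}  # AD-VIPs nested in AD-Parent

def token_groups(principal, groups):
    """Transitive reverse membership: every group containing the principal
    directly or through a nested group (what tokenGroups reports)."""
    result, frontier = set(), {principal}
    while frontier:
        member = frontier.pop()
        for group_sid, members in groups.items():
            if member in members and group_sid not in result:
                result.add(group_sid)
                frontier.add(group_sid)
    return result

def access_check(dacl, token_sids, requested):
    """Walk ACEs in order: a matching deny ACE that overlaps still-needed
    rights fails the check, allow ACEs accumulate rights, and the walk stops
    as soon as everything requested has been granted."""
    granted = 0
    for ace_type, trustee, mask in dacl:
        if trustee not in token_sids:
            continue                      # trustee SID not in the token: skip
        remaining = requested & ~granted
        if ace_type == DENY and mask & remaining:
            return False
        if ace_type == ALLOW:
            granted |= mask & requested
            if granted == requested:
                return True
    return granted == requested

# F:\Restrict DACL from the question: only AD-Parent is named, not AD-VIPs.
RESTRICT_DACL = [(ALLOW, AD_PARENT, MODIFY)]

if __name__ == "__main__":
    token = {USER_SID} | token_groups(USER_SID, GROUPS)
    print(AD_PARENT in token, access_check(RESTRICT_DACL, token, MODIFY))
```

The file server never consults AD-VIPs or AD-Parent itself: it only matches ACE trustees against SIDs already in the token, which is also why a token built before a membership change still reflects the old memberships, as the comment above notes.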