D.3 Security Scans — Active Directory File Systems

Table D-4 Permission Scan Capabilities for Active Directory Environments

Windows Component

Supported

Notes

Share Permissions

 

Security Descriptors

Includes the ACLs and ACEs, owner, and all ACE and security descriptor flags. However, only security descriptors for folders are currently collected. Additionally, deny ACEs are not factored into calculations for Permission by Identity or Permission by Path reports.

Universal Security Groups

 

Global Security Groups

 

Local Security Groups

The local security groups themselves are collected, but group memberships for local security groups are not currently processed.

Nested Group Memberships

Nested group membership is collected as a flat list of all intermediate and leaf groups, users, and other security principals. The hierarchy of group nesting is not currently preserved.

Primary Groups

 

Local Security Authority (LSA) Privileges

LSA privileges are not currently collected.