My Verdict– The Most Capable Active Directory Security Analysis Tool Out There
Over the years, I've tried many Active Directory tools to solve various problems, including many Microsoft utilities and many 3rd party tools. in my experience, a good tool is one that can help me solve my difficult problems and is easy to use, reliable and trustworthy. In that regard, of the many tools I've tried, Gold Finger 5.0 is certainly the most capable tool I've tried.
Here’s Why –
Q. What is one of the biggest challenges we all face when managing Active Directory?
At any given point in time, trying to find out who has what access, effective-access and delegated-access in our Active Directory deployments, given it's ocean of permissions.Here's the difference between access, effective-access and delegated access –
- Access – Who has what permissions, where, which ones & how.
- Effective-Access - Who has what effective-permissions on an AD object .
- Delegated-Access - Who is delegated which admin tasks where in an AD tree.
Without answers to these 3 basic questions, it is very difficult to secure Active Directory.
It turns our that these 3 problems are very difficult to solve, because of 3 main reasons –
- The problem size is large, anywhere from 100 to 100K objects in an AD
- Permissions can be changed by many administrators, anytime
AD's security model is complicated, making analysis very difficult.
It is no wonder that while there are many AD tools available today that can help with basic reporting, there are no tools available that can actually provide the insight we all need into the oceans of permissions in our Active Directory, to find out who has what access, what effective-access and what delegated-access.
This Tool Can
In my opinion, Gold Finger 5.0 unique capabilities seem to set a new bar for Active Directory security tools -
- Customized Active Directory Security Reports
- Complete Nested Group Membership Reports
- A Unique, Powerful Detailed ACL Viewer
- A Bulk (Tree-wide) Active Directory ACL Exporter
- A Powerful Active Directory Permissions Analyzer
- An Accurate Effective Permissions Analyzer
- A Per-Object Effective Delegated Access Analyzer
Effective Delegated Access Analyzer
Although the first two capabilities are available in many tools, capabilities 3 – 8 build on each other, and the information this tool lets you gather and analyze is very valuable.
You can analyze the ACL of any AD object, export it, find out who has what effective permissions on it, and who is delegated what tasks on it, automatically.
You can also export the ACLs of all AD objects in any tree (e.g. OU, container or domain), find out who has what permissions, where in the tree, and how, and also find out exactly who is delegated what tasks in the tree, where and how, automatically.
To be able to do all this takes a lot of effort and time. To make it so easy, is extremely difficult, and in my opinion, this may very well be why its endorsed by Microsoft.
There are also some nice-to-have features like the ability to bind to a specific domain controller, the ability to customize any security report with an LDAP filter, the ability to create your own LDAP custom filter library, the ability to use alternate credentials to bind to AD, and the ability to generate custom PDF reports (i.e. with a custom title, heading, fields and a logo.)
Gold Finger 5.0 Demo
There are way too many capabilities and features in the tool for me to review, so I’m just going to share a demo that I found on YouTube with you, and a few helpful links I found.
Snapshots and Demos -
Personally, as a techie, I've always found snapshots and demos to be quite telling, so I looked around and found a few and demos -
It seems to me that a lot of thought went into making this tool valuable for AD admins. From its capabilities to the available options, they seem to have gotten the tool right this time around. Its sort of like the like the iPhone of AD tools - innovative, valuable, yet so simple to use, you'd wonder why no one thought of making it until now.
All in all, quite impressed.
DISCLAIMER: This is just my opinion. I suggest forming your own opinion based on your own experience. I believe they still give out free 21-days trials. (I got mine in a few minutes.)
+ Pros: Its really useful capabilities, Effective Permissions analyzer, being #1 on my list
- Cons: Some features from 4.0, like Scope Exclusion, seem to have been removed
Summary: In summary, Gold Finger 5.0 is a highly capable Active Directory Audit Tool , and it features numerous unique capabilities such as fully-automated Active Directory delegated access / delegation reports, and is the only accurate Active Directory Effective Permissions Tool I have found thus far.