79785049

Date: 2025-10-08 02:45:30
Score: 3.5

This thread is 4 1/2 years old, but fuck it, I didn't see anyone else mention it so I will.

In this example, the group in question has WriteOwner and WriteDACL rights. This means they can seize ownership of the AD object in question, and once they do, the DACL does not matter anymore.

Additionally, the group in question is the Administrators group, which means they can seize ownership of any AD object regardless of the DACL on it, much as local admin can seize ownership of any NTFS object. Once they seize ownership, they can do whatever they want to.

Hence their "effective permissions" are GenericAll.

/end thread

Reasons:
  • Blacklisted phrase (2): fuck
  • Long answer (-0.5):
  • No code block (0.5):
  • Unregistered user (0.5):
  • Low reputation (1):
Posted by: Rich