Create RiskIDs "P-CanonicalOrderADObject" / "P-CanonicalOrderFiles" for wrong Canonical Order

What is a one sentence summary of your feature request?

Check if “AreAccessRulesCanonical” and “AreAuditRulesCanonical” for relevant objects are true

Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.

Canonical order for permissions is important for deny or allow permissions to work as expected. If the order is incorrect, then allow permissions may unexpectedly win against deny permissions. This can lead to a security issue.
ACLs are often believed to always work like “deny always wins”, which is not true even with canonical order.

An example of why that happens:

Someone has made an example with a file:

The order should be checked for AD objects, for files in the Netlogon/SYSVOL shares, and, if configured, for external GPO files (AD GPO objects don’t always have to be linked to SYSVOL).

Privileged accounts > ACL Check > P-CanonicalOrderADObject / P-CanonicalOrderFiles

How do you currently solve the challenges you have by not having this feature?

Using different software or PowerShell scripts, basically something like this:
# requires the ActiveDirectory module (AD: drive); -Audit is needed to load the SACL that AreAuditRulesCanonical inspects
Get-Acl -Path "AD:\CN=ANYOBJECT,DC=example,DC=com" -Audit | Select-Object -Property AreAccessRulesCanonical,AreAuditRulesCanonical
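The check described above, extended to walk the whole domain and the SYSVOL share, as an added example that is not part of the original post or of the product. It assumes the ActiveDirectory RSAT module, read access to the AD: drive and SYSVOL, and SeSecurityPrivilege for reading SACLs (without it the audit part is reported as not read).

```powershell
# Added example: report AD objects and SYSVOL files whose DACL or SACL is not in canonical order.
# Assumption: ActiveDirectory module is installed; run with an account that can read ACLs.
Import-Module ActiveDirectory

function Test-CanonicalAcl {
    param([Parameter(Mandatory)][string]$Path, [string]$Category)
    $auditRead = $true
    try {
        # -Audit also loads the SACL; without it AreAuditRulesCanonical is trivially true
        $acl = Get-Acl -Path $Path -Audit -ErrorAction Stop
    } catch {
        $auditRead = $false
        try { $acl = Get-Acl -Path $Path -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL for ${Path}: $_"; return }
    }
    $auditState = if ($auditRead) { $acl.AreAuditRulesCanonical } else { 'not read' }
    if (-not $acl.AreAccessRulesCanonical -or ($auditRead -and -not $acl.AreAuditRulesCanonical)) {
        [pscustomobject]@{
            Category             = $Category
            Path                 = $Path
            AccessRulesCanonical = $acl.AreAccessRulesCanonical
            AuditRulesCanonical  = $auditState
            Owner                = $acl.Owner
        }
    }
}

$domain = Get-ADDomain

# 1. Every object in the domain (narrow -SearchBase or use -LDAPFilter on large directories)
$adFindings = @(
    Get-ADObject -Filter * -SearchBase $domain.DistinguishedName |
        ForEach-Object { Test-CanonicalAcl -Path "AD:\$($_.DistinguishedName)" -Category 'ADObject' }
)

# 2. GPO files and logon scripts in SYSVOL (Netlogon is the scripts folder inside SYSVOL)
$sysvol = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)"
$fileFindings = @(
    Get-ChildItem -Path $sysvol -Recurse -Force |
        ForEach-Object { Test-CanonicalAcl -Path $_.FullName -Category 'File' }
)

# Any row here is a candidate for P-CanonicalOrderADObject / P-CanonicalOrderFiles
$adFindings + $fileFindings | Format-Table -AutoSize
```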

As always, great and well thought out ideas. Yes, this is a great candidate for a new and simple rule. We will add this to the product.
