Permission Analysis with Solarwinds Access Rights Manager (ARM)

It might be a well-kept secret outside of IT departments, but insiders know the reality; permission structures are often suboptimal. The reason for this is permission structures have grown historically, some say even hysterically, over time.

One cause is quick fixes applied with the intent to replace with a proper solution later, but in many cases, these fixes are still in place today.

Usually the more complex a system is, the more complicated it is to keep it up and running properly. In our case, we are speaking about permission structures that handle access to your organization’s data and can hold everything, from customer data to financial data to patent applications. So it should be in good shape.

However, tools provided by the operating system often reach their limit before you even start. Scripts can be quite handy for some investigations, but they are rather difficult to maintain, and their visualization capabilities are limited.

Let‘s see how we can use SolarWindsRegistered Access Rights Management to help remediate the permissions relics of past decades.


Getting Started

Note: Please ensure your ARM installation is properly configured and the first Active Directory and file server scans are executed successfully. You can find more information in the Getting Started Guide.

If you are looking for basic permission analysis reporting, please check identify the permissions of a user or identify access rights on a resource for more details.

Ok, now let’s see how ARM can help answer some more complicated questions.

Identify recursive groups

Groups can be members of other groups. Active Directory allows "children" to become "parents" within their own family tree. If the nested group structure loops in a circular way, group membership assignments become ineffective and nonsensical. Through these recursions or circular nested groups, every user who is a member of any of the recursive groups is granted all access rights to all of the groups. The consequence is a confusing mess of excessive access rights. ARM automatically identifies all recursions in your system. We highly recommend removing the recursion by breaking the chain of circular group memberships.


  1. Select the dashboard.
  2. Double-click on "groups in recursions".


  1. ARM automatically switches to "Multiselection".
  2. The scenario "groups in recursions" is active. ARM lists all groups included in the recursion.
  3. Click on a group.
  4. ARM lists all users and groups in the selected recursion.
  5. Double-click on a group.


  1. ARM switches to the account view. You can see an example of a recursion.
  2. The recursion is indicated by the orange line.

To remediate, you can simply edit the group membership of any group that’s part of the recursion by following the steps outlined here.

Visualize nested group structures

The central component of every Active Directory (AD) is the group concept. Administrators use groups to assign access rights and resources to individual users or user groups. This results in nesting: For example, the group "Marketing" gives access rights to the corresponding file server directories of the department. At the same time, however, the group is also a member (i.e., nested) of the group "Access Wlan 4th floor". The ARM AD graph shows the nesting structure in your Active Directory and helps you to recognize grown structures and adjust structural errors.


Switch to Accounts to see the AD graph view.



  1. Find the AD group by entering its name into the search field. For example: "Marketing". Select the desired result from the Groups section of the drop-down menu.
  2. If you can't find your resource, click on "See more results".


  1. The "Marketing" group is the focus of the following analysis.
  2. Above the group, you see other groups in the AD graph that the "Marketing Group” is a member in, the so-called "parents". All "parent" groups, both direct and indirect, are listed on the left-hand side. Indirect "parents" are indicated by a blue arrow.
  3. On the right-hand side, you can see the name of the group listed at the top. Underneath it, you can see a list of all "children," both direct and indirect, of the group.
  4. You can open and close the individual branches on the AD graph by clicking on the icon. The number listed indicates the number of direct "parents" or "children".

To change the group structure, you can simply edit the group membership of any group by following the steps outlined here.

Identify potential overprivileged users based on Kerberos token size

The size of a Kerberos token is a good indicator for identifying users with excessive access rights. The more group memberships a user has, the bigger their Kerberos token. Even if a group membership does not automatically grant privileges, it is worthwhile to analyze the listed users.

In addition, there is a risk that users with too many group memberships will no longer be able to log in.


  1. Select "Dashboard".
  2. Double-click on the user in the list "Top 5 Kerberos Tokens".


  1. ARM automatically focuses on the selected user in the AD graph view.
  2. All "parents", meaning groups in which the selected user is a direct or indirect member of, are shown on the left-hand side. We recommend using this flat list for users with an extremely large number of group memberships.

Simply edit the group membership of the user by following the steps outlined here.

Identify deviating access rights in the tree structure

Inheriting permissions is a good way to keep the access rights structure clear and manageable. ARM shows deviating access rights, regardless of whether they were added or removed. If the chain of inheritance is broken, ARM will show this in the tree structure. You can make corrections or leave them as they are if the directory has special protection requirements.


  1. Select "Resources".
  2. The green arrow indicates that some of the subdirectories contain divergent access rights.


  1. The green circle with the exclamation mark indicates that the access rights of this directory differ from its “parent”.
  2. The directories with divergent access rights are listed in a window below with a drill-down option.


  1. Select a subdirectory.
  2. ARM shows which directory is compared with which.
  3. ARM displays all access rights equal to the “parent” directory.
  4. ARM shows all deviating access rights. A "Plus" signifies added access rights while a "Minus" signifies removed access rights.



I hope this overview gives you a good starting point to understand how ARM can help you clean up your permissions structure and improve the security of your organization’s data.

Need more details on the topic? Please refer to the Permissions Analysis section of the ARM Administrator Guide.

If you’re not already using SolarWinds Access Rights Manager, check out the free download. 

It’s free. It’s easy. Give it a try!