
Access Control Lists Brief


What It Is

Every AD object has a security descriptor containing a DACL (who can do what) and a SACL (what gets audited). The DACL is a list of Access Control Entries (ACEs), each granting or denying a specific permission to a specific principal. This permission model is how delegated administration works — and how ACL-based attack paths are created.

Key Permission Types

  • GenericAll — full control over the object; can modify anything including the DACL itself
  • WriteDACL — can rewrite the object's permission list; effectively one step from full control
  • WriteOwner — can take ownership; owner can always modify the DACL; indirect path to full control
  • ForceChangePassword — can reset a user's password without knowing the current one
  • GenericWrite — can modify attributes; enables targeted Kerberoasting (setting SPNs)

Why ACL Paths Exist

Organizations delegate control for legitimate reasons — helpdesk teams reset passwords, app teams manage service accounts. Each delegation creates an ACE. The cumulative, transitive effect of many delegations creates escalation paths that no administrator designed as a whole. Inheritance amplifies this: permissions on an OU flow to every object inside it.
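To make the permission model above concrete, here is an added example (not from the original brief) that parses a security descriptor in SDDL form into its DACL ACEs and flags the control-granting ones a defender would want to audit: GenericAll, WriteDACL, WriteOwner, GenericWrite, and the User-Force-Change-Password extended right. It goes slightly beyond the text by also decoding hex access masks and by reporting whether each ACE was inherited from a parent container (the `ID` flag), which is the inheritance effect described above. The sample SDDL, the SIDs in it, and the function names are constructed for illustration; the extended-right GUID is the well-known one for User-Force-Change-Password.

```python
"""Parse an SDDL string's DACL into ACEs and flag the control-granting ones."""
import re
from dataclasses import dataclass

# SDDL two-letter rights tokens that grant control, with the names BloodHound reports
TOKEN_NAMES = {"GA": "GenericAll", "WD": "WriteDACL", "WO": "WriteOwner", "GW": "GenericWrite"}
# The same rights as bits of a hex access mask (values from the Windows SDK),
# plus ADS_RIGHT_DS_CONTROL_ACCESS (0x100), the "CR" extended-right bit
CONTROL_BITS = {0x10000000: "GA", 0x40000: "WD", 0x80000: "WO", 0x40000000: "GW", 0x100: "CR"}
# Well-known extended-right GUID for User-Force-Change-Password
FORCE_CHANGE_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"

@dataclass
class Ace:
    ace_type: str      # A = allow, D = deny, OA/OD = object-specific allow/deny
    flags: set         # CI (container inherit), OI, ID (inherited from parent), ...
    rights: set        # two-letter tokens; hex masks are decoded to tokens
    object_guid: str   # property or extended-right GUID; empty means "all"
    trustee: str       # SID, or an SDDL alias such as DA, AU, SY

    @property
    def inherited(self):
        # An ACE carrying ID was not set on this object; it flowed down from an OU
        return "ID" in self.flags

def expand_rights(field):
    """Turn the rights field into a set of two-letter tokens; hex masks are decoded."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {tok for bit, tok in CONTROL_BITS.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}

ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_dacl(sddl):
    """Return the ACEs of the DACL section (D:...) of an SDDL string."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        parts = body.split(";")
        if len(parts) < 6:        # conditional ACEs carry extra fields; skipped here
            continue
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = parts[:6]
        aces.append(Ace(ace_type,
                        {flags[i:i + 2] for i in range(0, len(flags), 2)},
                        expand_rights(rights), obj_guid.lower(), trustee))
    return aces

def audit(sddl):
    """List (trustee, permission, inherited) for every allow ACE that grants control."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace.ace_type not in ("A", "OA"):
            continue   # deny ACEs need order-aware evaluation; out of scope for this audit
        perms = [TOKEN_NAMES[t] for t in ("GA", "WD", "WO", "GW") if t in ace.rights]
        if "CR" in ace.rights:
            if ace.object_guid == FORCE_CHANGE_PASSWORD_GUID:
                perms.append("ForceChangePassword")
            elif ace.object_guid == "":
                perms.append("AllExtendedRights")   # unscoped CR includes ForceChangePassword
        for p in perms:
            findings.append((ace.trustee, p, ace.inherited))
    return findings

# Constructed sample descriptor for a user object (SIDs are made up):
#   - a group with explicit GenericAll
#   - a helpdesk group with the ForceChangePassword extended right
#   - a WriteDACL ACE inherited from the parent OU (CI + ID flags)
#   - full control expressed as a hex mask for SYSTEM
#   - read-only rights for Authenticated Users (should not be flagged)
#   - a deny ACE (ignored by this audit)
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;GA;;;S-1-5-21-1111-2222-3333-512)"
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1111-2222-3333-1105)"
    "(A;CIID;WD;;;S-1-5-21-1111-2222-3333-1106)"
    "(A;;0x1f01ff;;;SY)"
    "(A;;RPLCLORC;;;AU)"
    "(D;;WD;;;S-1-5-21-1111-2222-3333-1107)"
)

if __name__ == "__main__":
    for trustee, perm, inherited in audit(SAMPLE_SDDL):
        print(f"{trustee:40} {perm:22} {'inherited' if inherited else 'explicit'}")
```

Run against a descriptor exported from a real object (for example the `nTSecurityDescriptor` attribute converted to SDDL), the inherited column is what separates "someone delegated this on purpose" from "this arrived via the OU"; the latter is the case the inheritance pitfall below refers to.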

Interview Phrasing

ACLs define who can perform which operations on every AD object. The permissions that matter most are GenericAll, WriteDACL, WriteOwner, and ForceChangePassword — each grants a form of control. These exist because of delegated administration, and the accumulated effect of many delegations creates paths that BloodHound reveals. Understanding the permission model is what makes BloodHound output meaningful.

Common Pitfalls

  • Thinking ACLs only apply to files — in AD, every object (users, groups, OUs, GPOs) has an ACL
  • Treating GenericAll as the only dangerous permission — WriteDACL, WriteOwner, and ForceChangePassword are each independently exploitable
  • Confusing DACL permissions with group membership — a user with WriteDACL on Domain Admins is as dangerous as being in Domain Admins
  • Not understanding inheritance — permissions on a parent OU flow to all children, including objects moved there later