1. What is the DACL on an Active Directory object?
a) A log of all access attempts against the object
b) The list of permission entries that determines which principals can perform which operations on the object
c) The group membership list of the object
d) The encryption key that protects the object from unauthorized modification
2. Why is WriteDACL on an AD object effectively as dangerous as GenericAll?
a) Because WriteDACL automatically grants Domain Admin membership
b) Because WriteDACL allows a principal to modify the object's access control list, effectively granting the ability to give themselves any permission on that object
c) Because WriteDACL and GenericAll are identical permissions with different names
d) Because WriteDACL bypasses all authentication requirements
3. How does ACL inheritance create unintended privilege escalation paths?
a) Inherited permissions allow child objects to modify parent objects
b) Permissions set on a parent container flow down to all child objects, so a delegation on an OU applies to every object inside it — including objects moved there later
c) Inherited permissions override explicit permissions set directly on objects
d) Inheritance only applies to Group Policy Objects, not to ACL permissions
4. A compromised account has WriteDACL on the Domain Admins group. Why is this a critical finding even though the account is not a member of Domain Admins?
a) Because the account can read the passwords of Domain Admin members
b) Because the account can modify the group's DACL to grant itself permission to add members, then add itself or another controlled account to Domain Admins
c) Because WriteDACL automatically elevates the account to Domain Admin status
d) Because it means the Domain Admins group has been compromised and all members should change their passwords
5. What distinguishes ACL-based attack paths from group-membership-based paths?
a) ACL-based paths are always more dangerous than group membership paths
b) Group membership paths use 'who belongs to what group' relationships, while ACL-based paths use 'who has permissions on what object' relationships — both can lead to privilege escalation
c) ACL-based paths can only be discovered manually, while group membership paths are found by BloodHound
d) ACL-based paths only affect service accounts, not user accounts
6. An interviewer asks: 'Why do ACL misconfigurations exist in well-managed AD environments?' Which answer best explains the root cause?
a) Because AD has poor default security settings that expose all objects
b) Because delegated administration requires granting permissions on objects for legitimate operational reasons, and the cumulative effect of those delegations creates paths that administrators rarely audit as a whole
c) Because most organizations do not use Group Policy to manage permissions
d) Because only third-party tools can audit ACL permissions in AD