Description
Describe the Bug
When scanning, it appears the scans are only reading the permissions applied to the server. They do not take into account the effective permissions (such as a DENY being added at the computer level in AD).
Steps To Reproduce
Add permissions to an ADCS server that would be flagged by the ESC5 scan, such as "WriteProperty". Scan and find that this is reported in Locksmith (as it should be). Then go into AD and explicitly DENY "WriteProperty" for the same user account. Deny always takes precedence. Scan again, and find that even though the effective access for this user is now deny, it is still reported that this account presents a risk.
Expected Behavior
Effective permissions should be taken into account.
Environment
| Version | Name | Repository | Description |
|---|---|---|---|
| 2026.1.... | Locksmith | PSGallery | |

Server 2022

Local PowerShell

| Major | Minor | Build | Revision |
|---|---|---|---|
| 5 | 1 | 20348 | 4294 |
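The behaviour the report describes, reduced to an offline demonstration. This is an added example, not Locksmith's code and not a proposed patch: it builds an `ActiveDirectorySecurity` DACL in memory (no domain connection) with an Allow and a Deny ACE for the same principal and then computes the principal's effective rights by subtracting the Deny mask from the Allow mask, which is the precedence rule the issue relies on. The SID, the function name `Get-EffectiveAdRights` and the two ACEs are constructed for illustration. The check is deliberately simplified: it matches ACEs only on the exact SID and ignores group membership, inheritance order and object-type (GUID-scoped) ACEs, all of which a full Windows access check also evaluates.

```powershell
# Added example (not Locksmith code): show why a scanner that lists Allow ACEs alone
# over-reports, by computing effective rights with Deny ACEs subtracted.
Add-Type -AssemblyName System.DirectoryServices

function Get-EffectiveAdRights {
    param(
        [Parameter(Mandatory)] [System.DirectoryServices.ActiveDirectorySecurity] $Acl,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Sid
    )
    $allow = 0
    $deny  = 0
    # Ask for identities as SIDs so nothing has to be resolved against a domain.
    foreach ($ace in $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        # Simplification: exact-SID match only (no group expansion, no object-type GUID filtering).
        if ($ace.IdentityReference.Value -ne $Sid.Value) { continue }
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) {
            $allow = $allow -bor [int]$ace.ActiveDirectoryRights
        } else {
            $deny  = $deny  -bor [int]$ace.ActiveDirectoryRights
        }
    }
    # Deny takes precedence: any right that is denied is removed from what was allowed.
    [System.DirectoryServices.ActiveDirectoryRights]($allow -band (-bnot $deny))
}

# Constructed, hypothetical SID standing in for the low-privileged user from the report.
$lowPriv = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333-1105'
$acl = [System.DirectoryServices.ActiveDirectorySecurity]::new()

# Step 1 of the report: Allow WriteProperty (plus ReadProperty, to show the mask arithmetic).
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $lowPriv,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow))
"Before Deny : $(Get-EffectiveAdRights -Acl $acl -Sid $lowPriv)"

# Step 2 of the report: explicit Deny of WriteProperty for the same principal.
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $lowPriv,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Deny))
"After Deny  : $(Get-EffectiveAdRights -Acl $acl -Sid $lowPriv)"

# A scanner that only enumerates Allow ACEs still sees WriteProperty here:
$acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object AccessControlType -eq 'Allow' |
    Select-Object IdentityReference, ActiveDirectoryRights
```

After the Deny ACE is added, the effective-rights line should no longer contain WriteProperty while the Allow-only enumeration at the end still lists it; that gap is what the issue describes. For a real ESC5-style assessment the effective check would additionally need to expand the principal's group memberships (Deny ACEs on a group the user belongs to also apply) and honour GUID-scoped ACEs, so a Deny on a specific property does not cancel an Allow on a different one.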