
Control Paths Analysis disregards blocked inheritance for permissions

Open · PhiZ-9 opened this issue 1 year ago · 1 comment

Similar to #81, PingCastle does not seem to check whether an OU blocks inheritance with regard to permissions.

When a group or user has permissions that were inherited from a superior OU, but the sub-OU has inheritance blocked, these permissions are still displayed.

Example Setup/Steps to Reproduce:

Create the following:

Group1

Main OU
    -> Sub OU
        -> User1

Assign permissions:

Main OU        <- Group1 : FullControl, Descendant User Objects
    -> Sub OU
        -> User1

With this setup, "Group1", which is assigned permissions on the level of "Main OU", has "FullControl" over "User1". This is expected and PingCastle reports correctly. Now block inheritance on "Sub OU":

Main OU        <- Group1 : FullControl, Descendant User Objects
    X Sub OU   <- Inheritance Disabled
        -> User1

Now with inheritance disabled, members of "Group1" no longer have "FullControl" over the "User1" object. This can be confirmed with the usual tools such as ADUC or PowerShell. However, PingCastle still reports this edge in the Control Path Analysis.

PhiZ-9 · Dec 03 '24 11:12
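The PowerShell confirmation mentioned in the report, written out as an added example (not PingCastle's code and not the reporter's script). It assumes the RSAT ActiveDirectory module, a domain DC=example,DC=com, and the OU, user and group names from the setup above; the AD: drive DN's are assumptions.

```powershell
# Added example: check whether an ACE granted on a parent OU actually reaches
# an object, honouring a blocked (protected) DACL on the intermediate OU.
Import-Module ActiveDirectory   # provides the AD: PSDrive used by Get-Acl

$subOu = "OU=Sub OU,OU=Main OU,DC=example,DC=com"   # assumed DN
$user  = "CN=User1,$subOu"                          # assumed DN
$group = "Group1"                                   # sAMAccountName from the issue

function Get-EffectiveAceFromParent {
    param(
        [string]$ObjectDn,   # object whose effective ACEs we inspect (User1)
        [string]$ParentDn,   # OU directly above it (Sub OU)
        [string]$Identity    # trustee whose rights we are looking for (Group1)
    )

    $parentAcl = Get-Acl -Path "AD:\$ParentDn"
    $objectAcl = Get-Acl -Path "AD:\$ObjectDn"

    # AD materialises inherited ACEs on each object's own DACL, so the object's
    # Access list already reflects whether propagation was blocked above it.
    $aces = $objectAcl.Access | Where-Object {
        $_.IdentityReference.Value -like "*\$Identity"
    }

    [pscustomobject]@{
        Object              = $ObjectDn
        ParentBlocksInherit = $parentAcl.AreAccessRulesProtected   # True when "Disable inheritance" was used
        InheritedAces       = @($aces | Where-Object { $_.IsInherited }).Count
        ExplicitAces        = @($aces | Where-Object { -not $_.IsInherited }).Count
        Rights              = ($aces | ForEach-Object { $_.ActiveDirectoryRights } | Sort-Object -Unique) -join ', '
        # A control-path edge Group1 -> User1 is only justified if some ACE for the
        # trustee is actually present on the object (FullControl shows as GenericAll).
        EdgeJustified       = [bool]($aces | Where-Object { $_.ActiveDirectoryRights -band 'GenericAll' })
    }
}

Get-EffectiveAceFromParent -ObjectDn $user -ParentDn $subOu -Identity $group | Format-List
```

With inheritance enabled on Sub OU the output shows ParentBlocksInherit False, one inherited GenericAll ACE and EdgeJustified True; after disabling inheritance (and removing the converted ACEs) it shows ParentBlocksInherit True, no ACEs for Group1 and EdgeJustified False, which is the state PingCastle should be reflecting.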

Thanks for the report and clear information. I have put this in the backlog to sort. I don't think changes to the control paths will make it into 3.4, but there will likely be a fix or rework of control paths in version 3.5, as there are a few similar issues (Descendant object type, etc.).

JoeDibley · Dec 03 '24 13:12