joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

How To: Report explicit ACEs on Active Directory objects with AdFind

by @ 1:55 am on 9/28/2006. Filed under tech

A fellow MVP, Brian Desmond, suggested in a previous blog comment that I should “add a switch to filter inherited permissions”. I thought, hey, great idea… I can do better. 🙂

In AdFind V01.32.00 you will find the new switches -sddlfilter and -sddlNOTfilter. These switches allow you to specify a value for each of the 6 pieces of an ACE, so you can match on a very specific ACE or on just one or more of its fields. And with the NOT version you can output anything that DOESN’T match. Cool huh? I didn’t give the ability to specify multiple filters like I normally do for this type of thing because that would very quickly get very intensive, and there is so much filtering going on already that at times my laptop fan is spinning fast enough to move the laptop three inches to the right.

I added a couple of other switches that seemed to make sense as well, specifically -noowner, -nogroup, -nodacl, -nosacl. These tell AdFind not to output those pieces of nTSecurityDescriptor, and the same applies to any other Security Descriptor attribute. Finally, I added a switch called -recmute… This is seemingly an odd one until you realize fully what it is for. Normally, if there is no attribute output for a given object, the DN gets output on its own. If you are filtering ACLs looking only for ACLs with a specific ACE, you may not want to output every single DN for every single object whether or not it has the given ACE… Say, for instance, you are looking for any explicit ACEs for a given group. You want the output to be as filtered as possible. So -recmute tells AdFind not to output the DN unless there are attribute values to output as well.

So all of these switch additions allow me to create the shortcut called -sc explaces, which is a direct response to Brian’s, IMO, great suggestion. Sure it involved adding a bunch of other stuff, and sure it could have been done in a quicker, easier, less flexible way, but I expect I and others will find other cool things we could do with this new capability.

The actual switch selection that -sc explaces inserts for you is:

Selected Switches
  -b
  -f *
  -gc
  -nogroup
  -noowner
  -nosacl
  -recmute
  -resolvesids
  -sddl++
  -sddlnotfilter ;inherited

Selected Attributes
  ntsecuritydescriptor

So here is an example of -sc explaces:

F:\Dev\CPP\AdFind>adfind -sc explaces

AdFind V01.32.00cpp Joe Richards (joe@joeware.net) October 2006

Using server: 2k3dc02.joe.com:3268
Directory: Windows Server 2003

dn:DC=joe,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Manage Replication Topology;;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes All;;JOE\Domain Controllers
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT];[WRT PROP];groupType;;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT];[WRT PROP];displayName;;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT];[WRT PROP];Public Information;;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT];[WRT PROP];Personal Information;;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];tokenGroups;computer;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];tokenGroups;group;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];tokenGroups;user;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;inetOrgPerson;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;user;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ][WRT PERMS];;group;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replication Synchronization;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Manage Replication Topology;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes All;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Create Inbound Forest Trust;;BUILTIN\Incoming Forest Trust Builders
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;group;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replication Synchronization;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Manage Replication Topology;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] ALLOW;;[READ];;;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT OWNER];;;JOE\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[LIST CHILDREN];;;JOE\Exchange Enterprise Servers
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[FC];;;JOE\Enterprise Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[READ PROP][READ];;;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[LIST CHILDREN];;;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[CR CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][DEL][READ][WRT PERMS][WRT OWNER];;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] ALLOW;;[READ PROP];;;Everyone
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM

dn:CN=Configuration,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replication Synchronization;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Manage Replication Topology;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes All;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replication Synchronization;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Manage Replication Topology;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes All;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[FC];;;JOE\Enterprise Admins
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT][INHERIT ONLY];[CR CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][DEL][READ][WRT PERMS][WRT OWNER];;;JOE\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM

dn:CN=Sites,CN=Configuration,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT OWNER];;;JOE\Enterprise Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM

dn:CN=MyMainSite,CN=Sites,CN=Configuration,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM

dn:CN=Servers,CN=MyMainSite,CN=Sites,CN=Configuration,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD];;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM

[SNIP]


Now if you just want the explicit ACEs granted to, say, the account joe\joe because you know you delegated something to that ID directly but you don’t recall exactly what… you just add an -sddlfilter ;;;;;joe\joe to the command. If you know the specific scope/basedn you are worried about, you can add those pieces as well; for instance, in this example I will tell it to focus on the default NC:

F:\Dev\CPP\AdFind>adfind -sc explaces -sddlfilter ;;;;;joe\joe -default

AdFind V01.32.00cpp Joe Richards (joe@joeware.net) October 2006

Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=joeware2,OU=Exchange,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT];[CR CHILD][DEL CHILD];user;;JOE\joe

dn:CN=MTUser8,OU=TestOU,OU=joeware2,OU=Exchange,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;JOE\joe

dn:CN=blank,CN=Users,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replication Synchronization;;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes All;;JOE\joe
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;JOE\joe

dn:CN=ADUser,CN=Users,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Reset Password;;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Unexpire Password;;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];pwdLastSet;;JOE\joe

dn:CN=LargeDLTest,OU=DLTest,OU=joeware2,OU=Exchange,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT];[SELF WRT];Add/Remove self as member;;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[SELF WRT];Add/Remove self as member;;JOE\joe

dn:CN=dltest0,OU=Users,OU=DLTest,OU=joeware2,OU=Exchange,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Send As;;JOE\joe

dn:OU=UserTestOU,OU=TestOU,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[FC];00000000-0000-0000-0000-000000000000;;JOE\joe

dn:CN=TestDLG,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;JOE\joe

dn:OU=test,OU=TestOU,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT];[CR CHILD][DEL CHILD];computer;;JOE\joe

dn:CN=testuser-fullname,CN=Users,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP][WRT PROP];lockoutTime;;JOE\joe

dn:OU=joeou,OU=TestOU,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;JOE\joe
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;JOE\joe2

dn:CN=upntest,OU=TestOU,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];comment;;JOE\joe

dn:CN=TestComputerAcl,OU=TestOU,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[SELF WRT];DNS Host Name Attributes;00000000-0000-0000-0000-000000000000;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[SELF WRT];Validated write to service principal name;00000000-0000-0000-0000-000000000000;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];Account Restrictions;00000000-0000-0000-0000-000000000000;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];Logon Information;computer;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];description;computer;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];displayName;computer;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];sAMAccountName;computer;JOE\joe
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][DEL TREE][LIST OBJ][CTL][DEL][READ];;;JOE\joe

dn:OU=_JoeERTest,OU=TestOU,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[WRT PROP];Account Restrictions;user;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[WRT PROP];pwdLastSet;user;JOE\joe

dn:CN=ertest,OU=_JoeERTest,OU=TestOU,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[WRT PROP];userAccountControl;user;JOE\joe
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[FC];;;JOE\joe

15 Objects returned


Oh you may be wondering… what is that

>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[SELF WRT];DNS Host Name Attributes;00000000-0000-0000-0000-000000000000;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[SELF WRT];Validated write to service principal name;00000000-0000-0000-0000-000000000000;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];Account Restrictions;00000000-0000-0000-0000-000000000000;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];Logon Information;computer;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];description;computer;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];displayName;computer;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];sAMAccountName;computer;JOE\joe

with the funny GUIDs all about? It is a bug in ADUC in how it creates the perms when you set up an account with delegated join capability for someone. It is a fun bug, guaranteed to send DSACLS right off its rails… Try it out, you can crash DSACLS every single time. Both Ulf and I have floated this bug up.

Oh, that brings up a realistic problem: say you want to find all computer accounts that have delegation with dorked up ACLs like that… I added another computer object so two would show up…

F:\Dev\CPP\AdFind>adfind -e -sc explaces -default -f objectcategory=computer -sddlfilter ;;;;00000000-0000-0000-0000-000000000000

AdFind V01.32.00cpp Joe Richards (joe@joeware.net) October 2006

Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=TestComputerAcl,OU=TestOU,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[SELF WRT];DNS Host Name Attributes;00000000-0000-0000-0000-000000000000;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[SELF WRT];Validated write to service principal name;00000000-0000-0000-0000-000000000000;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];Account Restrictions;00000000-0000-0000-0000-000000000000;JOE\joe

dn:CN=cmpacltst,CN=Computers,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[SELF WRT];DNS Host Name Attributes;00000000-0000-0000-0000-000000000000;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[SELF WRT];Validated write to service principal name;00000000-0000-0000-0000-000000000000;JOE\joe
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP];Account Restrictions;00000000-0000-0000-0000-000000000000;JOE\joe

2 Objects returned
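To make the filtering above concrete for a reader who has saved an -sc explaces dump to a file, here is an added example (not AdFind's own code) that reads the -sddl++ output lines shown on this page and reproduces the -sddlfilter, -sddlnotfilter and -recmute behaviour over a constructed dump. The six field names (type, flags, rights, object type, inherited object type, trustee) are my reading of the output order; the `[INHERITED]` flag text for inherited ACEs and the empty-means-any, case-insensitive substring matching are assumptions about AdFind's semantics, not documented behaviour.

```python
import re

# Constructed sample modelled on the -sc explaces output above; the [INHERITED] flag text is an assumption.
SAMPLE = r"""
dn:CN=blank,CN=Users,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes All;;JOE\joe
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT][INHERITED];[FC];;;JOE\Enterprise Admins
dn:CN=cmpacltst,CN=Computers,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[SELF WRT];DNS Host Name Attributes;00000000-0000-0000-0000-000000000000;JOE\joe
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
dn:CN=Servers,CN=MyMainSite,CN=Sites,CN=Configuration,DC=joe,DC=com
>nTSecurityDescriptor: [DACL] ALLOW;[INHERITED];[FC];;;NT AUTHORITY\SYSTEM
"""

# Assumed field order, read off the output lines: 6 values separated by ';'.
FIELDS = ("type", "flags", "rights", "object_type", "inherited_object_type", "trustee")
ACE_RE = re.compile(r"^>nTSecurityDescriptor: \[(DACL|SACL)\] (.*)$")

def parse_ace(line):
    """Split one sddl++ output line into a dict of its six ACE fields, or None if not an ACE line."""
    m = ACE_RE.match(line)
    if not m:
        return None
    parts = m.group(2).split(";")
    if len(parts) != len(FIELDS):
        raise ValueError("expected 6 ACE fields: " + line)
    return dict(zip(FIELDS, parts))

def ace_matches(ace, spec):
    """Assumed -sddlfilter semantics: empty field = any, non-empty = case-insensitive substring."""
    wants = (spec.split(";") + [""] * len(FIELDS))[:len(FIELDS)]
    return all(not w or w.lower() in ace[f].lower() for w, f in zip(wants, FIELDS))

def filter_output(text, sddlfilter="", sddlnotfilter=";inherited", recmute=True):
    """Apply -sddlfilter / -sddlnotfilter to a dump; recmute drops DNs left with no ACEs."""
    result, dn = {}, None
    for line in text.splitlines():
        if line.startswith("dn:"):
            dn = line[3:]
            result.setdefault(dn, [])
            continue
        ace = parse_ace(line)
        if ace is None or dn is None:
            continue
        if sddlfilter and not ace_matches(ace, sddlfilter):
            continue
        if sddlnotfilter and ace_matches(ace, sddlnotfilter):
            continue
        result[dn].append(ace)
    return {d: aces for d, aces in result.items() if aces or not recmute}
```

Pointing it at a saved dump with the defaults gives the explicit ACEs per object, and passing the page's two filters (`;;;;;joe\joe` and `;;;;00000000-0000-0000-0000-000000000000`) reproduces the two listings above for offline review of delegations.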


2 Responses to “How To: Report explicit ACEs on Active Directory objects with AdFind”

  1. Hi Joe,

    thanks a lot for developing adfind. It is really helping me and a lot of others in finding things much better.

    I have a Q. I am looking to find out explicit send-as permissions granted on Exchange mailboxes in the entire organisation. I didn’t find any way to extract this info. Would be great if you can help me on that.

    Thanks
    Lakshmi Narayana

  2. joe says:

    The best way would be to use adfind to dump the security descriptor on all objects and comb through them. There is no way to actually query for this, you have to enumerate all objects. On the positive side, with the filtering capabilities in adfind, you should be able to tell it to just output ACEs that are Send As ACEs. At least I am pretty sure, been a bit since I mucked around in that part of the code. 🙂
