I have released an update to AdFind. The new version is V01.35.00. The following changes are included:
- Fixed bug in -onlydacl
- Fixed bug in -sddl for ACL flag output
- Added shortcut DomainNCs
- Changed ACL flag output for -sddl++
- Added -onlydaclflag, -onlysaclflag, -onlyaclflags
I think folks will like the -onlydaclflag switch once they realize how useful it can be. I put that in there specifically so people can find protected ACLs… i.e. ACLs that do not inherit from their parent. I also optimized that code path so that it should move very quickly. Why, you ask? Because trying to find where ACLs aren’t being inherited can be a bit of a pain because you can’t query for it. This means it has to be enumerated and that can be pretty slow, ESPECIALLY if done with an ADSI script or if you try to wrap DSACLS with a script. Seriously, this thing moves… I scanned some 31,000 objects and found 37 objects with protected ACLs in under a minute.
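What "protected" means at the SDDL level, as an added example (not AdFind's code or output): in Microsoft's SDDL format the DACL control flags follow `D:`, and `P` marks a DACL that blocks inheritance from the parent. The function names, DNs and SDDL strings below are constructed for illustration.

```python
import re

def acl_flags(sddl, part="D"):
    """Return the control flags ("P", "AR", "AI") set on the DACL ("D") or
    SACL ("S") of an SDDL string, or None if that ACL is absent."""
    header = sddl
    while True:
        # Drop ACE bodies, innermost first, so nested parentheses in
        # conditional ACEs cannot be mistaken for the "D:" / "S:" tags.
        stripped = re.sub(r"\([^()]*\)", "", header)
        if stripped == header:
            break
        header = stripped
    # What is left looks like "O:DAG:DAD:PAIS:AI"; flags run up to the next tag.
    m = re.search(part + r":([A-Z_]*?)(?=[OGDS]:|$)", header)
    if m is None:
        return None
    return set(re.findall(r"AR|AI|P", m.group(1)))

def protected_dacls(rows):
    """rows: iterable of (dn, sddl). Return the DNs whose DACL carries P,
    i.e. objects that do not inherit ACEs from their parent."""
    return [dn for dn, sddl in rows if "P" in (acl_flags(sddl) or ())]

# Constructed sample data (hypothetical DNs and security descriptors).
SAMPLE = [
    ("CN=svc-backup,OU=Service,DC=example,DC=com",
     "O:DAG:DAD:PAI(A;;FA;;;DA)(A;;GA;;;SY)S:AI(AU;CIIDSA;WD;;;WD)"),
    ("CN=jsmith,OU=Staff,DC=example,DC=com",
     "O:DAG:DAD:AI(A;;FA;;;DA)(A;CIID;GA;;;EA)"),
    ("OU=Locked,DC=example,DC=com",
     "O:DAG:DUD:P(A;;GA;;;SY)(A;;GR;;;AU)"),
    # Conditional ACE whose expression contains the text "D:P"; not protected.
    ("CN=decoy,OU=Staff,DC=example,DC=com",
     'O:BAG:BAD:AI(XA;ID;FA;;;WD;(@User.Title=="D:P"))'),
]

if __name__ == "__main__":
    for dn in protected_dacls(SAMPLE):
        print(dn)
```
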
I will be writing up another blog post on searching for protected ACLs.
joe