joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

HowTo: Find what objects have inheritance turned off…

by @ 4:23 pm on 1/6/2007. Filed under tech

This question comes up so often I decided to write a little something something on it so I can point people at it instead of rewriting the answer.

So let’s say the question comes in like

Question:

How do I query AD for all users (or objects or whatever) that don’t have “Allow inheritable permissions to propagate to this object…” or words to that effect?

Answer:

You don’t.

🙂

 

Ok so likely not the answer you were looking for nor expecting? The full answer is this…

You can’t, because that information is stored in the Security Descriptor, which is a big hunk of binary data called a BLOB (binary large object) that you can’t realistically query for anything useful. WHAT?!? That’s an outrage! This MUST be a bug! No, not at all.

This BLOB, or chunk of info, looks something like this (hex encoded):

0100149ce0020000fc020000140000008c0000000400780002000000075a38002000000003000000be3b
0ef3f09fd111b6030000f80367c1a57a96bfe60dd011a28500aa003049e2010100000000000100000000
075a38002000000003000000bf3b0ef3f09fd111b6030000f80367c1a57a96bfe60dd011a28500aa0030
49e201010000000000010000000004005402100000000502380010000000030000006d9ec6b7c72cd211
854e00a0c983f6089c7a96bfe60dd011a28500aa003049e2010100000000000509000000050a38001000
0000030000006d9ec6b7c72cd211854e00a0c983f608867a96bfe60dd011a28500aa003049e201010000
0000000509000000050a380010000000030000006d9ec6b7c72cd211854e00a0c983f608ba7a96bfe60d
d011a28500aa003049e201010000000000050900000005002c0010000000010000001db1a946ae605a40
b7e8ff8a58d456d20102000000000005200000003002000005022c0094000200020000009c7a96bfe60d
d011a28500aa003049e20102000000000005200000002a020000050a2c00940002000200000014cc2848
3714bc459b07ad6f015e5f280102000000000005200000002a020000050a2c009400020002000000ba7a
96bfe60dd011a28500aa003049e20102000000000005200000002a020000050028000001000001000000
551a72ab2f1ed011981900aa0040529b01010000000000050b00000000002400ff010f00010500000000
000515000000aa867905c1c5484bba6236d50002000000022400ff010f00010500000000000515000000
aa867905c1c5484bba6236d50702000000001800ff010f00010200000000000520000000240200000002
1800040000000102000000000005200000002a02000000021800bd010f00010200000000000520000000
20020000000014009400020001010000000000050a000000000014009400020001010000000000050b00
000000001400ff010f00010100000000000512000000010500000000000515000000aa867905c1c5484b
ba6236d500020000010500000000000515000000aa867905c1c5484bba6236d50102000030

Now mind you, this is a really small security descriptor; this is the Security Descriptor on an object that isn’t inheriting anything, in a domain with almost all default ACLing. Get a Security Descriptor from a normal production domain with Exchange and LCS and other apps that do crappy things to your ACLs and it will be HUGE compared to this.

So, now that you know what the feared blob looks like, and you are sure you should be able to easily query it for, say, whether or not the DACL is protected from inheritance… how about you point at the actual part of the above blob that tells someone the DACL is protected? If you can do that, is it something that could be uniquely found within that string of numbers? For instance, if you said “return all objects with a 2 in the security descriptor”, that is almost certainly going to return every single object… Oh… Not quite so easy, eh[1]?

So that leaves what… exactly?

It leaves you having to enumerate the security descriptors and pick out the info you want. This means returning a lot of data from your DC and filtering through it, which isn’t as fast or as efficient as a query. Oi![2]

So how do we do this…

Why you use AdFind of course!

AdFind will output the SDDL format of Security Descriptors for you. You just use the handy dandy -sddl family of switches and then use grep or find or findstr or whatnot to filter for the lines you care about.

You could do this for some time with AdFind, but the most recent set of changes I made fixed a couple of bugs from the last version that could make it a little more difficult to accomplish, plus I added some switches to make it even easier than it would have been before.

So let’s say I had version V01.33.00. I could get a list of the objects that had inheritance off with a command like:

adfind -default -f * ntsecuritydescriptor -sddl -sdna -csv |grep -c "] P"

That would dump the Owner, Group, and DACL of the security descriptor for all objects and then use grep to keep only the lines that had this string in the output: [DACL] PAI.

The output would look something like

G:\Dev\CPP\AdFind>v01.33.00\adfind -default -f * ntsecuritydescriptor -sddl -sdna -csv |grep "] P"

File STDIN:
"CN=VolumeTable,CN=FileLinks,CN=System,DC=test,DC=loc","[OWNER] DA;[GROUP] DA;[DACL] PAI(A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA)"

"CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=test,DC=loc","[OWNER] DA;[GROUP] DA;[DACL] PAI(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)"

"CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=test,DC=loc","[OWNER] DA;[GROUP] DA;[DACL] PAI(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)"

"CN=AdminSDHolder,CN=System,DC=test,DC=loc","[OWNER] DA;[GROUP] DA;[DACL] PAI(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;EA)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)"

<SNIP>

Unfortunately I commented out a line in V01.34.00 which made this not work, so you had to do something more like

adfind -default -f * ntsecuritydescriptor -sddl -rawsddl -sdna -csv |grep "D:P"

which resulted in output that looked like

G:\Dev\CPP\AdFind>v01.34.00\adfind -default -f * ntsecuritydescriptor -sddl -rawsddl -sdna -csv |grep "D:P"

File STDIN:
"CN=VolumeTable,CN=FileLinks,CN=System,DC=test,DC=loc","[SDDL] O:DAG:DAD:PAI(A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA);[OWNER] DA;[GROUP] DA;[DACL] (A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA)"

"CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=test,DC=loc","[SDDL] O:DAG:DAD:PAI(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED);[OWNER] DA;[GROUP] DA;[DACL] (A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)"

"CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=test,DC=loc","[SDDL] O:DAG:DAD:PAI(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED);[OWNER] DA;[GROUP] DA;[DACL] (A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)"

"CN=AdminSDHolder,CN=System,DC=test,DC=loc","[SDDL] O:DAG:DAD:PAI(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;EA)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561);[OWNER] DA;[GROUP] DA;[DACL] (A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;EA)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)"

That certainly isn’t winning any awards for simplicity, readability, and elegance.

So I added some new switches specifically for looking for this kind of stuff… Those switches being -onlydaclflag, -onlysaclflag, and -onlyaclflags. Now you can enter a command like

adfind -default -f * ntsecuritydescriptor -sddl -onlydaclflag -csv |grep "] P"

and get output that looks like

G:\new1\Dev\CPP\AdFind>v01.35.00\adfind -default -f * ntsecuritydescriptor -sddl -onlydaclflag -csv |grep "] P"

File STDIN:
"CN=VolumeTable,CN=FileLinks,CN=System,DC=test,DC=loc","[DACL] PAI"
"CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=test,DC=loc","[DACL] PAI"
"CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=test,DC=loc","[DACL] PAI"
"CN=AdminSDHolder,CN=System,DC=test,DC=loc","[DACL] PAI"

Hmmmm, much better, and now you can actually read what is going on there, right?

You can also do something like

adfind -default -f * ntsecuritydescriptor -sddl++ -onlydaclflag -csv |grep "FLAGS:PROTECTED"

which results in output like

G:\Dev\CPP\AdFind>v01.35.00\adfind -default -f * ntsecuritydescriptor -sddl++ -onlydaclflag -csv |grep "FLAGS:PROTECTED"

File STDIN:
"CN=VolumeTable,CN=FileLinks,CN=System,DC=test,DC=loc","[DACL] (FLAGS:PROTECTED INHERIT)"
"CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=test,DC=loc","[DACL] (FLAGS:PROTECTED INHERIT)"
"CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=test,DC=loc","[DACL] (FLAGS:PROTECTED INHERIT)"
"CN=AdminSDHolder,CN=System,DC=test,DC=loc","[DACL] (FLAGS:PROTECTED INHERIT)"

Some people may like that better.

The difference between those two commands is the change from -sddl to -sddl++, which makes AdFind do some more string decoding for you. Note that it requires more overhead and runs a little slower, but the output may look nicer to you.

The other item that is different from the earlier command is the addition of the -onlydaclflag switch, which tells AdFind to request only the DACL and skip the Owner, Group, and SACL info of the Security Descriptor; this results in less work for the DC and less data over the wire. Unfortunately you still have to bring the whole DACL over, but only the flags for that ACL are displayed.
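Here is an added worked example (not code from the post or from AdFind) that ties the blob challenge earlier in the post to the grep above: the first 20 bytes of the blob are the fixed security descriptor header, and "inheritance turned off" is the SE_DACL_PROTECTED bit (0x1000) of the Control word at offset 2, the P that SDDL shows as D:PAI. The Python decodes that header from the post's own blob and then filters AdFind -csv output on the [DACL] field rather than the whole line; the CSV rows are constructed to match the output shapes shown above (the OU=Sales and CN=Policies rows are made up).

```python
import csv
import io
import re
import struct

# SECURITY_DESCRIPTOR control bits (winnt.h / MS-DTYP 2.4.6) that matter for inheritance.
SE_DACL_AUTO_INHERIT_REQ = 0x0100  # SDDL "AR"
SE_DACL_AUTO_INHERITED   = 0x0400  # SDDL "AI"
SE_DACL_PROTECTED        = 0x1000  # SDDL "P": the "inheritance turned off" bit
SE_SELF_RELATIVE         = 0x8000
# First 20 bytes (the fixed header) of the blob shown in the post; Control is the WORD at offset 2.
SD_HEADER_HEX = "0100149ce0020000fc020000140000008c000000"

def parse_sd_header(blob: bytes) -> dict:
    """Decode a self-relative SECURITY_DESCRIPTOR header: Revision, Sbz1, Control (LE), 4 offsets."""
    rev, _sbz1, control, o_owner, o_group, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    return {"control": control, "dacl_protected": bool(control & SE_DACL_PROTECTED),
            "offsets": {"owner": o_owner, "group": o_group, "sacl": o_sacl, "dacl": o_dacl}}

def dacl_flags_sddl(control: int) -> str:
    """Render the DACL control bits the way the D: section of SDDL does ("PAI" in the post's output)."""
    return ("P" if control & SE_DACL_PROTECTED else "") + \
           ("AR" if control & SE_DACL_AUTO_INHERIT_REQ else "") + \
           ("AI" if control & SE_DACL_AUTO_INHERITED else "")

# Only the [DACL] field (or the D: section of -rawsddl output) is inspected, so an owner or group
# alias that happens to start with P (PA, for instance) cannot give a false hit the way grep "] P" can.
_DACL_FIELD = re.compile(r"\[DACL\]\s*(\(FLAGS:[^)]*\)|[A-Z]*)")
_RAW_DACL = re.compile(r"D:([A-Z]*)(?=\(|S:|$)")

def dacl_is_protected(field: str) -> bool:
    """True if an AdFind -sddl, -sddl++ or -rawsddl rendering shows a protected DACL."""
    m = _RAW_DACL.search(field) or _DACL_FIELD.search(field)
    return bool(m) and (m.group(1).startswith("P") or m.group(1).startswith("(FLAGS:PROTECTED"))

def protected_dns(csv_text: str) -> list:
    """Walk AdFind -csv output and return the DNs whose DACL has inheritance blocked."""
    return [row[0] for row in csv.reader(io.StringIO(csv_text))
            if len(row) >= 2 and dacl_is_protected(row[1])]

# Constructed sample in the shape of the post's output (the OU=Sales and CN=Policies rows are made up).
SAMPLE_CSV = (
    '"CN=VolumeTable,CN=FileLinks,CN=System,DC=test,DC=loc","[DACL] PAI"\n'
    '"CN=AdminSDHolder,CN=System,DC=test,DC=loc","[DACL] (FLAGS:PROTECTED INHERIT)"\n'
    '"OU=Sales,DC=test,DC=loc","[OWNER] PA;[GROUP] DA;[DACL] AI(A;;LCRPLORC;;;AU)"\n'
    '"CN=Policies,CN=System,DC=test,DC=loc","[SDDL] O:DAG:DAD:AI(A;;LCRPLORC;;;AU);[DACL] (A;;LCRPLORC;;;AU)"\n'
)
```

Feed it `adfind ... -csv` output on stdin and you get the same list the grep gives, minus the chance of matching something other than the DACL flags.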

You can also do this against a Global Catalog if you would like, to find ALL objects in the forest that have inheritance blocked… I just ran the following command

adfind -h 2k3dc02 -gc -null -f * ntsecuritydescriptor -sddl -onlydaclflag -csv |grep "] P"

against a low-end test DC with 256 MB of RAM holding about 39000 objects, and found the 84 objects with blocked inheritance in 41 seconds. Running the same thing but using -sddl++ and the longer match string took 45 seconds, which makes sense as there is more work per object to be done. Either way, how long would it take you to find those matches before? Maybe before you couldn’t, without having someone supply you with a script or some expensive third-party tool.

Hope folks find this entry and the modifications to AdFind useful. Certainly it felt good on my end to do purely technical work to write this up and modify AdFind, especially involving Active Directory, versus all of the stuff I have been having to work on lately.

 

   joe

 

[1] I was receiving complaints from north of the border that I didn’t have enough Canadian content in my posts so there you go…

[2] Hello to my Australian/British friends.


2 Responses to “HowTo: Find what objects have inheritance turned off…”

  1. Ben Watson says:

    Where did you get your Windows version of grep?
