I posted yesterday about AdFind being on the bench and I received a couple of emails. One of the emails came from a friend who now works for MSFT. The core of the note was
In ADFind, could you also have a switch to tell you the size of the ntSecurityDescriptors attribute? I’ve noticed quite a few applications (such as exchange 2k and 2k3) have issues reading this blob when it gets over/around 32k on an object. Let me know what you think.
What do I think? I think that is an awesome idea, Brandon! I love it. It is just the kind of off-the-wall, out-of-the-box thinking that I think is a great trait. It is a simple thing that is tough to do normally and has real practical use in some important cases. It isn't something you will use every day; in fact most users may never use it. But if you need it, it is cool that it is "in there". There is another tool out there that will tell you SD lengths on AD objects; I recall seeing it on a couple of occasions but I can never recall the name. Anyway, I read that email on my lunch break and let it sit and spin in the back of my head all afternoon and evening. When I sat down at around midnight to look at the AdFind source code I pulled up those thoughts from the trenches, had it solved, and just punched in the source code to do it. After a little futzing around with formatting and some testing it appears to be working great. Since I already add prefix strings describing sections of the SD when using -sddl++, etc., I decided to add a new prefix string called [SIZE] which will appear in the output when the SD size is requested.
Here are a couple of examples of output…
CSV output of the object security descriptor (nTSecurityDescriptor) and the Exchange mailbox security descriptor (msExchMailboxSecurityDescriptor), if present, with sizes in KB (1024 bytes):
F:\Dev\CPP\AdFind>adfind -default ntsecuritydescriptor msexchmailboxsecuritydescriptor -sdsize kb -csv -maxe 20
"dn","ntsecuritydescriptor","msexchmailboxsecuritydescriptor"
"DC=joe,DC=com","[SIZE] 1.70KB",""
"CN=Users,DC=joe,DC=com","[SIZE] 1.24KB",""
"CN=$jricha34,CN=Users,DC=joe,DC=com","[SIZE] 0.79KB","[SIZE] 0.49KB"
"OU=Exchange,DC=joe,DC=com","[SIZE] 1.30KB",""
"OU=joeware2,OU=Exchange,DC=joe,DC=com","[SIZE] 1.36KB",""
"OU=MailUsers,OU=joeware2,OU=Exchange,DC=joe,DC=com","[SIZE] 1.36KB",""
"CN=postmaster,OU=MailUsers,OU=joeware2,OU=Exchange,DC=joe,DC=com","[SIZE] 1.95KB","[SIZE] 0.53KB"
"OU=Domain Controllers,DC=joe,DC=com","[SIZE] 1.12KB",""
"CN=Computers,DC=joe,DC=com","[SIZE] 1.41KB",""
"CN=2K3DC02,OU=Domain Controllers,DC=joe,DC=com","[SIZE] 1.88KB",""
"CN=System,DC=joe,DC=com","[SIZE] 1.14KB",""
"CN=RID Manager$,CN=System,DC=joe,DC=com","[SIZE] 1.16KB",""
"CN=LostAndFound,DC=joe,DC=com","[SIZE] 1.07KB",""
"CN=Infrastructure,DC=joe,DC=com","[SIZE] 1.09KB",""
"CN=ForeignSecurityPrincipals,DC=joe,DC=com","[SIZE] 1.07KB",""
"CN=Program Data,DC=joe,DC=com","[SIZE] 1.07KB",""
"CN=Microsoft,CN=Program Data,DC=joe,DC=com","[SIZE] 1.07KB",""
"CN=NTDS Quotas,DC=joe,DC=com","[SIZE] 1.11KB",""
"CN=WinsockServices,CN=System,DC=joe,DC=com","[SIZE] 1.14KB",""
"CN=RpcServices,CN=System,DC=joe,DC=com","[SIZE] 1.14KB",""
Standard output, without decoding the SD, with sizes in bytes (the default when -sdsize is given no unit):
F:\Dev\CPP\AdFind>adfind -default ntsecuritydescriptor msexchmailboxsecuritydescriptor -sdsize -maxe 5
AdFind V01.36.00cpp Joe Richards (joe@joeware.net) February 2007
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:DC=joe,DC=com
>nTSecurityDescriptor: [SIZE] 1736B

dn:CN=Users,DC=joe,DC=com
>nTSecurityDescriptor: [SIZE] 1268B

dn:CN=$jricha34,CN=Users,DC=joe,DC=com
>nTSecurityDescriptor: [SIZE] 812B
>msExchMailboxSecurityDescriptor: [SIZE] 504B

dn:OU=Exchange,DC=joe,DC=com
>nTSecurityDescriptor: [SIZE] 1332B

dn:OU=joeware2,OU=Exchange,DC=joe,DC=com
>nTSecurityDescriptor: [SIZE] 1388B

5 Objects returned
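For anyone who wants to see where those byte counts come from, here is an added example (my own illustration, not AdFind source) that walks the self-relative SECURITY_DESCRIPTOR blob that LDAP hands back for nTSecurityDescriptor, reports the total size plus per-part sizes and ACE counts, renders the number the way the [SIZE] output above does, and flags blobs over the roughly 32K mark Brandon's note mentions. The sample descriptor is constructed in the script (it reuses the domain SID visible in the output above); the 32K threshold and the helper names are assumptions for the example.

```python
"""Measure an AD security descriptor blob: total bytes, per-part sizes, ACE counts.

Added example, not AdFind code. Layout is the Windows self-relative
SECURITY_DESCRIPTOR format that LDAP returns for nTSecurityDescriptor; the
sample descriptor below is constructed here, not read from a directory."""
import struct

SE_SELF_RELATIVE = 0x8000
SE_DACL_PRESENT = 0x0004
SE_SACL_PRESENT = 0x0010
ACCESS_ALLOWED_ACE_TYPE = 0x00
SYSTEM_AUDIT_ACE_TYPE = 0x02
ACL_REVISION_DS = 4  # ACL revision AD uses (permits object ACEs)


# ---- building a self-relative SD (only needed to construct the sample) ----
def build_sid(sid_string):
    """'S-1-5-32-544' -> binary SID: revision, sub-authority count,
    48-bit big-endian identifier authority, little-endian sub-authorities."""
    parts = sid_string.split("-")
    if parts[:2] != ["S", "1"]:
        raise ValueError("only revision-1 SIDs are supported")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def build_ace(ace_type, flags, mask, sid_string):
    """Non-object ACE: 4-byte header (type, flags, AceSize) + access mask + SID."""
    body = struct.pack("<I", mask) + build_sid(sid_string)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body


def build_acl(aces):
    """8-byte ACL header (revision, sbz1, AclSize, AceCount, sbz2) + ACEs.
    AclSize is a 16-bit field, so a single ACL can never exceed 65535 bytes."""
    body = b"".join(aces)
    return struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(body), len(aces), 0) + body


def build_sd(owner, group, dacl, sacl=b""):
    """Self-relative SD: 20-byte header holding offsets, then owner, group, SACL, DACL."""
    control = SE_SELF_RELATIVE | SE_DACL_PRESENT | (SE_SACL_PRESENT if sacl else 0)
    owner_b, group_b = build_sid(owner), build_sid(group)
    off_owner, off_group = 20, 20 + len(owner_b)
    off_sacl = off_group + len(group_b) if sacl else 0
    off_dacl = off_group + len(group_b) + len(sacl)
    header = struct.pack("<BBHIIII", 1, 0, control, off_owner, off_group, off_sacl, off_dacl)
    return header + owner_b + group_b + sacl + dacl


# ---- measuring a blob (this is the part you would point at real LDAP data) ----
def sid_length(blob, off):
    """Byte length of the SID at off: 8 + 4 per sub-authority (count is byte 1)."""
    return 8 + 4 * blob[off + 1]


def acl_info(blob, off):
    """(AclSize, AceCount) read from the ACL header at off; (0, 0) when absent."""
    if off == 0:
        return 0, 0
    _rev, _sbz1, size, count, _sbz2 = struct.unpack_from("<BBHHH", blob, off)
    return size, count


def sd_info(blob):
    """Sizes of each part of a self-relative SD plus the total blob length."""
    rev, _sbz1, control, off_owner, off_group, off_sacl, off_dacl = struct.unpack_from("<BBHIIII", blob, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative revision-1 security descriptor")
    dacl_size, dacl_aces = acl_info(blob, off_dacl if control & SE_DACL_PRESENT else 0)
    sacl_size, sacl_aces = acl_info(blob, off_sacl if control & SE_SACL_PRESENT else 0)
    return {"total": len(blob),
            "owner": sid_length(blob, off_owner) if off_owner else 0,
            "group": sid_length(blob, off_group) if off_group else 0,
            "dacl": dacl_size, "dacl_aces": dacl_aces,
            "sacl": sacl_size, "sacl_aces": sacl_aces}


def format_size(nbytes, unit="b"):
    """Render like the AdFind output above: '[SIZE] 1736B' or '[SIZE] 1.70KB' (KB = 1024 bytes)."""
    if unit.lower() == "kb":
        return "[SIZE] %.2fKB" % (nbytes / 1024)
    return "[SIZE] %dB" % nbytes


def exceeds_limit(blob, limit=32 * 1024):
    """True when the blob is over the ~32K some applications reportedly choke on (assumed threshold)."""
    return len(blob) > limit


# Constructed sample: owner/group BA, two DACL ACEs, one SACL audit ACE.
DOMAIN_SID = "S-1-5-21-1862701446-4008382571-2198042679"  # domain SID seen in the output above
SAMPLE_SD = build_sd(
    owner="S-1-5-32-544", group="S-1-5-32-544",
    dacl=build_acl([
        build_ace(ACCESS_ALLOWED_ACE_TYPE, 0x00, 0x000F01FF, "S-1-5-18"),           # SY, full control
        build_ace(ACCESS_ALLOWED_ACE_TYPE, 0x02, 0x00020094, DOMAIN_SID + "-1674"),  # container inherit, read
    ]),
    sacl=build_acl([build_ace(SYSTEM_AUDIT_ACE_TYPE, 0x40, 0x00000020, "S-1-1-0")]),  # success audit, WD
)


def bloated_sd(ace_count):
    """SD whose DACL repeats one 36-byte ACE ace_count times; shows where the threshold trips."""
    ace = build_ace(ACCESS_ALLOWED_ACE_TYPE, 0, 0x00020094, DOMAIN_SID + "-1674")
    return build_sd("S-1-5-32-544", "S-1-5-32-544", build_acl([ace] * ace_count))


if __name__ == "__main__":
    info = sd_info(SAMPLE_SD)
    print(format_size(info["total"]), format_size(info["total"], "kb"), info)
    for n in (100, 1000):
        blob = bloated_sd(n)
        print(n, "ACEs:", format_size(len(blob), "kb"), "over limit" if exceeds_limit(blob) else "ok")
```

On real data you would feed sd_info() the raw bytes of nTSecurityDescriptor from an LDAP read. One caveat when comparing numbers between runs: the blob is only as big as the parts the server sent you, so a read as an account without SeSecurityPrivilege comes back without the SACL (and, without the LDAP_SERVER_SD_FLAGS_OID control, may not return the attribute at all), which makes its size not comparable to the same object read as an admin.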
And finally, standard output with the SD decoded in -sddl++ mode, again in KB:
F:\Dev\CPP\AdFind>adfind -default ntsecuritydescriptor msexchmailboxsecuritydescriptor -sdsize kb -maxe 2 -sddl++
AdFind V01.36.00cpp Joe Richards (joe@joeware.net) February 2007
Using server: 2k3dc02.joe.com:389
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:DC=joe,DC=com
>nTSecurityDescriptor: [SIZE] 1.70KB
>nTSecurityDescriptor: [OWNER] BA
>nTSecurityDescriptor: [GROUP] BA
>nTSecurityDescriptor: [DACL] (FLAGS:INHERIT)
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Manage Replication Topology;;S-1-5-21-1862701446-4008382571-2198042679-1674
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes All;;DD
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT];[WRT PROP];groupType;;S-1-5-21-1862701446-4008382571-2198042679-1674
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT];[WRT PROP];displayName;;S-1-5-21-1862701446-4008382571-2198042679-1674
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT];[WRT PROP];Public Information;;S-1-5-21-1862701446-4008382571-2198042679-1674
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT];[WRT PROP];Personal Information;;S-1-5-21-1862701446-4008382571-2198042679-1674
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];tokenGroups;computer;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];tokenGroups;group;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];tokenGroups;user;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;inetOrgPerson;S-1-5-21-1862701446-4008382571-2198042679-1674
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;user;S-1-5-21-1862701446-4008382571-2198042679-1674
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ][WRT PERMS];;group;S-1-5-21-1862701446-4008382571-2198042679-1674
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;BA
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replication Synchronization;;BA
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Manage Replication Topology;;BA
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes All;;BA
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Create Inbound Forest Trust;;S-1-5-32-557
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;group;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;user;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replication Synchronization;;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Manage Replication Topology;;ED
>nTSecurityDescriptor: [DACL] ALLOW;;[READ];;;S-1-5-21-1862701446-4008382571-2198042679-1674
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][READ];;;S-1-5-21-3593593216-2729731540-1825052264-13170
>nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT OWNER];;;DA
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[LIST CHILDREN];;;S-1-5-21-1862701446-4008382571-2198042679-1674
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[FC];;;EA
>nTSecurityDescriptor: [DACL] ALLOW;;[READ PROP][READ];;;RU
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[LIST CHILDREN];;;RU
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[CR CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][DEL][READ][WRT PERMS][WRT OWNER];;;BA
>nTSecurityDescriptor: [DACL] ALLOW;;[READ PROP];;;WD
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;ED
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;AU
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;SY
>nTSecurityDescriptor: [SACL] (FLAGS:INHERIT)
>nTSecurityDescriptor: [SACL] OBJ AUDIT;[CONT INHERIT][SUCCESS];[WRT PROP];gPLink;organizationalUnit;WD
>nTSecurityDescriptor: [SACL] OBJ AUDIT;[CONT INHERIT][SUCCESS];[WRT PROP];gPOptions;organizationalUnit;WD
>nTSecurityDescriptor: [SACL] AUDIT;[SUCCESS];[CTL];;;DU
>nTSecurityDescriptor: [SACL] AUDIT;[SUCCESS];[CTL];;;BA
>nTSecurityDescriptor: [SACL] AUDIT;[SUCCESS];[WRT PROP][WRT PERMS][WRT OWNER];;;WD

dn:CN=Users,DC=joe,DC=com
>nTSecurityDescriptor: [SIZE] 1.24KB
>nTSecurityDescriptor: [OWNER] DA
>nTSecurityDescriptor: [GROUP] DA
>nTSecurityDescriptor: [DACL] (FLAGS:INHERIT)
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];inetOrgPerson;;AO
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];group;;AO
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];printQueue;;PO
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];user;;AO
>nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][DEL CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT OWNER];;;DA
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;AU
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;SY
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[WRT PROP];groupType;;S-1-5-21-1862701446-4008382571-2198042679-1674
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[WRT PROP];displayName;;S-1-5-21-1862701446-4008382571-2198042679-1674
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[WRT PROP];Public Information;;S-1-5-21-1862701446-4008382571-2198042679-1674
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERITED];[WRT PROP];Personal Information;;S-1-5-21-1862701446-4008382571-2198042679-1674
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[READ PROP];tokenGroups;computer;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[READ PROP];tokenGroups;group;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[READ PROP];tokenGroups;user;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;inetOrgPerson;S-1-5-21-1862701446-4008382571-2198042679-1674
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;user;S-1-5-21-1862701446-4008382571-2198042679-1674
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[LIST CHILDREN][READ PROP][LIST OBJ][READ][WRT PERMS];;group;S-1-5-21-1862701446-4008382571-2198042679-1674
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;group;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY][INHERITED];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;user;RU
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT][INHERITED];[LIST CHILDREN];;;S-1-5-21-1862701446-4008382571-2198042679-1674
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT][INHERITED];[FC];;;EA
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT][INHERITED];[LIST CHILDREN];;;RU
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT][INHERITED];[CR CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][DEL][READ][WRT PERMS][WRT OWNER];;;BA
>nTSecurityDescriptor: [SACL] (FLAGS:INHERIT)
>nTSecurityDescriptor: [SACL] OBJ AUDIT;[CONT INHERIT][INHERIT ONLY][INHERITED][SUCCESS];[WRT PROP];gPLink;organizationalUnit;WD
>nTSecurityDescriptor: [SACL] OBJ AUDIT;[CONT INHERIT][INHERIT ONLY][INHERITED][SUCCESS];[WRT PROP];gPOptions;organizationalUnit;WD

2 Objects returned