I hear this question all of the time… AdFind is cool, but can it display Security Descriptors in a friendly format… or more accurately most people say “can it display permissions in a way I can read??”
Well yes, AdFind can output security descriptors in a readable format, whether or not *you* can read it is, well, that is something for you to validate on your own. You can, if you want, let me know the results.
The fact is, I actually prefer the security descriptor output from AdFind to that from, say, DSACLS, for a couple of reasons…
First, you aren’t accidentally screwing up and changing anything with AdFind… AdFind CANNOT change anything, it is purely read only. ON PURPOSE! No… “Oops I accidentally clicked on a button and hit OK instead of CANCEL”. It is READ ONLY. Again, what is it??? Read Only. You can give this tool to your mom and she can’t hurt anything. It is duller than a butter knife made from tofu.
Next I like that it is more tightly bound output… I can’t really explain what I mean by that, but maybe you understand if you have seen the output from both tools, and if not, I will show you the output somewhere below. When I look at the output from DSACLS I think chaotic, too spread out, and infinitely painful to script around.
Next thing I like is that unlike DSACLS, AdFind will display *any* security descriptor attribute in AD, not just the nTSecurityDescriptor, so say you are one of the few people who have installed a product called Exchange, there is an attribute called msExchMailboxSecurityDescriptor – yes AdFind can display that as well.
Oh and something really cool… you can use any LDAP query you want to display the security descriptors of any object that matches the query. So you could use one command to dump the security descriptors of all OUs… or all Users with mailboxes… or all groups… or all objects with admincount=1, etc etc etc… Can’t do any of that with DSACLS. But then that wasn’t the goal of that tool when it was put together and there are things that I can’t do with AdFind and AdMod “yet”.
So quickly here is what DSACLS output looks like for anyone who isn’t familiar:
G:\blogfodder>dsacls dc=test,dc=loc
Access list:
Effective Permissions on this object are:
Allow TEST\Domain Admins                    SPECIAL ACCESS
                                            READ PERMISSONS
                                            WRITE PERMISSIONS
                                            CHANGE OWNERSHIP
                                            CREATE CHILD
                                            LIST CONTENTS
                                            WRITE SELF
                                            WRITE PROPERTY
                                            READ PROPERTY
                                            LIST OBJECT
                                            CONTROL ACCESS
Allow TEST\Enterprise Admins                FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                            SPECIAL ACCESS
                                            READ PERMISSONS
                                            READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                            SPECIAL ACCESS
                                            LIST CONTENTS
Allow BUILTIN\Administrators                SPECIAL ACCESS
                                            DELETE
                                            READ PERMISSONS
                                            WRITE PERMISSIONS
                                            CHANGE OWNERSHIP
                                            CREATE CHILD
                                            LIST CONTENTS
                                            WRITE SELF
                                            WRITE PROPERTY
                                            READ PROPERTY
                                            LIST OBJECT
                                            CONTROL ACCESS
Allow Everyone                              SPECIAL ACCESS
                                            READ PROPERTY
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
                                            SPECIAL ACCESS
                                            READ PERMISSONS
                                            LIST CONTENTS
                                            READ PROPERTY
                                            LIST OBJECT
Allow NT AUTHORITY\Authenticated Users      SPECIAL ACCESS
                                            READ PERMISSONS
                                            LIST CONTENTS
                                            READ PROPERTY
                                            LIST OBJECT
Allow NT AUTHORITY\SYSTEM                   FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                            SPECIAL ACCESS for Domain Password & Lockout Policies
                                            READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                            SPECIAL ACCESS for Other Domain Parameters (for use by SAM)
                                            READ PROPERTY
Allow NT AUTHORITY\Authenticated Users      SPECIAL ACCESS for Other Domain Parameters (for use by SAM)
                                            READ PROPERTY
Allow TEST\Domain Controllers               Replicating Directory Changes All
Allow TEST\testgroup                        Monitor Active Directory Replication
Allow BUILTIN\Administrators                Replicating Directory Changes
Allow BUILTIN\Administrators                Replication Synchronization
Allow BUILTIN\Administrators                Manage Replication Topology
Allow BUILTIN\Administrators                Replicating Directory Changes All
Allow BUILTIN\Incoming Forest Trust Builders
                                            Create Inbound Forest Trust
Allow NT AUTHORITY\Authenticated Users      Enable Per User Reversibly Encrypted Password
Allow NT AUTHORITY\Authenticated Users      Unexpire Password
Allow NT AUTHORITY\Authenticated Users      Update Password Not Required Bit
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
                                            Replicating Directory Changes
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
                                            Replication Synchronization
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
                                            Manage Replication Topology
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Enterprise Admins                FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                            SPECIAL ACCESS
                                            LIST CONTENTS
Allow BUILTIN\Administrators                SPECIAL ACCESS
                                            DELETE
                                            READ PERMISSONS
                                            WRITE PERMISSIONS
                                            CHANGE OWNERSHIP
                                            CREATE CHILD
                                            LIST CONTENTS
                                            WRITE SELF
                                            WRITE PROPERTY
                                            READ PROPERTY
                                            LIST OBJECT
                                            CONTROL ACCESS
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                            SPECIAL ACCESS
                                            READ PERMISSONS
                                            LIST CONTENTS
                                            READ PROPERTY
                                            LIST OBJECT
Inherited to group
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                            SPECIAL ACCESS
                                            READ PERMISSONS
                                            LIST CONTENTS
                                            READ PROPERTY
                                            LIST OBJECT
Inherited to inetOrgPerson
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                            SPECIAL ACCESS
                                            READ PERMISSONS
                                            LIST CONTENTS
                                            READ PROPERTY
                                            LIST OBJECT
Inherited to user
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
                                            SPECIAL ACCESS for tokenGroups
                                            READ PROPERTY
Inherited to group
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
                                            SPECIAL ACCESS for tokenGroups
                                            READ PROPERTY
Inherited to computer
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
                                            SPECIAL ACCESS for tokenGroups
                                            READ PROPERTY
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                            SPECIAL ACCESS for Remote Access Information
                                            READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                            SPECIAL ACCESS for Remote Access Information
                                            READ PROPERTY
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                            SPECIAL ACCESS for General Information
                                            READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                            SPECIAL ACCESS for General Information
                                            READ PROPERTY
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                            SPECIAL ACCESS for Group Membership
                                            READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                            SPECIAL ACCESS for Group Membership
                                            READ PROPERTY
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                            SPECIAL ACCESS for Logon Information
                                            READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                            SPECIAL ACCESS for Logon Information
                                            READ PROPERTY
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                            SPECIAL ACCESS for Account Restrictions
                                            READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\Pre-Windows 2000 Compatible Access
                                            SPECIAL ACCESS for Account Restrictions
                                            READ PROPERTY
The command completed successfully
That is a pretty standard NC head DACL; I think there is only one added ACE, which was for testing something.
How does AdFind display that same info? Well it depends, I like to be a little flexible and it can output in several ways depending on what you want…
But first… I want to point out a couple of switches that may be useful to you if you aren’t the admin of the domain you are going to read info from. By default, when you ask for the nTSecurityDescriptor, AD wants to return the entire security descriptor. Well, if you don’t have certain rights, specifically manage auditing, you can’t retrieve the System ACL, aka the SACL or the auditing information. They don’t want to give you info about what is being audited if you aren’t supposed to be managing it; it might give you a clue of what to try and attack and not be caught… So to get around this, they allow you to ask for only portions of the security descriptor. I put in a special switch to tell AdFind to ask for everything *but* the SACL; that switch is called -sdna which, if you want to know, stands for Security Descriptor Non-Admin. You could also use the -nosacl switch, which I added later to be consistent with some other security descriptor switches I added. So if you are not an admin, or are running the tool as a normal user, use -sdna or -nosacl to get information back. If you do that, you will notice that anywhere below where the SACL is displayed, you will not have the SACL. Make sense? Good…
First the default output:
G:\blogfodder>adfind -b dc=test,dc=loc -s base ntsecuritydescriptor
AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007
Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
dn:dc=test,dc=loc
>nTSecurityDescriptor: {Security Descriptor}
1 Objects returned
As you can see, not all that helpful, so I added a basic decode option called -sddl (or -sddc for Security Descriptor De-Code) that looks like:
G:\blogfodder>adfind -b dc=test,dc=loc -s base ntsecuritydescriptor -sddl
AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007
Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
dn:dc=test,dc=loc
>nTSecurityDescriptor: [OWNER] BA
>nTSecurityDescriptor: [GROUP] BA
>nTSecurityDescriptor: [DACL] AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa0
03049e2;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP
;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-90
20-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc
14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;f98340fb-7c5b-4cdb-a
00b-2ebdfa115a96;;S-1-5-21-91850410-1263060417-3577111226-2736)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608
;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07
-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c740736
0-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU
)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f5
41;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;
AU)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTL
OCRSDRCWDWO;;;SY)
>nTSecurityDescriptor: [SACL] AI(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa0
03049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)
1 Objects returned
That is a slightly cleaned up raw SDDL format which you can get info on here –> http://www.washington.edu/computing/support/windows/UWdomains/SDDL.html. Note: Normally I would point at MSDN but it seems they have screwed it up yet again and it isn’t displaying pages properly. I think the whole MSDN site is a lab environment or something, it is broken a good amount of the time.
Anyway, this output is SDDL, but it is cleaned up in that the OWNER, GROUP, DACL, and SACL are all broken out onto their own lines for reading. Note that it probably looks pretty bad in the web browser window; it looks much better in a text file or on the screen if you have a sufficiently wide command prompt window (I usually set mine to 210 characters, but even that isn’t really wide enough for most security descriptors).
So now the next output decode option is a lot cleaner for most people. It is a slight upgrade from the SDDL format before and so I called the switch -sddl+ (or -sddc+):
G:\blogfodder>adfind -b dc=test,dc=loc -s base ntsecuritydescriptor -sddl+
AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007
Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
dn:dc=test,dc=loc
>nTSecurityDescriptor: [OWNER] BA
>nTSecurityDescriptor: [GROUP] BA
>nTSecurityDescriptor: [DACL] AI
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Account Restrictions;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Account Restrictions;user;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Logon Information;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Logon Information;user;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Group Membership;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Group Membership;user;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;General Information;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;General Information;user;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Remote Access Information;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Remote Access Information;user;RU
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes All;;DD
>nTSecurityDescriptor: [DACL] OA;;CR;Monitor Active Directory Replication;;S-1-5-21-91850410-1263060417-3577111226-2736
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;tokenGroups;computer;ED
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;tokenGroups;group;ED
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;tokenGroups;user;ED
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes;;BA
>nTSecurityDescriptor: [DACL] OA;;CR;Replication Synchronization;;BA
>nTSecurityDescriptor: [DACL] OA;;CR;Manage Replication Topology;;BA
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes All;;BA
>nTSecurityDescriptor: [DACL] OA;;CR;Create Inbound Forest Trust;;S-1-5-32-557
>nTSecurityDescriptor: [DACL] OA;;RP;Domain Password & Lockout Policies;;RU
>nTSecurityDescriptor: [DACL] OA;;RP;Other Domain Parameters (for use by SAM);;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;LCRPLORC;;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;LCRPLORC;;group;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;LCRPLORC;;user;RU
>nTSecurityDescriptor: [DACL] OA;;CR;Enable Per User Reversibly Encrypted Password;;AU
>nTSecurityDescriptor: [DACL] OA;;CR;Unexpire Password;;AU
>nTSecurityDescriptor: [DACL] OA;;CR;Update Password Not Required Bit;;AU
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes;;ED
>nTSecurityDescriptor: [DACL] OA;;CR;Replication Synchronization;;ED
>nTSecurityDescriptor: [DACL] OA;;CR;Manage Replication Topology;;ED
>nTSecurityDescriptor: [DACL] OA;;RP;Other Domain Parameters (for use by SAM);;AU
>nTSecurityDescriptor: [DACL] A;;CCLCSWRPWPLOCRRCWDWO;;;DA
>nTSecurityDescriptor: [DACL] A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA
>nTSecurityDescriptor: [DACL] A;;RPRC;;;RU
>nTSecurityDescriptor: [DACL] A;CI;LC;;;RU
>nTSecurityDescriptor: [DACL] A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA
>nTSecurityDescriptor: [DACL] A;;RP;;;WD
>nTSecurityDescriptor: [DACL] A;;LCRPLORC;;;ED
>nTSecurityDescriptor: [DACL] A;;LCRPLORC;;;AU
>nTSecurityDescriptor: [DACL] A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY
>nTSecurityDescriptor: [SACL] AI
>nTSecurityDescriptor: [SACL] OU;CISA;WP;gPLink;organizationalUnit;WD
>nTSecurityDescriptor: [SACL] OU;CISA;WP;gPOptions;organizationalUnit;WD
>nTSecurityDescriptor: [SACL] AU;SA;CR;;;DU
>nTSecurityDescriptor: [SACL] AU;SA;CR;;;BA
>nTSecurityDescriptor: [SACL] AU;SA;WPWDWO;;;WD
1 Objects returned
That is all of the ACEs broken out one to a line, in the order they are in the security descriptor. It is still in SDDL character encoding. For some of you that is fine; at least you can now scan through it. For others, that is still a bit cryptic, so I have -sddl++ (and, as you may guess, -sddc++):
G:\blogfodder>adfind -b dc=test,dc=loc -s base ntsecuritydescriptor -sddl++
AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007
Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
dn:dc=test,dc=loc
>nTSecurityDescriptor: [OWNER] BA
>nTSecurityDescriptor: [GROUP] BA
>nTSecurityDescriptor: [DACL] (FLAGS:INHERIT)
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Account Restrictions;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Account Restrictions;user;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Logon Information;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Logon Information;user;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Group Membership;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Group Membership;user;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];General Information;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];General Information;user;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Remote Access Information;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Remote Access Information;user;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes All;;DD
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Monitor Active Directory Replication;;S-1-5-21-91850410-1263060417-3577111226-2736
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];tokenGroups;computer;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];tokenGroups;group;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];tokenGroups;user;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;BA
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replication Synchronization;;BA
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Manage Replication Topology;;BA
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes All;;BA
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Create Inbound Forest Trust;;S-1-5-32-557
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Domain Password & Lockout Policies;;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Other Domain Parameters (for use by SAM);;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;group;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;user;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Enable Per User Reversibly Encrypted Password;;AU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Unexpire Password;;AU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Update Password Not Required Bit;;AU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replication Synchronization;;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Manage Replication Topology;;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Other Domain Parameters (for use by SAM);;AU
>nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT OWNER];;;DA
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[FC];;;EA
>nTSecurityDescriptor: [DACL] ALLOW;;[READ PROP][READ];;;RU
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[LIST CHILDREN];;;RU
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[CR CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][DEL][READ][WRT PERMS][WRT OWNER];;;BA
>nTSecurityDescriptor: [DACL] ALLOW;;[READ PROP];;;WD
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;ED
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;AU
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;SY
>nTSecurityDescriptor: [SACL] (FLAGS:INHERIT)
>nTSecurityDescriptor: [SACL] OBJ AUDIT;[CONT INHERIT][SUCCESS];[WRT PROP];gPLink;organizationalUnit;WD
>nTSecurityDescriptor: [SACL] OBJ AUDIT;[CONT INHERIT][SUCCESS];[WRT PROP];gPOptions;organizationalUnit;WD
>nTSecurityDescriptor: [SACL] AUDIT;[SUCCESS];[CTL];;;DU
>nTSecurityDescriptor: [SACL] AUDIT;[SUCCESS];[CTL];;;BA
>nTSecurityDescriptor: [SACL] AUDIT;[SUCCESS];[WRT PROP][WRT PERMS][WRT OWNER];;;WD
1 Objects returned
That is far more verbose, but it still does not decode the SIDs; if you want that, use the -resolvesids switch in addition to the format you want. For brevity I will go back to -sddl+, which is the one I like best anyway.
G:\blogfodder>adfind -b dc=test,dc=loc -s base ntsecuritydescriptor -sddl+ -resolvesids
AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007
Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
dn:dc=test,dc=loc
>nTSecurityDescriptor: [OWNER] BUILTIN\Administrators
>nTSecurityDescriptor: [GROUP] BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] AI
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Account Restrictions;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Account Restrictions;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Logon Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Logon Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Group Membership;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Group Membership;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;General Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;General Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Remote Access Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Remote Access Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes All;;TEST\Domain Controllers
>nTSecurityDescriptor: [DACL] OA;;CR;Monitor Active Directory Replication;;TEST\testgroup
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;tokenGroups;computer;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;tokenGroups;group;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;tokenGroups;user;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OA;;CR;Replication Synchronization;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OA;;CR;Manage Replication Topology;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes All;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OA;;CR;Create Inbound Forest Trust;;BUILTIN\Incoming Forest Trust Builders
>nTSecurityDescriptor: [DACL] OA;;RP;Domain Password & Lockout Policies;;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;;RP;Other Domain Parameters (for use by SAM);;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;LCRPLORC;;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;LCRPLORC;;group;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;LCRPLORC;;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;;CR;Enable Per User Reversibly Encrypted Password;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] OA;;CR;Unexpire Password;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] OA;;CR;Update Password Not Required Bit;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;;CR;Replication Synchronization;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;;CR;Manage Replication Topology;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;;RP;Other Domain Parameters (for use by SAM);;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] A;;CCLCSWRPWPLOCRRCWDWO;;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;TEST\Enterprise Admins
>nTSecurityDescriptor: [DACL] A;;RPRC;;;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] A;CI;LC;;;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] A;;RP;;;Everyone
>nTSecurityDescriptor: [DACL] A;;LCRPLORC;;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] A;;LCRPLORC;;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [SACL] AI
>nTSecurityDescriptor: [SACL] OU;CISA;WP;gPLink;organizationalUnit;Everyone
>nTSecurityDescriptor: [SACL] OU;CISA;WP;gPOptions;organizationalUnit;Everyone
>nTSecurityDescriptor: [SACL] AU;SA;CR;;;TEST\Domain Users
>nTSecurityDescriptor: [SACL] AU;SA;CR;;;BUILTIN\Administrators
>nTSecurityDescriptor: [SACL] AU;SA;WPWDWO;;;Everyone
1 Objects returned
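The decode that -sddl++ and -resolvesids perform on each ACE, as an added example that is not AdFind's code: this Python parses -sddl+ lines like the ones above, expands the two-letter SDDL codes into the bracketed labels -sddl++ prints, resolves the well-known SID aliases with the names from the -resolvesids output, and adds a small audit helper that lists who holds a given set of rights on the object. The DC, DT, generic-right and ACL-flag labels and the TEST domain names are assumptions, not something the output above shows.

```python
"""Decode AdFind's one-ACE-per-line SDDL output (-sddl+) into the spelled-out
form -sddl++ prints, resolving SID aliases the way -resolvesids does.  Added
example, not AdFind's code: bracketed labels and resolved names are copied from
the output above; DC, DT, generic-right and ACL-flag labels are assumptions."""
import re

ACE_TYPES = {"A": "ALLOW", "D": "DENY", "OA": "OBJ ALLOW", "OD": "OBJ DENY",
             "AU": "AUDIT", "OU": "OBJ AUDIT"}
ACE_FLAGS = {"CI": "CONT INHERIT", "OI": "OBJ INHERIT", "NP": "NO PROPAGATE",
             "IO": "INHERIT ONLY", "ID": "INHERITED", "SA": "SUCCESS", "FA": "FAILURE"}
ACL_FLAGS = {"P": "PROTECTED", "AI": "INHERIT", "AR": "INHERIT_REQ"}
# All 13 DS rights together collapse to [FC], as the EA and SY ACEs above show.
# "WD" as a right is WRITE_DAC; "WD" as a trustee is Everyone: separate tables.
RIGHTS = {"CC": "CR CHILD", "DC": "DEL CHILD", "LC": "LIST CHILDREN", "SW": "SELF WRT",
          "RP": "READ PROP", "WP": "WRT PROP", "DT": "DEL TREE", "LO": "LIST OBJ",
          "CR": "CTL", "SD": "DEL", "RC": "READ", "WD": "WRT PERMS", "WO": "WRT OWNER",
          "GA": "GENERIC ALL", "GR": "GENERIC READ", "GW": "GENERIC WRITE", "GX": "GENERIC EXEC"}
FULL_CONTROL = {"CC", "DC", "LC", "SW", "RP", "WP", "DT", "LO", "CR", "SD", "RC", "WD", "WO"}
SID_ALIASES = {"BA": r"BUILTIN\Administrators", "SY": r"NT AUTHORITY\SYSTEM",
               "RU": r"BUILTIN\Pre-Windows 2000 Compatible Access", "WD": "Everyone",
               "AU": r"NT AUTHORITY\Authenticated Users", "DU": r"TEST\Domain Users",
               "ED": r"NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS", "DD": r"TEST\Domain Controllers",
               "DA": r"TEST\Domain Admins", "EA": r"TEST\Enterprise Admins"}
LINE_RE = re.compile(r"^>\S+: \[(OWNER|GROUP|DACL|SACL)\] (.*)$")

def parse_ace(ace):
    """Split 'type;flags;rights;object;inherited_object;trustee' into a dict."""
    parts = ace.split(";")
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields in ACE {ace!r}")
    t, flags, rights, obj, inh_obj, trustee = parts
    # rights are two-letter codes, or a raw 0x mask when some bit has no code
    codes = [rights] if rights.startswith("0x") else re.findall("..", rights)
    return {"type": t, "flags": re.findall("..", flags), "rights": codes,
            "object": obj, "inherited_object": inh_obj, "trustee": trustee}

def decode_ace(ace, resolve_sids=False):
    """Render one -sddl+ ACE the way -sddl++ (and -resolvesids) print it."""
    a = parse_ace(ace)
    flags = "".join(f"[{ACE_FLAGS.get(f, f)}]" for f in a["flags"])
    rights = ("[FC]" if FULL_CONTROL <= set(a["rights"])
              else "".join(f"[{RIGHTS.get(r, r)}]" for r in a["rights"]))
    trustee = SID_ALIASES.get(a["trustee"], a["trustee"]) if resolve_sids else a["trustee"]
    return ";".join([ACE_TYPES.get(a["type"], a["type"]), flags, rights,
                     a["object"], a["inherited_object"], trustee])

def decode_output(lines, resolve_sids=False):
    """Walk -sddl+ output; return (section, decoded text) per descriptor line."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:                       # banner, dn: and "Objects returned" lines
            continue
        section, body = m.groups()
        if section in ("OWNER", "GROUP"):
            text = SID_ALIASES.get(body, body) if resolve_sids else body
        elif ";" not in body:           # ACL control flags line, e.g. "AI" or "PAI"
            text = "(FLAGS:%s)" % ",".join(ACL_FLAGS[f] for f in re.findall("AI|AR|P", body))
        else:
            text = decode_ace(body, resolve_sids)
        out.append((section, text))
    return out

def dacl_holders(lines, *codes):
    """Audit helper: resolved trustees of effective (not inherit-only) ALLOW ACEs
    that grant every right code given, e.g. ("WD", "WO") = may rewrite DACL/owner."""
    holders = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(1) != "DACL" or ";" not in m.group(2):
            continue
        a = parse_ace(m.group(2))
        granted = set(a["rights"]) | (FULL_CONTROL if "GA" in a["rights"] else set())
        if a["type"] in ("A", "OA") and "IO" not in a["flags"] and set(codes) <= granted:
            holders.append(SID_ALIASES.get(a["trustee"], a["trustee"]))
    return holders

# Constructed sample: a few of the -sddl+ lines shown above plus a footer to skip.
SAMPLE = """>nTSecurityDescriptor: [OWNER] BA
>nTSecurityDescriptor: [DACL] AI
>nTSecurityDescriptor: [DACL] A;;CCLCSWRPWPLOCRRCWDWO;;;DA
>nTSecurityDescriptor: [DACL] A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA
>nTSecurityDescriptor: [DACL] A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA
>nTSecurityDescriptor: [SACL] OU;CISA;WP;gPLink;organizationalUnit;WD
1 Objects returned""".splitlines()
```

Feeding it the full -sddl+ output above reproduces the -sddl++ and -resolvesids listings line for line, and `dacl_holders(lines, "WD", "WO")` answers the question an auditor usually has first: who can change this object's permissions.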
Oh another option which may be handy… -list
I would show you what that looks like, but it seems I have hit a bug in this version of LiveWriter, which seems to be that I have reached the max post length when looking at the post in HTML code mode, which is what I have to do to insert text with PRE tags… What the -list switch does is rip off the header and the attribute labels and clean up the output even more for you. Try it. 🙂
So anyway… cool yeah?
I think that should conclude the first post on AdFind and Security Descriptors as it is already pretty long. I will write another post before too long and go into the various switches available for outputting the security descriptors in various ways with various options. In the meanwhile if you are very curious, take a peek at adfind /?? and adfind /sc?
Also does anyone have any specific question about AdFind and its ability to display security descriptors?
joe
[reposted due to system error]
Great article, thanks! Since you asked for specific questions..
How can I use adfind to display ACEs on objects that differ from those they inherit from their parent container? Perhaps something along the lines of -sc aclnoinherit like -sc additionalacenotinparent 🙂
Hey Bob,
Let me restate what I think you are asking with an example… Say you have an ACE on a parent (or grandparent) of SELF:FC that inherits to an object and you also have an explicit ACE on the object of SELF:FC, how do you filter the inherited SELF:FC as well as the explicit SELF:FC since it is a duplicate of the inherited ACE?
Or is this specific to ACEs that were applied only to the direct parent of the object and filtering those?
Or something else?
Either way, this level of filtering is not possible in AdFind. While I don’t see me putting this in AdFind, it may fit into an ACL tool I have been playing with, so if you could explain what it is you are looking for and the benefit, I will see about adding it to that tool.