joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

How Do I Make an Object’s Security Descriptor Inheritable and also while I am at it… resetting from AdminSDHolder…

by @ 12:18 pm on 7/9/2020. Filed under tech

I recently received an email of:

<SNIP>

I have a bunch of previously sensitive & protected accounts where I would like to enable inheritance.

Is it possible to remove the protected inheritance flag with AdMod?

<SNIP>

The quick answer to the direct question is yes: there is an easy way to turn inheritance back on for an arbitrary object or set of objects with AdFind|AdMod.

You send the current Security Descriptor of the object into AdMod and ask it to tweak the DACL control flags, specifically to drop the P (protected) flag. Strictly you only need the explicit DACL portion of the Security Descriptor, not the rest, but it works whether you nibble it down to just that or not.

So something like:

adfind -s <base> -f <filter> ntsecuritydescriptor -rawsddlexpl -rawsddlnl -onlydacl -adcsv | admod SD##ntsecuritydescriptor::{{.:$r$D:PAI$D:AI}} -exterr

For example:

adfind -default -f "&(objectclass=user)(admincount=1)" ntsecuritydescriptor -rawsddlexpl -rawsddlnl -onlydacl -adcsv | admod SD##ntsecuritydescriptor::{{.:$r$D:PAI$D:AI}} -exterr

The reason you have to pass the current Security Descriptor (or at least the DACL portion of it) is that the Security Descriptor is a BLOB (chunk of binary) and each ACE is buried somewhere in that BLOB. You cannot just ask AD to add or remove an ACE or to update only the flags, so you have to write back the entire DACL portion of the Security Descriptor at a minimum. One practical check before you add the AdMod half of the pipeline: run the AdFind half by itself and confirm the DACL strings really start with D:PAI. The replace above is a literal match, so a DACL whose flags are just D:P (or that carries other flags alongside P) is written back unchanged, and -exterr will not complain because nothing failed.
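To make the flag change concrete, and to cover the D:P-only case the literal replace above would skip, here is a small Python helper added as an example (it is not part of the original post and not AdMod code). It takes DACL-only SDDL strings in the shape AdFind emits with -rawsddlexpl -rawsddlnl -onlydacl, drops the P control flag, keeps any other flags, and makes sure AI is present so the result has the same D:AI... form the post's replace produces. The sample strings are constructed, with the ACE lists shortened; only the flag prefix matters.

```python
import re

# Constructed sample DACLs in the DACL-only SDDL form that
# adfind ... ntsecuritydescriptor -rawsddlexpl -rawsddlnl -onlydacl emits.
# The ACE lists are shortened; only the control flags after "D:" matter here.
SAMPLES = {
    "sdprop_stamped":     "D:PAI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)",
    "protected_only":     "D:P(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)",
    "protected_required": "D:PAR(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)",
    "already_inheriting": "D:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)",
}

_HEAD = re.compile(r"^D:([A-Z]*)")  # "D:" followed by the DACL control flags


def dacl_flags(sddl):
    """Return the DACL control flags of a DACL-only SDDL string as a list of
    tokens, e.g. "D:PAI(...)" -> ["P", "AI"]. Only P, AR and AI are known;
    anything else is rejected rather than silently passed through."""
    m = _HEAD.match(sddl)
    if not m:
        raise ValueError("expected a DACL-only SDDL string starting with D:")
    raw, tokens, i = m.group(1), [], 0
    while i < len(raw):
        if raw.startswith(("AR", "AI"), i):
            tokens.append(raw[i:i + 2])
            i += 2
        elif raw[i] == "P":
            tokens.append("P")
            i += 1
        else:
            raise ValueError(f"unknown DACL control flag in {raw!r}")
    return tokens


def is_protected(sddl):
    """True when the DACL carries P (SE_DACL_PROTECTED), i.e. inheritance is blocked."""
    return "P" in dacl_flags(sddl)


def unprotect_dacl(sddl):
    """Drop the P flag so inheritance flows again, keep any other flags, and
    make sure AI is present so the output has the same D:AI... shape the post's
    {{.:$r$D:PAI$D:AI}} replace produces. The ACE list is left untouched."""
    tokens = [t for t in dacl_flags(sddl) if t != "P"]
    if "AI" not in tokens:
        tokens.append("AI")
    body = sddl[_HEAD.match(sddl).end():]
    return "D:" + "".join(tokens) + body


if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(f"{name:20} protected={is_protected(sddl)!s:5} -> {unprotect_dacl(sddl)}")
```

The output string is what you would feed to AdMod's SD##ntsecuritydescriptor:: instead of the inline replace; the point of the helper is that it is a tokenized edit of the control flags, not a substring match, so D:P, D:PAR and D:PAI are all handled and anything unexpected raises instead of being written back to the directory.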

So that question is answered, or is it? Think about it a little longer: the AdminSDHolder functionality doesn't just set the protected flag on an object's DACL, it replaces the object's explicit ACEs with AdminSDHolder's as well. Turning inheritance back on leaves those explicit ACEs in place, so the object still does not carry the ACEs a normal object of its class gets by default. That difference is deliberate: otherwise, by default, Account Operators[1] could update Domain Admin accounts.

Luckily there is a place where the correct default DACL is kept for most object classes: the schema. That is the defaultSecurityDescriptor attribute on the classSchema object that defines the object class. The defaultSecurityDescriptor can be a full Security Descriptor, but in only a few cases does it, for example, list a value for the Owner, Group, or SACL by default (not that you can't modify that to your heart's delight).

Example of defaultSecurityDescriptor:

[Tue 07/07/2020 21:52:16.82]
E:\DEV\cpp\vs\AdMod\Debug>adfind -sc s:user defaultsecuritydescriptor

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) May 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc

dn:CN=User,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
> defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;AU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;WPRP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;WPRP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)

1 Objects returned

Broken out that looks like:

[Tue 07/07/2020 22:01:56.84]
E:\DEV\cpp\vs\AdMod\Debug>adfind -schema -f ldapdisplayname=user defaultsecuritydescriptor -sddl+

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) May 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc

dn:CN=User,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
> defaultSecurityDescriptor: [DACL]
> defaultSecurityDescriptor: [DACL] A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA
> defaultSecurityDescriptor: [DACL] A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY
> defaultSecurityDescriptor: [DACL] A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO
> defaultSecurityDescriptor: [DACL] A;;RPLCLORC;;;PS
> defaultSecurityDescriptor: [DACL] OA;;CR;Change Password;;PS
> defaultSecurityDescriptor: [DACL] OA;;CR;Send As;;PS
> defaultSecurityDescriptor: [DACL] OA;;CR;Receive As;;PS
> defaultSecurityDescriptor: [DACL] OA;;RPWP;Personal Information;;PS
> defaultSecurityDescriptor: [DACL] OA;;RPWP;Phone and Mail Options;;PS
> defaultSecurityDescriptor: [DACL] OA;;RPWP;Web Information;;PS
> defaultSecurityDescriptor: [DACL] OA;;RP;Remote Access Information;;RS
> defaultSecurityDescriptor: [DACL] OA;;RP;Account Restrictions;;RS
> defaultSecurityDescriptor: [DACL] OA;;RP;Group Membership;;RS
> defaultSecurityDescriptor: [DACL] A;;RC;;;AU
> defaultSecurityDescriptor: [DACL] OA;;RP;General Information;;AU
> defaultSecurityDescriptor: [DACL] OA;;RP;Personal Information;;AU
> defaultSecurityDescriptor: [DACL] OA;;RP;Web Information;;AU
> defaultSecurityDescriptor: [DACL] OA;;RP;Public Information;;AU
> defaultSecurityDescriptor: [DACL] OA;;CR;Change Password;;WD
> defaultSecurityDescriptor: [DACL] OA;;RP;Logon Information;;RS
> defaultSecurityDescriptor: [DACL] OA;;RPWP;userCertificate;;CA
> defaultSecurityDescriptor: [DACL] OA;;RP;tokenGroupsGlobalAndUniversal;;S-1-5-32-560
> defaultSecurityDescriptor: [DACL] OA;;WPRP;terminalServer;;S-1-5-32-561
> defaultSecurityDescriptor: [DACL] OA;;WPRP;Terminal Server License Server;;S-1-5-32-561

1 Objects returned

Broken out even more…

[Tue 07/07/2020 22:07:32.31]
E:\DEV\cpp\vs\AdMod\Debug>adfind -schema -f ldapdisplayname=user defaultsecuritydescriptor -sddl++ -resolvesids

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) May 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc

dn:CN=User,CN=Schema,CN=Configuration,DC=lockout,DC=test,DC=loc
> defaultSecurityDescriptor: [DACL] (FLAGS:)
> defaultSecurityDescriptor: [DACL] ALLOW;;[FC];;;Non-specific Domain Admins
> defaultSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
> defaultSecurityDescriptor: [DACL] ALLOW;;[FC];;;BUILTIN\Account Operators
> defaultSecurityDescriptor: [DACL] ALLOW;;[READ PROP][LIST CHILDREN][LIST OBJ][READ];;;NT AUTHORITY\SELF
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Change Password;;NT AUTHORITY\SELF
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Send As;;NT AUTHORITY\SELF
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Receive As;;NT AUTHORITY\SELF
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP][WRT PROP];Personal Information;;NT AUTHORITY\SELF
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP][WRT PROP];Phone and Mail Options;;NT AUTHORITY\SELF
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP][WRT PROP];Web Information;;NT AUTHORITY\SELF
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Remote Access Information;;Non-specific RAS Servers Group
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Account Restrictions;;Non-specific RAS Servers Group
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Group Membership;;Non-specific RAS Servers Group
> defaultSecurityDescriptor: [DACL] ALLOW;;[READ];;;NT AUTHORITY\Authenticated Users
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];General Information;;NT AUTHORITY\Authenticated Users
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Personal Information;;NT AUTHORITY\Authenticated Users
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Web Information;;NT AUTHORITY\Authenticated Users
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Public Information;;NT AUTHORITY\Authenticated Users
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Change Password;;Everyone
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Logon Information;;Non-specific RAS Servers Group
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP][WRT PROP];userCertificate;;Non-specific Certificate Server Admins
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];tokenGroupsGlobalAndUniversal;;BUILTIN\Windows Authorization Access Group
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP][READ PROP];terminalServer;;BUILTIN\Terminal Server License Servers
> defaultSecurityDescriptor: [DACL] OBJ ALLOW;;[WRT PROP][READ PROP];Terminal Server License Server;;BUILTIN\Terminal Server License Servers

1 Objects returned

So this is cool. Apart from the missing DACL flags (did you catch that in the output? the value starts with a bare D:, no AI), it seems like we should just be able to plug that into AdMod and run with it. In a single domain forest, from a domain joined machine, you absolutely can. In a multi-domain forest it gets a little trickier, so don't do it yet, at least not if you care about the ACEs for the domain-relative principals (DA, RS and CA in the raw SDDL, shown as "Non-specific ..." in the resolved output above) possibly coming out wrong.

Full stop! So joe… I have a single domain forest, how do I just do that, I don’t care about the multi-domain forests… 

I would say the simplest way, straight away and without creating additional objects (more on that later), is to pull the defaultSecurityDescriptor from the user objectclass, add the missing DACL flags (D: becomes D:AI) and drop it into an environment variable you can reuse. From a command prompt (in a batch file, double the percent signs: %%i and %%j):

for /f "tokens=1,2 delims=," %i in ('adfind -sc s:* -af "(ldapdisplayname=user)" ldapdisplayname "defaultsecuritydescriptor:s/D:/D:AI/" -nodn -jcsv2 -csvmvdelim $') do set DSD_%i=%j

Which leaves you with an env var of

[Tue 07/07/2020 22:08:51.68]
E:\DEV\cpp\vs\AdMod\Debug>set dsd_user
DSD_user=D:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;AU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;WPRP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;WPRP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)

and then a simple command of

adfind -b <BASE> -f <filter> -dsq | admod SD##ntsecuritydescriptor::%DSD_user% -exterr

will set the DACL of every matched object back to the schema default and enable inheritance. For example:

adfind -default -f "&(objectclass=user)(admincount=1)" ntsecuritydescriptor -rawsddlexpl -rawsddlnl -onlydacl -adcsv | admod SD##ntsecuritydescriptor::%DSD_user% -exterr

Oh and while we are here, we might as well clear admincount as well…

adfind -default -f "&(objectclass=user)(admincount=1)" ntsecuritydescriptor -rawsddlexpl -rawsddlnl -onlydacl -adcsv | admod SD##ntsecuritydescriptor::%DSD_user% admincount:- -exterr

Cool! But why the domain joined machine requirement and what is going on that is so different for a multi-domain forest???

The issue goes back to the same issue for both which is related to the defaultSecurityDescriptor, specifically that it uses (correctly of course) the generic form of several of the security principals, most critically (IMO), the Domain Admins security principal of DA.

For example:

[DACL] A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA

Which is

[DACL] ALLOW;;[FC];;;Non-specific Domain Admins

The underlying function AdMod uses to handle Security Descriptors is ConvertStringSecurityDescriptorToSecurityDescriptor, and it does not let you specify a remote machine for the SID expansion; the domain-relative aliases are expanded against the domain of the machine the call runs on. So if you are not in the target domain (you are in another domain, or not in any domain) it doesn't know how to resolve DA (and also RS and CA) to the proper SID for the given domain to put into the Security Descriptor BLOB. The result is EITHER the wrong Domain Admins SID being stamped on the object, in the case of being in a different domain, or an error of "The security ID structure is invalid." if the machine is not in any domain, because those principals aren't resolvable on a standalone machine. MSFT could easily have fixed that by allowing you to specify a resolver machine in the API call, but alas, no such luck. If you want to handle this you have to manually unpack the SDDL, convert the non-specific aliases to specific SIDs, and then repack the SDDL and use that.
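That last sentence is the whole workaround, so here it is carried out in Python as an added example (not part of the post and not AdMod's code). It takes the user class defaultSecurityDescriptor exactly as printed earlier, swaps every domain-relative alias for the concrete SID of whatever domain SID you hand it (the one used below is the lockout.test.loc domain SID that appears in the template output further down; in practice you read it from the objectSid of the domain NC head), and adds the AI flag, so the result is a string you can pass to AdMod's SD##ntsecuritydescriptor:: from any machine, joined to any domain or none. The alias table is an assumption you should own: it lists the domain-relative aliases I am certain of and treats SA and EA as forest-root relative; anything not in it passes through untouched, which is why unresolved_aliases() exists as the check to run before you apply the string.

```python
import re

# The user objectclass defaultSecurityDescriptor from the AdFind output above,
# split across lines only for readability (Python joins adjacent literals).
DEFAULT_SD_USER = (
    "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)"
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
    "(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)"
    "(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)"
    "(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)"
    "(OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)"
    "(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)"
    "(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)"
    "(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)"
    "(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)"
    "(A;;RC;;;AU)"
    "(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)"
    "(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)"
    "(OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)"
    "(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)"
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
    "(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)"
    "(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)"
    "(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)"
    "(OA;;WPRP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)"
    "(OA;;WPRP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)"
)

# Domain SID of lockout.test.loc, taken from the SDTemplates output in the post.
DOMAIN_SID = "S-1-5-21-3057091654-2329156990-3385121676"

# SDDL aliases whose SID is relative to a domain: alias -> (RID, forest-root only).
# Assumption: this table is the set I am sure of; BUILTIN aliases (AO, BA, ...) and
# well-known SIDs (SY, AU, WD, PS, ...) are absolute and resolve the same anywhere.
DOMAIN_RELATIVE = {
    "DA": (512, False), "DU": (513, False), "DG": (514, False),
    "DC": (515, False), "DD": (516, False), "CA": (517, False),
    "PA": (520, False), "RS": (553, False),
    "SA": (518, True),  "EA": (519, True),
}

_ACE = re.compile(r"\(([^()]*)\)")  # one SDDL ACE; the SID is the sixth ;-field


def resolve_sddl(sddl, domain_sid, root_domain_sid=None):
    """Unpack a DACL-only SDDL string, replace domain-relative aliases with the
    concrete SID for domain_sid (forest-root aliases need root_domain_sid), and
    repack it with the AI flag added when the DACL has no flags at all, which
    is exactly what the post's s/D:/D:AI/ does to the schema default."""
    if not sddl.startswith("D:") or "(" not in sddl:
        raise ValueError("expected a DACL-only SDDL string starting with D:")
    head, body = sddl.split("(", 1)
    body = "(" + body

    def fix(m):
        fields = m.group(1).split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE {m.group(0)!r}")
        alias = fields[5]
        if alias in DOMAIN_RELATIVE:
            rid, root_only = DOMAIN_RELATIVE[alias]
            base = root_domain_sid if root_only else domain_sid
            if base is None:
                raise ValueError(f"{alias} is forest-root relative; root_domain_sid needed")
            fields[5] = f"{base}-{rid}"
        return "(" + ";".join(fields) + ")"

    if head == "D:":
        head = "D:AI"
    return head + _ACE.sub(fix, body)


def unresolved_aliases(sddl):
    """Sorted list of domain-relative aliases still present; empty means safe
    to hand to ConvertStringSecurityDescriptorToSecurityDescriptor anywhere."""
    sids = {a.split(";")[5] for a in _ACE.findall(sddl) if len(a.split(";")) > 5}
    return sorted(s for s in sids if s in DOMAIN_RELATIVE)


if __name__ == "__main__":
    print("before:", unresolved_aliases(DEFAULT_SD_USER))
    resolved = resolve_sddl(DEFAULT_SD_USER, DOMAIN_SID)
    print("after: ", unresolved_aliases(resolved))
    print(resolved)
```

Compare the output with the SDTemplates DACL shown later in the post: the same three principals come out as -512, -553 and -517 under the domain SID, which is what AD itself produces when the default is applied from inside the domain. The ACE order differs because the directory canonicalizes the DACL on write; the content does not.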

AdMod does not currently have the ability to work around this shortcoming in the API call (and unfortunately may or may not get it in the future). I am thinking about ways to handle it in the code itself, but right now the best I have is to use "template" objects, sort of like AdminSDHolder: objects that carry the DACL (or full Security Descriptor) you want applied. You can even do this by group, where membership in certain groups means certain DACLs get applied to the object, and have a service applying that regularly... a poor man's AdminSDHolder.

Anyway, this is about cleaning up old AdminSDHolder impacted objects likely because you realized you had too many admins and start cleaning stuff up (kudos to you btw).

So this is an example of some common template objects:

[Wed 07/08/2020 15:30:30.39]
E:\DEV\cpp\vs\AdMod\Debug>adfind -f cn=sdtemplates -dsq | adfind -s one -dn

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) May 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)

dn:CN=contact,CN=SDTemplates,CN=System,DC=lockout,DC=test,DC=loc
dn:CN=group,CN=SDTemplates,CN=System,DC=lockout,DC=test,DC=loc
dn:CN=organizationalunit,CN=SDTemplates,CN=System,DC=lockout,DC=test,DC=loc
dn:CN=user,CN=SDTemplates,CN=System,DC=lockout,DC=test,DC=loc

4 Objects returned

And an expanded user template showing the DACL.

[Wed 07/08/2020 15:32:09.30]
E:\DEV\cpp\vs\AdMod\Debug>adfind -system -rb CN=SDTemplates -f cn=user -jsdenl -onlydacl

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) May 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: CN=SDTemplates,CN=System,DC=lockout,DC=test,DC=loc

dn:CN=user,CN=SDTemplates,CN=System,DC=lockout,DC=test,DC=loc
[DACL] (FLAGS:INHERIT)
[DACL] OBJ ALLOW;;[READ PROP];Account Restrictions;;LOCKOUT\RAS and IAS Servers
[DACL] OBJ ALLOW;;[READ PROP];Logon Information;;LOCKOUT\RAS and IAS Servers
[DACL] OBJ ALLOW;;[READ PROP];Group Membership;;LOCKOUT\RAS and IAS Servers
[DACL] OBJ ALLOW;;[READ PROP];Remote Access Information;;LOCKOUT\RAS and IAS Servers
[DACL] OBJ ALLOW;;[READ PROP][WRT PROP];userCertificate;;LOCKOUT\Cert Publishers
[DACL] OBJ ALLOW;;[READ PROP];tokenGroupsGlobalAndUniversal;;BUILTIN\Windows Authorization Access Group
[DACL] OBJ ALLOW;;[READ PROP][WRT PROP];terminalServer;;BUILTIN\Terminal Server License Servers
[DACL] OBJ ALLOW;;[READ PROP][WRT PROP];Terminal Server License Server;;BUILTIN\Terminal Server License Servers
[DACL] OBJ ALLOW;;[CTL];Change Password;;Everyone
[DACL] OBJ ALLOW;;[CTL];Change Password;;NT AUTHORITY\SELF
[DACL] OBJ ALLOW;;[CTL];Send As;;NT AUTHORITY\SELF
[DACL] OBJ ALLOW;;[CTL];Receive As;;NT AUTHORITY\SELF
[DACL] OBJ ALLOW;;[READ PROP];General Information;;NT AUTHORITY\Authenticated Users
[DACL] OBJ ALLOW;;[READ PROP];Public Information;;NT AUTHORITY\Authenticated Users
[DACL] OBJ ALLOW;;[READ PROP];Personal Information;;NT AUTHORITY\Authenticated Users
[DACL] OBJ ALLOW;;[READ PROP];Web Information;;NT AUTHORITY\Authenticated Users
[DACL] OBJ ALLOW;;[READ PROP][WRT PROP];Personal Information;;NT AUTHORITY\SELF
[DACL] OBJ ALLOW;;[READ PROP][WRT PROP];Phone and Mail Options;;NT AUTHORITY\SELF
[DACL] OBJ ALLOW;;[READ PROP][WRT PROP];Web Information;;NT AUTHORITY\SELF
[DACL] ALLOW;;[FC];;;LOCKOUT\Domain Admins
[DACL] ALLOW;;[FC];;;BUILTIN\Account Operators
[DACL] ALLOW;;[READ];;;NT AUTHORITY\Authenticated Users
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\SELF
[DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM

1 Objects returned

and note that, just like AdminSDHolder, it is simply a container object. You could use an actual user object if you wanted, but then someone somewhere should be trying to clean that up when it seems inactive for a not too long period of time (weeks to months at most). I mean, they had better be; if you aren't looking for and cleaning up inactive objects you have really really bad security. And no, don't just make it non-expiring, that is really really bad security too. In fact, if you have any userids that are set up as non-expiring, just expect that if I saw it I would say this is really really bad security.

So the easiest model is just to copy the explicit part of the DACL from the template object from a given domain and apply it to the user objects you need to “reset”.

So first get the DACL string

adfind -system -rb CN=SDTemplates -f cn=user ntsecuritydescriptor -rawsddlexpl -rawsddlnl -onlydacl -list

and copy the output which in this case would be:

D:AI(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3057091654-2329156990-3385121676-517)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;RP;77b5b886-944a-11d1-aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3057091654-2329156990-3385121676-512)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AO)(A;;RC;;;AU)(A;;LCRPLORC;;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)

and then apply it to a given object

admod -b <objectDN> SD##ntsecuritydescriptor::D:AI(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;S-1-5-21-3057091654-2329156990-3385121676-553)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3057091654-2329156990-3385121676-517)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;RP;77b5b886-944a-11d1-aebd-0000f80367c1;;AU)(OA;;RP;e45795b3-9455-11d1-aebd-0000f80367c1;;AU)(OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b2-9455-11d1-aebd-0000f80367c1;;PS)(OA;;RPWP;e45795b3-9455-11d1-aebd-0000f80367c1;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3057091654-2329156990-3385121676-512)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AO)(A;;RC;;;AU)(A;;LCRPLORC;;;PS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)

Boom, the object has been set to inheriting and the value of the defaultSecurityDescriptor specific to the domain in question.

You could do a group of accounts at once if you can feed the DACL into the AdFind|AdMod pipeline; one way to do it is a for /f loop like so (from a command prompt; in a batch file use %%i):

for /f %i in ('adfind -system -rb "CN=SDTemplates" -f "cn=user" ntsecuritydescriptor -rawsddlexpl -rawsddlnl -onlydacl -list') do adfind -f "name=oldadmin*" -dsq | admod SD##ntsecuritydescriptor::%i -exterr

That command pulls the DACL and then performs a normal AdFind|AdMod pipeline and feeds in the DACL so you don’t have to copy and paste it.

You could expand that to an entire multi-domain forest with the following (assuming you created similar template objects in each domain, and again using %%i and %%j in a batch file):

for /f %i in ('adfind -sc domainlist') do for /f %j in ('adfind -h %i -system -rb "CN=SDTemplates" -f "cn=user" ntsecuritydescriptor -rawsddlexpl -rawsddlnl -onlydacl -list') do adfind -h %i -f "name=oldadmin*" -dsq | admod SD##ntsecuritydescriptor::%j -exterr

And if you want to clear the admincount attribute, don’t forget to add the admincount:- to it as well.

Note this is a good way to specify the standard owner for objects as well, if you like, along with the DACL. The owner is critical because the owner has special powers over the object by default: it can always read and rewrite the DACL regardless of what the DACL says. I highly recommend, unless you are using AD quotas, specifying standard owners for objects so you can very closely control who can do what to all objects, especially any elevated rights objects.

   joe

[1] Speaking of Account Operators, you aren't still using that group, are you? If you are, STOP. It was for NT4 and mixed NT4/2000 environments, not pure Active Directory domains.
