joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

Clearing the DENY DELETE EVERYONE from OUs with AdFind|AdMod

by @ 4:17 pm on 7/9/2020. Filed under tech

Another common thing that people want to do from the command line with AdFind | AdMod is to clear the “Protect object from accidental deletion” setting that is implemented with a deny delete ACE on the object, specifically

[DACL] DENY;;[DEL TREE][DEL];;;Everyone

As mentioned previously, the Security Descriptor is a BLOB, so you have to deal with the whole DACL at once. This is a pretty easy mod though.

You simply have to remove the “(D;;DTSD;;;WD)” portion of the SDDL.

That looks like:

adfind -b <BASE> -f <FILTER> ntsecuritydescriptor -rawsddlexpl -rawsddlnl -onlydacl -csvmvdelim "|" -adcsv | admod SD##ntsecuritydescriptor::{{.:r:(D;;DTSD;;;WD):}}

So for example:

[Thu 07/09/2020 14:46:27.47]
E:\DEV\cpp\vs\AdMod\Debug>
[Thu 07/09/2020 14:49:18.38]
E:\DEV\cpp\vs\AdMod\Debug>adfind -f ou=tobedeleted -jsdenl

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) May 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: DC=lockout,DC=test,DC=loc

dn:OU=tobedeleted,DC=lockout,DC=test,DC=loc
[OWNER] LOCKOUT\Domain Admins
[GROUP] LOCKOUT\Domain Admins
[DACL] (FLAGS:INHERIT)
[DACL] DENY;;[DEL TREE][DEL];;;Everyone
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];inetOrgPerson;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];computer;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];group;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];printQueue;;BUILTIN\Printer Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];user;;BUILTIN\Account Operators
[DACL] ALLOW;;[FC];;;LOCKOUT\Domain Admins
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
[DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM

1 Objects returned

[Thu 07/09/2020 14:50:50.40]
E:\DEV\cpp\vs\AdMod\Debug>adfind -f ou=tobedeleted ntsecuritydescriptor -rawsddlexpl -rawsddlnl -onlydacl -csvmvdelim "|" -adcsv | admod SD##ntsecuritydescriptor::{{.:r:(D;;DTSD;;;WD):}}

AdMod V01.21.00cppBETA Joe Richards (support@joeware.net) June 2020

DN Count: 1
Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)

Modifying specified objects…
   DN: OU=tobedeleted,DC=lockout,DC=test,DC=loc…

The command completed successfully

[Thu 07/09/2020 14:51:05.75]
E:\DEV\cpp\vs\AdMod\Debug>adfind -f ou=tobedeleted -jsdenl

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) May 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: DC=lockout,DC=test,DC=loc

dn:OU=tobedeleted,DC=lockout,DC=test,DC=loc
[OWNER] LOCKOUT\Domain Admins
[GROUP] LOCKOUT\Domain Admins
[DACL] (FLAGS:INHERIT)
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];inetOrgPerson;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];computer;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];group;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];printQueue;;BUILTIN\Printer Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];user;;BUILTIN\Account Operators
[DACL] ALLOW;;[FC];;;LOCKOUT\Domain Admins
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
[DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM

1 Objects returned

And what if you want to put it back?

[Thu 07/09/2020 14:51:15.15]
E:\DEV\cpp\vs\AdMod\Debug>adfind -f ou=tobedeleted -jsdenl

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) May 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: DC=lockout,DC=test,DC=loc

dn:OU=tobedeleted,DC=lockout,DC=test,DC=loc
[OWNER] LOCKOUT\Domain Admins
[GROUP] LOCKOUT\Domain Admins
[DACL] (FLAGS:INHERIT)
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];inetOrgPerson;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];computer;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];group;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];printQueue;;BUILTIN\Printer Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];user;;BUILTIN\Account Operators
[DACL] ALLOW;;[FC];;;LOCKOUT\Domain Admins
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
[DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM

1 Objects returned

[Thu 07/09/2020 14:53:08.62]
E:\DEV\cpp\vs\AdMod\Debug>adfind -f ou=tobedeleted ntsecuritydescriptor -rawsddlexpl -rawsddlnl -onlydacl -csvmvdelim "|" -adcsv | admod SD##ntsecuritydescriptor::{{.:r:AI(:AI(D;;DTSD;;;WD)(}}

AdMod V01.21.00cppBETA Joe Richards (support@joeware.net) June 2020

DN Count: 1
Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)

Modifying specified objects…
   DN: OU=tobedeleted,DC=lockout,DC=test,DC=loc…

The command completed successfully

[Thu 07/09/2020 14:53:16.31]
E:\DEV\cpp\vs\AdMod\Debug>adfind -f ou=tobedeleted -jsdenl

AdFind V01.53.00cppBETA Joe Richards (support@joeware.net) May 2020

Using server: LO-DC4.lockout.test.loc:389
Directory: Windows Server 2019 (10.0.17134.1)
Base DN: DC=lockout,DC=test,DC=loc

dn:OU=tobedeleted,DC=lockout,DC=test,DC=loc
[OWNER] LOCKOUT\Domain Admins
[GROUP] LOCKOUT\Domain Admins
[DACL] (FLAGS:INHERIT)
[DACL] DENY;;[DEL TREE][DEL];;;Everyone
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];inetOrgPerson;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];computer;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];group;;BUILTIN\Account Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];printQueue;;BUILTIN\Printer Operators
[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];user;;BUILTIN\Account Operators
[DACL] ALLOW;;[FC];;;LOCKOUT\Domain Admins
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
[DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM

1 Objects returned
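To make the string surgery explicit, here is an added Python example (mine, not AdMod's code) that does to a constructed SDDL DACL what the two admod replaces above do: strip the deny-delete ACE and put it back. It goes a little beyond the post by not assuming the DACL flags are exactly AI and by refusing to add the ACE twice; the sample SDDL and the function names are my assumptions.

```python
import re

# Constructed sample DACL in SDDL form, modelled on the OU in the post
# (not AdFind's literal output): DACL flags "AI", then the deny-delete ACE,
# then a few allow ACEs. The GUID is the well-known "user" schema class id;
# AO/AU/SY are the standard SDDL aliases for Account Operators, Authenticated
# Users and SYSTEM.
PROTECTED = ("D:AI(D;;DTSD;;;WD)"
             "(OA;;CCDC;bf967aba-0de6-11d0-a285-00aa003049e2;;AO)"
             "(A;;RPLCLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)")

# The "Protect object from accidental deletion" ACE the post removes/restores.
PROTECT_ACE = "(D;;DTSD;;;WD)"

ACE_RE = re.compile(r"\([^()]*\)")

def split_dacl(sddl):
    """Split a 'D:<flags>(ace)(ace)...' string into (flags, [ace, ...])."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL SDDL string starting with 'D:'")
    body = sddl[2:]
    first = body.find("(")
    flags = body if first < 0 else body[:first]
    return flags, ACE_RE.findall(body)

def join_dacl(flags, aces):
    return "D:" + flags + "".join(aces)

def is_protected(sddl):
    """True if the deny DELETE/DELETE TREE to Everyone ACE is present."""
    return PROTECT_ACE in split_dacl(sddl)[1]

def remove_protection(sddl):
    """Same effect as admod's {{.:r:(D;;DTSD;;;WD):}} replace."""
    flags, aces = split_dacl(sddl)
    return join_dacl(flags, [a for a in aces if a != PROTECT_ACE])

def add_protection(sddl):
    """Same effect as the post's {{.:r:AI(:AI(D;;DTSD;;;WD)(}} replace, but
    works for any DACL flags (P, PAI, none...) and is idempotent. The deny
    ACE goes first, which is where canonical ordering puts explicit denies."""
    flags, aces = split_dacl(sddl)
    if PROTECT_ACE in aces:
        return sddl
    return join_dacl(flags, [PROTECT_ACE] + aces)
```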

    joe
