All national institutions of churches, whether Jewish, Christian or Turkish, appear to me no other than human inventions, set up to terrify and enslave mankind, and monopolize power and profit.
-Thomas Paine
Information about joeware mixed with wild and crazy opinions...
http://www.microcenter.com/single_product_results.phtml?product_id=0273266
$199.99
Product Specifications
Formatted Capacity: 1TB (1000GB)
Interface Type: Serial ATA-300
Buffer Size: 16MB
Spindle Speed (RPM): IntelliPower (5,400RPM to 7,200RPM)
Read Seek Time Average: 8.9 ms
Data Transfer Rate (Buffer to Host): Up to 300MBps
Data Transfer Rate (Buffer to Disk): Up to 1,156Mbps
Ports and Connectors: 7-pin Serial ATA Connector
Included Software: Drivers & Utilities
Manufacturer Warranty: 3 Year Limited Warranty
I will be out in Redmond and Seattle for the Microsoft MVP Summit from Sunday to Friday… So if I seem quiet… that would be why. 🙂
How do you respond to someone who asks you “Will a WAN link being down affect a file copy going over it?”…
I mean you have the correct obvious technical response of “ummm YES!” but at this point, would that really help anything? Really???
Isn’t there a deeper more meaningful “life, the universe, and everything” type question that needs to be asked, answered, and responded to in this situation?
The response that immediately comes to my mind is “How exactly did you get to the point you are at now where you could ask that question in the first place? What schools, training, and series of managers failed you into the position you have found yourself?”.
I mean really… This is the basic point A and point B problem isn’t it? If point A is not connected to point B, it is going to be tough if not impossible to get between them. This isn’t just a computer thing, this is a life thing. If the bridge to cross the river is blown up while you are on it, is that going to affect you driving over it? Hmmm I don’t know, let me reach out and ask someone else…
I am smack in the middle of email issues so if anyone has sent me email in the last few days and I haven’t responded…. Well that would be the reason.
Anyone who sent me email prior to Wednesday and I haven’t responded… well I just haven’t gotten to that yet. :<>
I thought I would add my part to this ridiculous controversy which illustrates that some people have too much time on their hands… Maybe even me for taking time to have read the article and then post this…
This is a picture of Dick Cheney out fly fishing, this picture was posted on the White House web site I guess. I don’t know, I don’t ever go there, no one there I want to see or talk to. Anyway someone said that if you look closely at the reflection, you will see a naked woman… I looked at the picture, I don’t see it. I see a hand and a fishing pole. I see what someone with an overactive imagination and hasn’t been near a real naked woman in a while might consider a naked woman. You be the judge.
Even if there was a naked woman or 50 naked women in the reflection… so what?
Misc quotes from Dwight in The Office…
Oh it is serious. Five citations and you’re looking at a violation. Four of those and you’ll receive a verbal warning. Keep it up, and you’re looking at a written warning. Two of those, that’ll land you in world of hurt. In the form of a disciplinary review, written up by me, and placed on the desk of my immediate superior.
In the Schrute family, we have a tradition where when the male has sex with another woman, he is rewarded with a bag of wild oats left on his doorstep by his parents. You can use those oats to make oatmeal, bread, whatever you want, I don’t care. They’re your oats.
Whenever I’m about to do something, I think, “Would an idiot do that?” And if they would, I do not do that thing.
As a farmer I know that when an animal is sick sometimes the right thing to do is put it out of its misery. With the electricity we are using to keep Meredith alive we could power a small fan for two days. You tell me what’s unethical.
This application does some sort of analysis on the pictures, so even if the pictures have different names or sizes, it seems pretty good at finding duplicates…
http://www.softpedia.com/get/Multimedia/Graphic/Graphic-Others/SimilarImages.shtml
Well the bug in LiveWriter that I ran into in my last post about Security Descriptors got me looking for a more recent version and what do you know, they are now out of beta… So I have loaded the new version and here we go… Right off I can say this version starts up *much* faster and doesn’t seem to have the bug I ran into with the last version with the HTML code view post limit.
Let’s see what else…
Ohhh – table support, cool, I have needed that…
I hear this question all of the time… AdFind is cool, but can it display Security Descriptors in a friendly format… or more accurately most people say “can it display permissions in a way I can read??”
Well yes, AdFind can output security descriptors in a readable format, whether or not *you* can read it is, well, that is something for you to validate on your own. You can, if you want, let me know the results.
The fact is, I actually prefer the output of the Security Descriptors from AdFind than from say DSACLS. For a couple of reasons…
First, you aren’t accidentally screwing up and changing anything with AdFind… AdFind CANNOT change anything, it is purely read only. ON PURPOSE! No… “Oops I accidentally clicked on a button and hit OK instead of CANCEL”. It is READ ONLY. Again, what is it??? Read Only. You can give this tool to your mom and she can’t hurt anything. It is duller than a butter knife made from tofu.
Next I like that it is more tightly bound output… I can’t really explain what I mean by that but maybe you understand if you have seen the output from both tools and if not, I will show you the output somewhere below. When I look at the output from DSACLS I think chaotic and too spread out and infinitely painful to script around.
Next thing I like is that unlike DSACLS, AdFind will display *any* security descriptor attribute in AD, not just the nTSecurityDescriptor, so say you are one of the few people who have installed a product called Exchange, there is an attribute called msExchMailboxSecurityDescriptor – yes AdFind can display that as well.
Oh and something really cool… you can use any LDAP query you want to display the security descriptors of any object that matches the query. So you could use one command to dump the security descriptors of all OUs… or all Users with mailboxes… or all groups… or all objects with admincount=1, etc etc etc… Can’t do any of that with DSACLS. But then that wasn’t the goal of that tool when it was put together and there are things that I can’t do with AdFind and AdMod “yet”.
So quickly here is what DSACLS output looks like for anyone who isn’t familiar:
G:\blogfodder>dsacls dc=test,dc=loc
Access list:
Effective Permissions on this object are:
Allow TEST\Domain Admins                          SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  WRITE PERMISSIONS
                                                  CHANGE OWNERSHIP
                                                  CREATE CHILD
                                                  LIST CONTENTS
                                                  WRITE SELF
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  LIST OBJECT
                                                  CONTROL ACCESS
Allow TEST\Enterprise Admins                      FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
                                                  LIST CONTENTS
Allow BUILTIN\Administrators                      SPECIAL ACCESS
                                                  DELETE
                                                  READ PERMISSONS
                                                  WRITE PERMISSIONS
                                                  CHANGE OWNERSHIP
                                                  CREATE CHILD
                                                  LIST CONTENTS
                                                  WRITE SELF
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  LIST OBJECT
                                                  CONTROL ACCESS
Allow Everyone                                    SPECIAL ACCESS
                                                  READ PROPERTY
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Allow NT AUTHORITY\Authenticated Users            SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Allow NT AUTHORITY\SYSTEM                         FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Domain Password & Lockout Policies
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Other Domain Parameters (for use by SAM)
                                                  READ PROPERTY
Allow NT AUTHORITY\Authenticated Users            SPECIAL ACCESS for Other Domain Parameters (for use by SAM)
                                                  READ PROPERTY
Allow TEST\Domain Controllers                     Replicating Directory Changes All
Allow TEST\testgroup                              Monitor Active Directory Replication
Allow BUILTIN\Administrators                      Replicating Directory Changes
Allow BUILTIN\Administrators                      Replication Synchronization
Allow BUILTIN\Administrators                      Manage Replication Topology
Allow BUILTIN\Administrators                      Replicating Directory Changes All
Allow BUILTIN\Incoming Forest Trust Builders      Create Inbound Forest Trust
Allow NT AUTHORITY\Authenticated Users            Enable Per User Reversibly Encrypted Password
Allow NT AUTHORITY\Authenticated Users            Unexpire Password
Allow NT AUTHORITY\Authenticated Users            Update Password Not Required Bit
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  Replicating Directory Changes
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  Replication Synchronization
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  Manage Replication Topology
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Enterprise Admins                      FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
                                                  LIST CONTENTS
Allow BUILTIN\Administrators                      SPECIAL ACCESS
                                                  DELETE
                                                  READ PERMISSONS
                                                  WRITE PERMISSIONS
                                                  CHANGE OWNERSHIP
                                                  CREATE CHILD
                                                  LIST CONTENTS
                                                  WRITE SELF
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  LIST OBJECT
                                                  CONTROL ACCESS
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Inherited to group
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Inherited to inetOrgPerson
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Inherited to user
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  SPECIAL ACCESS for tokenGroups
                                                  READ PROPERTY
Inherited to group
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  SPECIAL ACCESS for tokenGroups
                                                  READ PROPERTY
Inherited to computer
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  SPECIAL ACCESS for tokenGroups
                                                  READ PROPERTY
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Remote Access Information
                                                  READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Remote Access Information
                                                  READ PROPERTY
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for General Information
                                                  READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for General Information
                                                  READ PROPERTY
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Group Membership
                                                  READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Group Membership
                                                  READ PROPERTY
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Logon Information
                                                  READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Logon Information
                                                  READ PROPERTY
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Account Restrictions
                                                  READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Account Restrictions
                                                  READ PROPERTY
The command completed successfully
That is a pretty standard NC Head DACL, I think there is only one added ACE for testing something.
How does AdFind display that same info? Well it depends, I like to be a little flexible and it can output in several ways depending on what you want…
But first… I want to point out a couple of switches that may be useful to you if you aren’t an admin of the domain you are going to read info from. By default when you ask for the nTSecurityDescriptor, AD wants to return the entire security descriptor. Well if you don’t have certain rights, specifically manage auditing, you can’t retrieve the System ACL aka SACL, i.e. the auditing information. They don’t want to give you info about what is being audited if you aren’t supposed to be managing it, since it might give you a clue of what to try and attack without being caught… So to get around this, they allow you to ask for only portions of the security descriptor, and I put in a special switch to tell AdFind to ask for everything *but* the SACL. That switch is called -sdna which, if you want to know, stands for Security Descriptor Non-Admin. You could also use the -nosacl switch which I added later to be consistent with some other security descriptor switches I added. So if you are not an admin or are running the tool as a normal user, use -sdna or -nosacl to get information back. If you do that, you will notice that anywhere below where the SACL is displayed, you will not have the SACL, make sense? Good…
First the default output:
G:\blogfodder>adfind -b dc=test,dc=loc -s base ntsecuritydescriptor
AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007
Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
dn:dc=test,dc=loc
>nTSecurityDescriptor: {Security Descriptor}
1 Objects returned
As you can see, not all that helpful, so I added a basic decode option called -sddl (or -sddc for Security Descriptor De-Code) that looks like:
G:\blogfodder>adfind -b dc=test,dc=loc -s base ntsecuritydescriptor -sddl
AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007
Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
dn:dc=test,dc=loc
>nTSecurityDescriptor: [OWNER] BA
>nTSecurityDescriptor: [GROUP] BA
>nTSecurityDescriptor: [DACL] AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa0
03049e2;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP
;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-90
20-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc
14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;f98340fb-7c5b-4cdb-a
00b-2ebdfa115a96;;S-1-5-21-91850410-1263060417-3577111226-2736)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608
;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07
-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c740736
0-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU
)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f5
41;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;
AU)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTL
OCRSDRCWDWO;;;SY)
>nTSecurityDescriptor: [SACL] AI(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa0
03049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)
1 Objects returned
That is a slightly cleaned up raw SDDL format which you can get info on here –> http://www.washington.edu/computing/support/windows/UWdomains/SDDL.html. Note: Normally I would point at MSDN but it seems they have screwed it up yet again and it isn’t displaying pages properly. I think the whole MSDN site is a lab environment or something, it is broken a good amount of the time.
Anyway, this output is SDDL but it is cleaned up in that the OWNER, GROUP, DACL, and SACL are all broken out onto their own lines for reading. Note that it probably looks pretty bad in the web browser window; it looks much better in a text file or on the screen if you have a sufficiently wide command prompt window (I personally set mine to 210 characters usually, but even that isn’t really big enough for most security descriptors).
So now the next output decode option is a lot cleaner for most people. It is a slight upgrade from the SDDL format before and so I called the switch -sddl+ (or -sddc+):
G:\blogfodder>adfind -b dc=test,dc=loc -s base ntsecuritydescriptor -sddl+
AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007
Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
dn:dc=test,dc=loc
>nTSecurityDescriptor: [OWNER] BA
>nTSecurityDescriptor: [GROUP] BA
>nTSecurityDescriptor: [DACL] AI
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Account Restrictions;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Account Restrictions;user;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Logon Information;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Logon Information;user;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Group Membership;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Group Membership;user;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;General Information;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;General Information;user;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Remote Access Information;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Remote Access Information;user;RU
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes All;;DD
>nTSecurityDescriptor: [DACL] OA;;CR;Monitor Active Directory Replication;;S-1-5-21-91850410-1263060417-3577111226-2736
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;tokenGroups;computer;ED
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;tokenGroups;group;ED
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;tokenGroups;user;ED
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes;;BA
>nTSecurityDescriptor: [DACL] OA;;CR;Replication Synchronization;;BA
>nTSecurityDescriptor: [DACL] OA;;CR;Manage Replication Topology;;BA
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes All;;BA
>nTSecurityDescriptor: [DACL] OA;;CR;Create Inbound Forest Trust;;S-1-5-32-557
>nTSecurityDescriptor: [DACL] OA;;RP;Domain Password & Lockout Policies;;RU
>nTSecurityDescriptor: [DACL] OA;;RP;Other Domain Parameters (for use by SAM);;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;LCRPLORC;;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;LCRPLORC;;group;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;LCRPLORC;;user;RU
>nTSecurityDescriptor: [DACL] OA;;CR;Enable Per User Reversibly Encrypted Password;;AU
>nTSecurityDescriptor: [DACL] OA;;CR;Unexpire Password;;AU
>nTSecurityDescriptor: [DACL] OA;;CR;Update Password Not Required Bit;;AU
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes;;ED
>nTSecurityDescriptor: [DACL] OA;;CR;Replication Synchronization;;ED
>nTSecurityDescriptor: [DACL] OA;;CR;Manage Replication Topology;;ED
>nTSecurityDescriptor: [DACL] OA;;RP;Other Domain Parameters (for use by SAM);;AU
>nTSecurityDescriptor: [DACL] A;;CCLCSWRPWPLOCRRCWDWO;;;DA
>nTSecurityDescriptor: [DACL] A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA
>nTSecurityDescriptor: [DACL] A;;RPRC;;;RU
>nTSecurityDescriptor: [DACL] A;CI;LC;;;RU
>nTSecurityDescriptor: [DACL] A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA
>nTSecurityDescriptor: [DACL] A;;RP;;;WD
>nTSecurityDescriptor: [DACL] A;;LCRPLORC;;;ED
>nTSecurityDescriptor: [DACL] A;;LCRPLORC;;;AU
>nTSecurityDescriptor: [DACL] A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY
>nTSecurityDescriptor: [SACL] AI
>nTSecurityDescriptor: [SACL] OU;CISA;WP;gPLink;organizationalUnit;WD
>nTSecurityDescriptor: [SACL] OU;CISA;WP;gPOptions;organizationalUnit;WD
>nTSecurityDescriptor: [SACL] AU;SA;CR;;;DU
>nTSecurityDescriptor: [SACL] AU;SA;CR;;;BA
>nTSecurityDescriptor: [SACL] AU;SA;WPWDWO;;;WD
1 Objects returned
That is all of the ACEs broken out one to a line in the order they are in the security descriptor. It is still in SDDL character encoding. For some of you that is fine, at least you can now scan through it. For others, that is still a bit cryptic so I have -sddl++ (and as you may guess -sddc++):
G:\blogfodder>adfind -b dc=test,dc=loc -s base ntsecuritydescriptor -sddl++
AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007
Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
dn:dc=test,dc=loc
>nTSecurityDescriptor: [OWNER] BA
>nTSecurityDescriptor: [GROUP] BA
>nTSecurityDescriptor: [DACL] (FLAGS:INHERIT)
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Account Restrictions;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Account Restrictions;user;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Logon Information;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Logon Information;user;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Group Membership;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Group Membership;user;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];General Information;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];General Information;user;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Remote Access Information;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Remote Access Information;user;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes All;;DD
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Monitor Active Directory Replication;;S-1-5-21-91850410-1263060417-3577111226-2736
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];tokenGroups;computer;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];tokenGroups;group;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];tokenGroups;user;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;BA
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replication Synchronization;;BA
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Manage Replication Topology;;BA
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes All;;BA
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Create Inbound Forest Trust;;S-1-5-32-557
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Domain Password & Lockout Policies;;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Other Domain Parameters (for use by SAM);;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;group;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;user;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Enable Per User Reversibly Encrypted Password;;AU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Unexpire Password;;AU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Update Password Not Required Bit;;AU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replication Synchronization;;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Manage Replication Topology;;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Other Domain Parameters (for use by SAM);;AU
>nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT OWNER];;;DA
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[FC];;;EA
>nTSecurityDescriptor: [DACL] ALLOW;;[READ PROP][READ];;;RU
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[LIST CHILDREN];;;RU
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[CR CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][DEL][READ][WRT PERMS][WRT OWNER];;;BA
>nTSecurityDescriptor: [DACL] ALLOW;;[READ PROP];;;WD
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;ED
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;AU
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;SY
>nTSecurityDescriptor: [SACL] (FLAGS:INHERIT)
>nTSecurityDescriptor: [SACL] OBJ AUDIT;[CONT INHERIT][SUCCESS];[WRT PROP];gPLink;organizationalUnit;WD
>nTSecurityDescriptor: [SACL] OBJ AUDIT;[CONT INHERIT][SUCCESS];[WRT PROP];gPOptions;organizationalUnit;WD
>nTSecurityDescriptor: [SACL] AUDIT;[SUCCESS];[CTL];;;DU
>nTSecurityDescriptor: [SACL] AUDIT;[SUCCESS];[CTL];;;BA
>nTSecurityDescriptor: [SACL] AUDIT;[SUCCESS];[WRT PROP][WRT PERMS][WRT OWNER];;;WD
1 Objects returned
Which is far more verbose but still doesn’t decode the SIDs, so if you want that, use the -resolvesids switch in addition to the format you want. For brevity I will go back to -sddl+ which is the one I like best anyway.
G:\blogfodder>adfind -b dc=test,dc=loc -s base ntsecuritydescriptor -sddl+ -resolvesids
AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007
Using server: r2dc1.test.loc:389
Directory: Windows Server 2003
dn:dc=test,dc=loc
>nTSecurityDescriptor: [OWNER] BUILTIN\Administrators
>nTSecurityDescriptor: [GROUP] BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] AI
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Account Restrictions;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Account Restrictions;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Logon Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Logon Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Group Membership;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Group Membership;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;General Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;General Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Remote Access Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Remote Access Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes All;;TEST\Domain Controllers
>nTSecurityDescriptor: [DACL] OA;;CR;Monitor Active Directory Replication;;TEST\testgroup
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;tokenGroups;computer;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;tokenGroups;group;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;tokenGroups;user;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OA;;CR;Replication Synchronization;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OA;;CR;Manage Replication Topology;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes All;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OA;;CR;Create Inbound Forest Trust;;BUILTIN\Incoming Forest Trust Builders
>nTSecurityDescriptor: [DACL] OA;;RP;Domain Password & Lockout Policies;;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;;RP;Other Domain Parameters (for use by SAM);;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;LCRPLORC;;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;LCRPLORC;;group;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;LCRPLORC;;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;;CR;Enable Per User Reversibly Encrypted Password;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] OA;;CR;Unexpire Password;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] OA;;CR;Update Password Not Required Bit;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;;CR;Replication Synchronization;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;;CR;Manage Replication Topology;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;;RP;Other Domain Parameters (for use by SAM);;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] A;;CCLCSWRPWPLOCRRCWDWO;;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;TEST\Enterprise Admins
>nTSecurityDescriptor: [DACL] A;;RPRC;;;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] A;CI;LC;;;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] A;;RP;;;Everyone
>nTSecurityDescriptor: [DACL] A;;LCRPLORC;;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] A;;LCRPLORC;;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [SACL] AI
>nTSecurityDescriptor: [SACL] OU;CISA;WP;gPLink;organizationalUnit;Everyone
>nTSecurityDescriptor: [SACL] OU;CISA;WP;gPOptions;organizationalUnit;Everyone
>nTSecurityDescriptor: [SACL] AU;SA;CR;;;TEST\Domain Users
>nTSecurityDescriptor: [SACL] AU;SA;CR;;;BUILTIN\Administrators
>nTSecurityDescriptor: [SACL] AU;SA;WPWDWO;;;Everyone
1 Objects returned
Oh another option which may be handy… -list
I would show you what that looks like but it seems I have hit a bug in this version of LiveWriter, which seems to be that I have reached the max post length when looking at the post in HTML code mode, which is what I have to do to insert text with PRE tags…. What the -list switch does is rip off the header and the attribute labels and clean up the output even more for you. Try it. 🙂
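Since the raw -sddl string above is what you get when you script around the tool, here is a small Python decoder, added here as an editor's example (not AdFind's or joeware's code), that does what -sddl+ and -sddl++ do by hand: splits the SDDL into owner/group/DACL/SACL, breaks out one ACE per line with GUIDs and SID abbreviations resolved, and then answers the question a defender usually wants from an NC head: which trustees hold a given control-access right such as Replicating Directory Changes All. The GUID names, SID abbreviations and rights labels are taken from the decoded output shown above (the labels are my own wording, not AdFind's); the sample string is constructed from a few of those ACEs.

```python
"""Decode the raw SDDL that `adfind -sddl` prints into one ACE per line, in the
spirit of -sddl+ / -sddl++, then report who holds a given extended right.
Editor's example, not AdFind's code; the labels are the editor's own."""
import re
from collections import namedtuple

ACE_TYPES = {"A": "ALLOW", "D": "DENY", "OA": "OBJ ALLOW", "OD": "OBJ DENY",
             "AU": "AUDIT", "OU": "OBJ AUDIT", "AL": "ALARM", "OL": "OBJ ALARM"}
ACE_FLAGS = {"CI": "CONT INHERIT", "OI": "OBJ INHERIT", "NP": "NO PROPAGATE",
             "IO": "INHERIT ONLY", "ID": "INHERITED", "SA": "SUCCESS", "FA": "FAILURE"}
RIGHTS = {"CC": "CR CHILD", "DC": "DEL CHILD", "LC": "LIST CHILDREN", "SW": "SELF WRT",
          "RP": "READ PROP", "WP": "WRT PROP", "DT": "DEL TREE", "LO": "LIST OBJ",
          "CR": "CTL", "SD": "DEL", "RC": "READ", "WD": "WRT PERMS", "WO": "WRT OWNER",
          "GA": "GENERIC ALL"}
# Two-letter SID abbreviations, resolved the way -resolvesids shows them above.
SID_ABBREVS = {"BA": "BUILTIN\\Administrators", "DA": "Domain Admins",
               "EA": "Enterprise Admins", "DD": "Domain Controllers", "DU": "Domain Users",
               "RU": "BUILTIN\\Pre-Windows 2000 Compatible Access", "WD": "Everyone",
               "ED": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
               "AU": "NT AUTHORITY\\Authenticated Users", "SY": "NT AUTHORITY\\SYSTEM"}
# Extended-right and class GUIDs, as the -sddl+ output above decodes them.
GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes",
    "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2": "Replication Synchronization",
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": "Manage Replication Topology",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes All",
    "f98340fb-7c5b-4cdb-a00b-2ebdfa115a96": "Monitor Active Directory Replication",
    "b7c69e6d-2cc7-11d2-854e-00a0c983f608": "tokenGroups",
    "bf967a86-0de6-11d0-a285-00aa003049e2": "computer",
    "bf967aba-0de6-11d0-a285-00aa003049e2": "user",
}
# SDDL ACE fields: type;flags;rights;object guid;inherit-object guid;trustee
Ace = namedtuple("Ace", "type flags rights object_guid inherit_guid trustee")

def _pairs(s):
    """Split a run of two-letter SDDL tokens: "CIIO" -> ["CI", "IO"]."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_sddl(sddl):
    """Split 'O:..G:..D:..S:..' into owner/group/DACL/SACL (missing -> None).
    ACEs never contain ':' so the next 'X:' is a safe component boundary."""
    comps = {"O": None, "G": None, "D": None, "S": None}
    for key, val in re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl):
        comps[key] = val
    return comps

def parse_acl(acl):
    """'AI(OA;...)(A;...)' -> (ACL control flags, [Ace, ...]) in ACE order."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", acl):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError("malformed ACE: " + body)
        aces.append(Ace(*parts))
    return acl.partition("(")[0], aces

def name(guid):
    return GUIDS.get(guid, guid)

def ace_plus(ace):
    """-sddl+ style: same tokens, GUIDs swapped for their names."""
    return ";".join([ace.type, ace.flags, ace.rights, name(ace.object_guid),
                     name(ace.inherit_guid), ace.trustee])

def ace_plusplus(ace):
    """-sddl++ style: type, flags and rights spelled out, trustee resolved."""
    flags = "".join("[%s]" % ACE_FLAGS.get(f, f) for f in _pairs(ace.flags))
    if ace.rights.startswith("0x"):   # raw access mask; left as-is
        rights = "[%s]" % ace.rights
    else:
        rights = "".join("[%s]" % RIGHTS.get(r, r) for r in _pairs(ace.rights))
    return ";".join([ACE_TYPES.get(ace.type, ace.type), flags, rights, name(ace.object_guid),
                     name(ace.inherit_guid), SID_ABBREVS.get(ace.trustee, ace.trustee)])

def holders_of_control_right(sddl, right_name):
    """Trustees whose allow ACEs grant the named extended right: an object ACE
    naming it, or a plain ACE carrying CR (every extended right) or GA.
    Deny ACEs are not subtracted, so treat the result as a review worklist."""
    out = []
    for ace in parse_acl(parse_sddl(sddl)["D"] or "")[1]:
        if ace.type not in ("A", "OA"):
            continue
        rights = set(_pairs(ace.rights))
        blanket = "GA" in rights or ("CR" in rights and not ace.object_guid)
        if blanket or ("CR" in rights and name(ace.object_guid) == right_name):
            out.append(SID_ABBREVS.get(ace.trustee, ace.trustee))
    return out

# Constructed sample: a handful of the NC-head ACEs from the output above.
SAMPLE = ("O:BAG:BAD:AI(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)"
          "(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)"
          "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
          "(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;LC;;;RU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
          "S:AI(AU;SA;CR;;;BA)")

if __name__ == "__main__":
    comps = parse_sddl(SAMPLE)
    print("[OWNER]", SID_ABBREVS.get(comps["O"], comps["O"]))
    for label in ("D", "S"):
        for ace in parse_acl(comps[label])[1]:
            print("[%sACL]" % label, ace_plusplus(ace))
    print(holders_of_control_right(SAMPLE, "Replicating Directory Changes All"))
```

Anything in that last list beyond the DCs and the admin groups you expect is worth a look, and if you ran AdFind with -sdna or -nosacl the "S" component will simply be None.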
So anyway… cool yeah?
I think that should conclude the first post on AdFind and Security Descriptors as it is already pretty long. I will write another post before too long and go into the various switches available for outputting the security descriptors in various ways with various options. In the meanwhile if you are very curious, take a peek at adfind /?? and adfind /sc?
Also does anyone have any specific question about AdFind and its ability to display security descriptors?
joe