joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

4/11/2008

What is the correct answer in this situation???

by @ 7:11 pm. Filed under humour

How do you respond to someone who asks you “Will a WAN link being down affect a file copy going over it?”


I mean you have the correct obvious technical response of “ummm YES!” but at this point, would that really help anything? Really???

Isn’t there a deeper more meaningful “life, the universe, and everything” type question that needs to be asked, answered, and responded to in this situation?

The response that immediately comes to my mind is “How exactly did you get to the point you are at now where you could ask that question in the first place? What schools, training, and series of managers failed you into the position you have found yourself?”.

I mean really… This is the basic point A and point B problem isn’t it? If point A is not connected to point B, it is going to be tough if not impossible to get between them. This isn’t just a computer thing, this is a life thing. If the bridge to cross the river is blown up while you are on it, is that going to affect you driving over it? Hmmm I don’t know, let me reach out and ask someone else…


Email Issues

by @ 7:09 pm. Filed under general

I am smack in the middle of email issues so if anyone has sent me email in the last few days and I haven’t responded…. Well that would be the reason.


Anyone who sent me email prior to Wednesday and I haven’t responded… well I just haven’t gotten to that yet. :<>


Dick Cheney – Sunglasses – Nude woman!!!

by @ 7:09 pm. Filed under general

I thought I would add my part to this ridiculous controversy which illustrates that some people have too much time on their hands… Maybe even me for taking time to have read the article and then post this…

This is a picture of Dick Cheney out fly fishing, this picture was posted on the White House web site I guess. I don’t know, I don’t ever go there, no one there I want to see or talk to. Anyway someone said that if you look closely at the reflection, you will see a naked woman… I looked at the picture, I don’t see it. I see a hand and a fishing pole. I see what someone with an overactive imagination and hasn’t been near a real naked woman in a while might consider a naked woman. You be the judge.

Even if there was a naked woman or 50 naked women in the reflection… so what?



4/10/2008

You gotta love Dwight

by @ 5:04 pm. Filed under quotes

Misc quotes from Dwight in The Office…


Oh it is serious. Five citations and you’re looking at a violation. Four of those and you’ll receive a verbal warning. Keep it up, and you’re looking at a written warning. Two of those, that’ll land you in world of hurt. In the form of a disciplinary review, written up by me, and placed on the desk of my immediate superior.


In the Schrute family, we have a tradition where when the male has sex with another woman, he is rewarded with a bag of wild oats left on his doorstep by his parents. You can use those oats to make oatmeal, bread, whatever you want, I don’t care. They’re your oats.


Whenever I’m about to do something, I think, “Would an idiot do that?” And if they would, I do not do that thing.


As a farmer I know that when an animal is sick sometimes the right thing to do is put it out of its misery. With the electricity we are using to keep Meredith alive we could power a small fan for two days. You tell me what’s unethical.


Cool Little Application – Finds Duplicate Pictures

by @ 5:26 am. Filed under general

This application does some sort of analysis on the pictures, so even if the pictures have different names or sizes, it seems pretty good at finding duplicates…

http://www.softpedia.com/get/Multimedia/Graphic/Graphic-Others/SimilarImages.shtml


Just Installed the Final Version of Windows Live Writer

by @ 4:42 am. Filed under tech

Well the bug in LiveWriter that I ran into in my last post about Security Descriptors got me looking for a more recent version and what do you know, they are now out of beta… So I have loaded the new version and here we go… Right off I can say this version starts up *much* faster and doesn’t seem to have the bug I ran into with the last version with the html code view post limit.

Let’s see what else…

Ohhh – table support, cool, I have needed that…


AdFind and Security Descriptors (this includes ACLs/Permissions) Part I

by @ 4:00 am. Filed under tech

I hear this question all of the time… AdFind is cool, but can it display Security Descriptors in a friendly format… or more accurately most people say “can it display permissions in a way I can read??”

Well yes, AdFind can output security descriptors in a readable format, whether or not *you* can read it is, well, that is something for you to validate on your own. You can, if you want, let me know the results.

The fact is, I actually prefer the Security Descriptor output from AdFind to the output from, say, DSACLS. For a couple of reasons…

First, you aren’t accidentally screwing up and changing anything with AdFind… AdFind CANNOT change anything, it is purely read only. ON PURPOSE! No… “Oops I accidentally clicked on a button and hit OK instead of CANCEL”. It is READ ONLY. Again, what is it??? Read Only. You can give this tool to your mom and she can’t hurt anything. It is duller than a butter knife made from tofu.

Next I like that it is more tightly bound output… I can’t really explain what I mean by that but maybe you understand if you have seen the output from both tools and if not, I will show you the output somewhere below. When I look at the output from DSACLS I think chaotic and too spread out and infinitely painful to script around.

Next thing I like is that unlike DSACLS, AdFind will display *any* security descriptor attribute in AD, not just the nTSecurityDescriptor, so say you are one of the few people who have installed a product called Exchange, there is an attribute called msExchMailboxSecurityDescriptor – yes AdFind can display that as well.

Oh and something really cool… you can use any LDAP query you want to display the security descriptors of any object that matches the query. So you could use one command to dump the security descriptors of all OUs… or all Users with mailboxes… or all groups… or all objects with admincount=1, etc etc etc… Can’t do any of that with DSACLS. But then that wasn’t the goal of that tool when it was put together and there are things that I can’t do with AdFind and AdMod “yet”.


So quickly here is what DSACLS output looks like for anyone who isn’t familiar:

G:\blogfodder>dsacls dc=test,dc=loc
Access list:
Effective Permissions on this object are:
Allow TEST\\Domain Admins                          SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  WRITE PERMISSIONS
                                                  CHANGE OWNERSHIP
                                                  CREATE CHILD
                                                  LIST CONTENTS
                                                  WRITE SELF
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  LIST OBJECT
                                                  CONTROL ACCESS
Allow TEST\\Enterprise Admins                      FULL CONTROL
Allow BUILTIN\\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  READ PROPERTY
Allow BUILTIN\\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
                                                  LIST CONTENTS
Allow BUILTIN\\Administrators                      SPECIAL ACCESS
                                                  DELETE
                                                  READ PERMISSONS
                                                  WRITE PERMISSIONS
                                                  CHANGE OWNERSHIP
                                                  CREATE CHILD
                                                  LIST CONTENTS
                                                  WRITE SELF
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  LIST OBJECT
                                                  CONTROL ACCESS
Allow Everyone                                    SPECIAL ACCESS
                                                  READ PROPERTY
Allow NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS  SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Allow NT AUTHORITY\\Authenticated Users            SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Allow NT AUTHORITY\\SYSTEM                         FULL CONTROL
Allow BUILTIN\\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Domain Password & Lockout Policies
                                                  READ PROPERTY
Allow BUILTIN\\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Other Domain Parameters (for use by SAM)
                                                  READ PROPERTY
Allow NT AUTHORITY\\Authenticated Users            SPECIAL ACCESS for Other Domain Parameters (for use by SAM)
                                                  READ PROPERTY
Allow TEST\\Domain Controllers                     Replicating Directory Changes All
Allow TEST\\testgroup                              Monitor Active Directory Replication
Allow BUILTIN\\Administrators                      Replicating Directory Changes
Allow BUILTIN\\Administrators                      Replication Synchronization
Allow BUILTIN\\Administrators                      Manage Replication Topology
Allow BUILTIN\\Administrators                      Replicating Directory Changes All
Allow BUILTIN\\Incoming Forest Trust Builders      Create Inbound Forest Trust
Allow NT AUTHORITY\\Authenticated Users            Enable Per User Reversibly Encrypted Password
Allow NT AUTHORITY\\Authenticated Users            Unexpire Password
Allow NT AUTHORITY\\Authenticated Users            Update Password Not Required Bit
Allow NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS  Replicating Directory Changes
Allow NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS  Replication Synchronization
Allow NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS  Manage Replication Topology

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\\Enterprise Admins                      FULL CONTROL
Allow BUILTIN\\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
                                                  LIST CONTENTS
Allow BUILTIN\\Administrators                      SPECIAL ACCESS
                                                  DELETE
                                                  READ PERMISSONS
                                                  WRITE PERMISSIONS
                                                  CHANGE OWNERSHIP
                                                  CREATE CHILD
                                                  LIST CONTENTS
                                                  WRITE SELF
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  LIST OBJECT
                                                  CONTROL ACCESS

Inherited to user
Allow BUILTIN\\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Inherited to group
Allow BUILTIN\\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Inherited to inetOrgPerson
Allow BUILTIN\\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Inherited to user
Allow NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS  SPECIAL ACCESS for tokenGroups
                                                  READ PROPERTY
Inherited to group
Allow NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS  SPECIAL ACCESS for tokenGroups
                                                  READ PROPERTY
Inherited to computer
Allow NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS  SPECIAL ACCESS for tokenGroups
                                                  READ PROPERTY
Inherited to user
Allow BUILTIN\\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Remote Access Information
                                                  READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Remote Access Information
                                                  READ PROPERTY
Inherited to user
Allow BUILTIN\\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for General Information
                                                  READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for General Information
                                                  READ PROPERTY
Inherited to user
Allow BUILTIN\\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Group Membership
                                                  READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Group Membership
                                                  READ PROPERTY
Inherited to user
Allow BUILTIN\\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Logon Information
                                                  READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Logon Information
                                                  READ PROPERTY
Inherited to user
Allow BUILTIN\\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Account Restrictions
                                                  READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Account Restrictions
                                                  READ PROPERTY
The command completed successfully

That is a pretty standard NC Head DACL, I think there is only one added ACE for testing something.

How does AdFind display that same info? Well it depends, I like to be a little flexible and it can output in several ways depending on what you want…

But first… I want to point out a couple of switches that may be useful to you if you aren’t an admin of the domain you are going to read info from. By default when you ask for the nTSecurityDescriptor, AD wants to return the entire security descriptor. Well if you don’t have certain rights, specifically manage auditing, you can’t retrieve the System ACL aka SACL or the Auditing information. They don’t want to give you info about what is being audited if you aren’t supposed to be managing it, it might give you a clue of what to try and attack and not be caught… So to get around this, they allow you to only ask for portions of the security descriptor. I put in a special switch to tell AdFind to ask for everything *but* the SACL; that switch is called -sdna which, if you want to know, stands for Security Descriptor Non-Admin. You could also use the -nosacl switch which I added later to be consistent with some other security descriptor switches I added. So if you are not an admin or are running the tool as a normal user, use -sdna or -nosacl to get information back. If you do that, you will notice that anywhere below where the SACL is displayed, you will not have the SACL, make sense? Good…


First the default output:

G:\blogfodder>adfind -b dc=test,dc=loc -s base ntsecuritydescriptor

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: r2dc1.test.loc:389
Directory: Windows Server 2003

dn:dc=test,dc=loc
>nTSecurityDescriptor: {Security Descriptor}


1 Objects returned

As you can see, not all that helpful, so I added a basic decode option called -sddl (or -sddc for Security Descriptor De-Code) that looks like:

G:\blogfodder>adfind -b dc=test,dc=loc -s base ntsecuritydescriptor -sddl

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: r2dc1.test.loc:389
Directory: Windows Server 2003

dn:dc=test,dc=loc
>nTSecurityDescriptor: [OWNER] BA
>nTSecurityDescriptor: [GROUP] BA
>nTSecurityDescriptor: [DACL]  AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa0
03049e2;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP
;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-90
20-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc
14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;f98340fb-7c5b-4cdb-a
00b-2ebdfa115a96;;S-1-5-21-91850410-1263060417-3577111226-2736)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608
;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07
-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c740736
0-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU
)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f5
41;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;
AU)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTL
OCRSDRCWDWO;;;SY)
>nTSecurityDescriptor: [SACL]  AI(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa0
03049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)


1 Objects returned

That is a slightly cleaned up raw SDDL format which you can get info on here –> http://www.washington.edu/computing/support/windows/UWdomains/SDDL.html. Note: Normally I would point at MSDN but it seems they have screwed it up yet again and it isn’t displaying pages properly. I think the whole MSDN site is a lab environment or something, it is broken a good amount of the time.

Anyway, this output is SDDL but it is cleaned up in that the OWNER, GROUP, DACL, and SACL are all broken out onto their own lines for reading. Note that it probably looks pretty bad in the web browser window; it looks much better in a text file or on the screen if you have a sufficiently wide command prompt window (I set mine to 210 characters usually, but even that isn’t really big enough for most security descriptors).

So now the next output decode option is a lot cleaner for most people. It is a slight upgrade from the SDDL format before and so I called the switch -sddl+ (or -sddc+):

G:\blogfodder>adfind -b dc=test,dc=loc -s base ntsecuritydescriptor -sddl+

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: r2dc1.test.loc:389
Directory: Windows Server 2003

dn:dc=test,dc=loc
>nTSecurityDescriptor: [OWNER] BA
>nTSecurityDescriptor: [GROUP] BA
>nTSecurityDescriptor: [DACL] AI
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Account Restrictions;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Account Restrictions;user;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Logon Information;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Logon Information;user;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Group Membership;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Group Membership;user;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;General Information;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;General Information;user;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Remote Access Information;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Remote Access Information;user;RU
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes All;;DD
>nTSecurityDescriptor: [DACL] OA;;CR;Monitor Active Directory Replication;;S-1-5-21-91850410-1263060417-3577111226-2736
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;tokenGroups;computer;ED
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;tokenGroups;group;ED
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;tokenGroups;user;ED
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes;;BA
>nTSecurityDescriptor: [DACL] OA;;CR;Replication Synchronization;;BA
>nTSecurityDescriptor: [DACL] OA;;CR;Manage Replication Topology;;BA
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes All;;BA
>nTSecurityDescriptor: [DACL] OA;;CR;Create Inbound Forest Trust;;S-1-5-32-557
>nTSecurityDescriptor: [DACL] OA;;RP;Domain Password & Lockout Policies;;RU
>nTSecurityDescriptor: [DACL] OA;;RP;Other Domain Parameters (for use by SAM);;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;LCRPLORC;;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;LCRPLORC;;group;RU
>nTSecurityDescriptor: [DACL] OA;CIIO;LCRPLORC;;user;RU
>nTSecurityDescriptor: [DACL] OA;;CR;Enable Per User Reversibly Encrypted Password;;AU
>nTSecurityDescriptor: [DACL] OA;;CR;Unexpire Password;;AU
>nTSecurityDescriptor: [DACL] OA;;CR;Update Password Not Required Bit;;AU
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes;;ED
>nTSecurityDescriptor: [DACL] OA;;CR;Replication Synchronization;;ED
>nTSecurityDescriptor: [DACL] OA;;CR;Manage Replication Topology;;ED
>nTSecurityDescriptor: [DACL] OA;;RP;Other Domain Parameters (for use by SAM);;AU
>nTSecurityDescriptor: [DACL] A;;CCLCSWRPWPLOCRRCWDWO;;;DA
>nTSecurityDescriptor: [DACL] A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA
>nTSecurityDescriptor: [DACL] A;;RPRC;;;RU
>nTSecurityDescriptor: [DACL] A;CI;LC;;;RU
>nTSecurityDescriptor: [DACL] A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA
>nTSecurityDescriptor: [DACL] A;;RP;;;WD
>nTSecurityDescriptor: [DACL] A;;LCRPLORC;;;ED
>nTSecurityDescriptor: [DACL] A;;LCRPLORC;;;AU
>nTSecurityDescriptor: [DACL] A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY
>nTSecurityDescriptor: [SACL] AI
>nTSecurityDescriptor: [SACL] OU;CISA;WP;gPLink;organizationalUnit;WD
>nTSecurityDescriptor: [SACL] OU;CISA;WP;gPOptions;organizationalUnit;WD
>nTSecurityDescriptor: [SACL] AU;SA;CR;;;DU
>nTSecurityDescriptor: [SACL] AU;SA;CR;;;BA
>nTSecurityDescriptor: [SACL] AU;SA;WPWDWO;;;WD


1 Objects returned

That is all of the ACEs broken out one to a line in the order they are in the security descriptor. It is still in SDDL character encoding. For some of you that is fine, at least you can now scan through it. For others, that is still a bit cryptic so I have -sddl++ (and as you may guess -sddc++):

G:\blogfodder>adfind -b dc=test,dc=loc -s base ntsecuritydescriptor -sddl++

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: r2dc1.test.loc:389
Directory: Windows Server 2003

dn:dc=test,dc=loc
>nTSecurityDescriptor: [OWNER] BA
>nTSecurityDescriptor: [GROUP] BA
>nTSecurityDescriptor: [DACL] (FLAGS:INHERIT)
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Account Restrictions;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Account Restrictions;user;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Logon Information;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Logon Information;user;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Group Membership;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Group Membership;user;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];General Information;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];General Information;user;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Remote Access Information;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];Remote Access Information;user;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes All;;DD
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Monitor Active Directory Replication;;S-1-5-21-91850410-1263060417-3577111226-2736
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];tokenGroups;computer;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];tokenGroups;group;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ PROP];tokenGroups;user;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;BA
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replication Synchronization;;BA
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Manage Replication Topology;;BA
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes All;;BA
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Create Inbound Forest Trust;;S-1-5-32-557
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Domain Password & Lockout Policies;;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Other Domain Parameters (for use by SAM);;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;inetOrgPerson;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;group;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST CHILDREN][READ PROP][LIST OBJ][READ];;user;RU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Enable Per User Reversibly Encrypted Password;;AU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Unexpire Password;;AU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Update Password Not Required Bit;;AU
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes;;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replication Synchronization;;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Manage Replication Topology;;ED
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Other Domain Parameters (for use by SAM);;AU
>nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT OWNER];;;DA
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[FC];;;EA
>nTSecurityDescriptor: [DACL] ALLOW;;[READ PROP][READ];;;RU
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[LIST CHILDREN];;;RU
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[CR CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][DEL][READ][WRT PERMS][WRT OWNER];;;BA
>nTSecurityDescriptor: [DACL] ALLOW;;[READ PROP];;;WD
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;ED
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;AU
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;SY
>nTSecurityDescriptor: [SACL] (FLAGS:INHERIT)
>nTSecurityDescriptor: [SACL] OBJ AUDIT;[CONT INHERIT][SUCCESS];[WRT PROP];gPLink;organizationalUnit;WD
>nTSecurityDescriptor: [SACL] OBJ AUDIT;[CONT INHERIT][SUCCESS];[WRT PROP];gPOptions;organizationalUnit;WD
>nTSecurityDescriptor: [SACL] AUDIT;[SUCCESS];[CTL];;;DU
>nTSecurityDescriptor: [SACL] AUDIT;[SUCCESS];[CTL];;;BA
>nTSecurityDescriptor: [SACL] AUDIT;[SUCCESS];[WRT PROP][WRT PERMS][WRT OWNER];;;WD


1 Objects returned
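As an added example (not AdFind's own code) of what the -sddl+ and -sddl++ decodes do, here is a small Python decoder that takes the ACL string following the [DACL] or [SACL] label above, rewrites each ACE in both forms, optionally resolving the SID aliases the way -resolvesids does, and finishes with the kind of check the one-ACE-per-line layout makes easy to script: which trustees hold a given control-access right on the object itself. The GUID and SID tables cover only the values in this post's sample output, with TEST as the lab domain name.

```python
"""Decode Active Directory SDDL ACEs into the one-ACE-per-line forms that AdFind's
-sddl+ and -sddl++ switches print (added example, not AdFind's own code)."""
import re

# SDDL abbreviations, labelled the way the post's -sddl++ output labels them.
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "OA": "OBJ ALLOW", "OD": "OBJ DENY",
             "AU": "AUDIT", "OU": "OBJ AUDIT"}
ACE_FLAGS = {"CI": "CONT INHERIT", "OI": "OBJ INHERIT", "NP": "NO PROPAGATE",
             "IO": "INHERIT ONLY", "ID": "INHERITED", "SA": "SUCCESS", "FA": "FAILURE"}
RIGHTS = {"CC": "CR CHILD", "DC": "DEL CHILD", "LC": "LIST CHILDREN",
          "SW": "SELF WRT", "RP": "READ PROP", "WP": "WRT PROP", "DT": "DEL TREE",
          "LO": "LIST OBJ", "CR": "CTL", "SD": "DEL", "RC": "READ",
          "WD": "WRT PERMS", "WO": "WRT OWNER"}
FULL_CONTROL = "CCDCLCSWRPWPDTLOCRSDRCWDWO"   # -sddl++ collapses this to [FC]
# GUID -> name pairs read off the post's -sddl and -sddl+ output (sample needs only these).
GUIDS = {"4c164200-20c0-11d0-a768-00aa006e0529": "Account Restrictions",
         "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes All",
         "f30e3bbe-9ff0-11d1-b603-0000f80367c1": "gPLink",
         "4828cc14-1437-45bc-9b07-ad6f015e5f28": "inetOrgPerson",
         "bf967aa5-0de6-11d0-a285-00aa003049e2": "organizationalUnit"}
# SID aliases as -resolvesids shows them; TEST is the post's lab domain.
SIDS = {"BA": "BUILTIN\\Administrators", "DA": "TEST\\Domain Admins",
        "RU": "BUILTIN\\Pre-Windows 2000 Compatible Access",
        "EA": "TEST\\Enterprise Admins", "DD": "TEST\\Domain Controllers",
        "SY": "NT AUTHORITY\\SYSTEM", "WD": "Everyone", "DU": "TEST\\Domain Users"}

def split_pairs(s):
    """'CIIO' -> ['CI', 'IO']; SDDL flag and right abbreviations are two chars."""
    if len(s) % 2:
        raise ValueError(f"odd-length SDDL abbreviation string: {s!r}")
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_acl(acl):
    """Split 'AI(ace)(ace)...' into (acl_flags, aces); each ACE dict holds the six
    SDDL fields type;flags;rights;object_guid;inherit_object_guid;trustee."""
    acl_flags = acl.split("(", 1)[0]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", acl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"expected 6 ';'-separated ACE fields: {body!r}")
        ace_type, flags, rights, obj, inh_obj, trustee = fields
        aces.append({"type": ace_type, "flags": split_pairs(flags), "rights": rights,
                     "object": obj, "inherit_object": inh_obj, "trustee": trustee})
    return acl_flags, aces

def lookup(table, key):
    return table.get(key, key)          # unknown GUIDs/SIDs pass through unchanged

def ace_fields(ace, resolve_sids):
    """The six fields with GUIDs (and optionally the trustee SID) replaced by names."""
    trustee = lookup(SIDS, ace["trustee"]) if resolve_sids else ace["trustee"]
    return [ace["type"], "".join(ace["flags"]), ace["rights"],
            lookup(GUIDS, ace["object"].lower()),
            lookup(GUIDS, ace["inherit_object"].lower()), trustee]

def to_sddl_plus(ace, resolve_sids=False):
    """-sddl+ style: raw abbreviations kept, GUIDs replaced by names."""
    return ";".join(ace_fields(ace, resolve_sids))

def decode_rights(rights):
    if rights == FULL_CONTROL:
        return "[FC]"
    if rights.startswith("0x"):          # SDDL also allows a hex access mask
        return f"[{rights}]"
    return "".join(f"[{lookup(RIGHTS, r)}]" for r in split_pairs(rights))

def to_sddl_plusplus(ace, resolve_sids=False):
    """-sddl++ style: type, flags and rights spelled out in brackets."""
    fields = ace_fields(ace, resolve_sids)
    fields[0] = ACE_TYPES[ace["type"]]
    fields[1] = "".join(f"[{lookup(ACE_FLAGS, f)}]" for f in ace["flags"])
    fields[2] = decode_rights(ace["rights"])
    return ";".join(fields)

def trustees_with_control_right(aces, right_name):
    """Trustees allowed the named extended right on the object itself: an OA ACE naming
    it, or an allow ACE granting CR with no object GUID. IO-only ACEs are skipped."""
    found = set()
    for ace in aces:
        if ace["type"] not in ("A", "OA") or "IO" in ace["flags"]:
            continue
        rights = [] if ace["rights"].startswith("0x") else split_pairs(ace["rights"])
        if "CR" in rights and lookup(GUIDS, ace["object"].lower()) in ("", right_name):
            found.add(ace["trustee"])
    return sorted(found)

# Constructed sample: six ACEs copied from the post's NC head DACL and two from its SACL.
SAMPLE_DACL = ("AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;"
               "4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)"
               "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)"
               "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)"
               "(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA)"
               "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)")
SAMPLE_SACL = ("AI(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
               "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)")

if __name__ == "__main__":
    for label, acl in (("DACL", SAMPLE_DACL), ("SACL", SAMPLE_SACL)):
        for ace in parse_acl(acl)[1]:
            print(f"[{label}] {to_sddl_plusplus(ace, resolve_sids=True)}")
```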

That is far more verbose but still doesn’t decode the SIDs, so if you want that, use the -resolvesids switch in addition to the format you want. For brevity I will go back to -sddl+, which is the one I like the best anyway.

G:\blogfodder>adfind -b dc=test,dc=loc -s base ntsecuritydescriptor -sddl+ -resolvesids

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: r2dc1.test.loc:389
Directory: Windows Server 2003

dn:dc=test,dc=loc
>nTSecurityDescriptor: [OWNER] BUILTIN\Administrators
>nTSecurityDescriptor: [GROUP] BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] AI
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Account Restrictions;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Account Restrictions;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Logon Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Logon Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Group Membership;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Group Membership;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;General Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;General Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Remote Access Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Remote Access Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes All;;TEST\Domain Controllers
>nTSecurityDescriptor: [DACL] OA;;CR;Monitor Active Directory Replication;;TEST\testgroup
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;tokenGroups;computer;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;tokenGroups;group;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;tokenGroups;user;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OA;;CR;Replication Synchronization;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OA;;CR;Manage Replication Topology;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes All;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OA;;CR;Create Inbound Forest Trust;;BUILTIN\Incoming Forest Trust Builders
>nTSecurityDescriptor: [DACL] OA;;RP;Domain Password & Lockout Policies;;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;;RP;Other Domain Parameters (for use by SAM);;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;LCRPLORC;;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;LCRPLORC;;group;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;CIIO;LCRPLORC;;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;;CR;Enable Per User Reversibly Encrypted Password;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] OA;;CR;Unexpire Password;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] OA;;CR;Update Password Not Required Bit;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;;CR;Replication Synchronization;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;;CR;Manage Replication Topology;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OA;;RP;Other Domain Parameters (for use by SAM);;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] A;;CCLCSWRPWPLOCRRCWDWO;;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;TEST\Enterprise Admins
>nTSecurityDescriptor: [DACL] A;;RPRC;;;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] A;CI;LC;;;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] A;;RP;;;Everyone
>nTSecurityDescriptor: [DACL] A;;LCRPLORC;;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] A;;LCRPLORC;;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [SACL] AI
>nTSecurityDescriptor: [SACL] OU;CISA;WP;gPLink;organizationalUnit;Everyone
>nTSecurityDescriptor: [SACL] OU;CISA;WP;gPOptions;organizationalUnit;Everyone
>nTSecurityDescriptor: [SACL] AU;SA;CR;;;TEST\Domain Users
>nTSecurityDescriptor: [SACL] AU;SA;CR;;;BUILTIN\Administrators
>nTSecurityDescriptor: [SACL] AU;SA;WPWDWO;;;Everyone


1 Objects returned

Oh another option which may be handy… -list

I would show you what that looks like, but it seems I have hit a bug in this version of LiveWriter: I seem to have reached the max post length when looking at the post in HTML code mode, which is what I have to do to insert text with PRE tags. What the -list switch does is rip off the header and the attribute labels and clean up the output even more for you. Try it. 🙂
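Once the descriptor is in this shape it is easy to check mechanically rather than by eyeballing fifty lines. What follows is an added example written for this page; it is not code from the post and not part of AdFind. It parses the -sddl+ -resolvesids lines above into their six fields, expands the two-letter rights codes, and answers the questions a reviewer actually has about the domain head: who is allowed the Replicating Directory Changes and Replicating Directory Changes All control access rights, and who holds Write DAC. It skips inherit-only (IO) ACEs, since those do not apply to the object itself, and treats an allow ACE carrying CR with an empty object type as granting every control access right, which is what such an ACE means. The sample lines are a subset copied from the output above. The regex keys on the [DACL]/[SACL] tag rather than the attribute label so it should also accept -list output; that -list keeps the section tags is an assumption, not something the post states.

```python
"""Parse the ACE lines AdFind prints for nTSecurityDescriptor with -sddl+
-resolvesids and report who holds sensitive rights on the object."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Two-letter SDDL access-right codes found in the third field of an ACE.
RIGHTS = {
    "CC": "Create Child", "DC": "Delete Child", "LC": "List Children",
    "SW": "Self Write", "RP": "Read Property", "WP": "Write Property",
    "DT": "Delete Tree", "LO": "List Object", "CR": "Control Access",
    "SD": "Delete", "RC": "Read Control", "WD": "Write DAC", "WO": "Write Owner",
    "GA": "Generic All", "GR": "Generic Read", "GW": "Generic Write",
    "GX": "Generic Execute",
}

# Keys on the [DACL]/[SACL] tag so it works with or without the attribute
# label in front (assumption: -list output still carries the section tag).
ACE_LINE = re.compile(r"^(?:>?nTSecurityDescriptor:\s*)?\[(DACL|SACL)\]\s*(.*)$")


@dataclass
class Ace:
    section: str                # DACL or SACL
    ace_type: str               # A, D, OA, OD, AU, OU ...
    flags: List[str]            # CI, IO, ID, SA ... as two-letter codes
    rights: List[str]           # decoded right names
    object_type: str            # attribute, property set or control access right ("" = any)
    inherited_object_type: str  # object class the ACE is for ("" = any)
    trustee: str


def split_codes(code: str) -> List[str]:
    """Split a run of two-letter SDDL codes, e.g. 'LCRPLORC' -> ['LC','RP','LO','RC']."""
    if len(code) % 2:
        raise ValueError(f"odd-length code string: {code!r}")
    return [code[i:i + 2] for i in range(0, len(code), 2)]


def decode_rights(code: str) -> List[str]:
    pairs = split_codes(code)
    unknown = [p for p in pairs if p not in RIGHTS]
    if unknown:
        raise ValueError(f"unknown right code(s) {unknown} in {code!r}")
    return [RIGHTS[p] for p in pairs]


def parse_ace(line: str) -> Optional[Ace]:
    m = ACE_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    parts = body.split(";")
    if len(parts) != 6:
        return None  # "[DACL] AI" carries only the ACL control flags, not an ACE
    ace_type, flags, rights, obj, inh_obj, trustee = parts
    # AdFind prints DOMAIN\name; collapse doubled backslashes in case the text
    # was pasted through something that escaped them.
    trustee = trustee.replace("\\\\", "\\")
    return Ace(section, ace_type, split_codes(flags), decode_rights(rights),
               obj, inh_obj, trustee)


def parse_output(text: str) -> List[Ace]:
    return [a for a in (parse_ace(l) for l in text.splitlines()) if a is not None]


def effective_allow_aces(aces: List[Ace]) -> List[Ace]:
    """DACL allow ACEs that apply to this object; inherit-only ones do not."""
    return [a for a in aces
            if a.section == "DACL" and a.ace_type in ("A", "OA") and "IO" not in a.flags]


def holders_of_control_right(aces: List[Ace], right_name: str) -> List[str]:
    """Trustees allowed the named control access (extended) right here. An allow
    ACE with CR and an empty object type grants all control access rights."""
    return sorted({a.trustee for a in effective_allow_aces(aces)
                   if "Control Access" in a.rights and a.object_type in ("", right_name)})


def holders_of_right(aces: List[Ace], right_name: str) -> List[str]:
    """Trustees allowed a plain right such as 'Write DAC' or 'Write Owner'."""
    return sorted({a.trustee for a in effective_allow_aces(aces) if right_name in a.rights})


# Sample input: a subset of the lines from the -sddl+ -resolvesids output above.
SAMPLE = r"""
dn:dc=test,dc=loc
>nTSecurityDescriptor: [OWNER] BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] AI
>nTSecurityDescriptor: [DACL] OA;CIIO;RP;Account Restrictions;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes All;;TEST\Domain Controllers
>nTSecurityDescriptor: [DACL] OA;;CR;Monitor Active Directory Replication;;TEST\testgroup
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes All;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OA;;CR;Replicating Directory Changes;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] A;;CCLCSWRPWPLOCRRCWDWO;;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;TEST\Enterprise Admins
>nTSecurityDescriptor: [DACL] A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] A;;LCRPLORC;;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [SACL] AI
>nTSecurityDescriptor: [SACL] AU;SA;WPWDWO;;;Everyone
"""

if __name__ == "__main__":
    aces = parse_output(SAMPLE)
    for name in ("Replicating Directory Changes", "Replicating Directory Changes All"):
        print(f"{name}: {holders_of_control_right(aces, name)}")
    print("Write DAC:", holders_of_right(aces, "Write DAC"))
```

On the sample the Replicating Directory Changes All report comes back with Domain Controllers, Administrators, Domain Admins, Enterprise Admins and SYSTEM: the two explicit ACEs plus the three blanket CR grants. Note that the Everyone entry with WPWDWO is in the SACL, so it is an audit entry and never shows up as a holder. To run it against a live domain, pipe the real adfind output in place of SAMPLE.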

So anyway… cool yeah?

I think that should conclude the first post on AdFind and security descriptors, as it is already pretty long. I will write another post before too long and go into the various switches available for outputting security descriptors in different ways. In the meantime, if you are very curious, take a peek at adfind /?? and adfind /sc?

Also, does anyone have any specific questions about AdFind and its ability to display security descriptors?

   joe


4/9/2008

Risk…

by @ 7:00 am. Filed under quotes

“Only those who risk going too far can possibly find out how far they can go.”

–T.S. Eliot


4/8/2008

DEC 2009

by @ 7:00 am. Filed under tech

Will be in Vegas on March 22-25…

🙂

DEC 2009 Europe will be in Europe in September 2009.

Speaking of DEC Europe, how many people go to that who don’t go to DEC USA? And of those, how many are interested in having Dean and me run around saying hi? Not actually presenting, just being around to chat between sessions and at the social events?


4/7/2008

See this sounds horrible… Sounds like someone’s little speed boat. Silly Screaming Chicken Lovers…

by @ 9:11 pm. Filed under general


[joeware – never stop exploring… :) is proudly powered by WordPress.]