You probably also want to specify the attribute ntsecuritydescriptor so you
don't have to see the other attributes, but maybe you do want to see them;
obviously each person will be different.
 
You can also have that put into CSV format if wanted so it could be imported
into Excel or Access or something. ACLs can be fun to figure out how to best
display or work with.
 
Something else that can be done here: you can tell adfind to only output the
explicit ACEs, which can clean up the output considerably. If you don't do
much or any blocking then you can still get a great idea of what is going on
but have to look at less actual data.
 
You can filter out the inherited ACEs with -sddlnotfilter ;inherited
 
So say you just wanted the ACLs for the one level scope from the root of a
domain, just displaying the security descriptor and the explicitly set
ACEs... It would look something like
 
 
G:\Temp>adfind -default -f * -s one ntsecuritydescriptor -sddl++
-resolvesids -sddlnotfilter ;inherited
 
AdFind V01.35.00cpp Joe Richards ([EMAIL PROTECTED])
January 2007
 
Using server: r2dc2.test.loc:389
Directory: Windows Server 2003
Base DN: DC=test,DC=loc
 
dn:CN=Builtin,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] ALLOW;;[READ PROP];;;Everyone
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory
Changes;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replication
Synchronization;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Manage Replication
Topology;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory
Changes;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replication
Synchronization;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Manage Replication
Topology;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][LIST CHILDREN][SELF
WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT
OWNER];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[CR CHILD][LIST
CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][DEL][READ][WRT
PERMS][WRT OWNER];;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[FC];;;TEST\Enterprise
Admins
>nTSecurityDescriptor: [DACL] ALLOW;[CONT INHERIT];[LIST
CHILDREN];;;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ
PROP];Remote Access Information;user;BUILTIN\Pre-Windows 2000 Compatible
Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ
PROP];General Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ
PROP];Group Membership;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ
PROP];Account Restrictions;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ
PROP];Logon Information;user;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Domain Password &
Lockout Policies;;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST
CHILDREN][READ PROP][LIST OBJ][READ];;group;BUILTIN\Pre-Windows 2000
Compatible Access
>nTSecurityDescriptor: [DACL] ALLOW;;[READ PROP][READ];;;BUILTIN\Pre-Windows
2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST
CHILDREN][READ PROP][LIST OBJ][READ];;user;BUILTIN\Pre-Windows 2000
Compatible Access
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ
PROP];Remote Access Information;inetOrgPerson;BUILTIN\Pre-Windows 2000
Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ
PROP];General Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible
Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ
PROP];Group Membership;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible
Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ
PROP];Account Restrictions;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible
Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ
PROP];Logon Information;inetOrgPerson;BUILTIN\Pre-Windows 2000 Compatible
Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[LIST
CHILDREN][READ PROP][LIST OBJ][READ];;inetOrgPerson;BUILTIN\Pre-Windows 2000
Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Other Domain Parameters
(for use by SAM);;BUILTIN\Pre-Windows 2000 Compatible Access
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[READ PROP];Other Domain Parameters
(for use by SAM);;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ
PROP];tokenGroups;user;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ
PROP];tokenGroups;group;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OBJ ALLOW;[CONT INHERIT][INHERIT ONLY];[READ
PROP];tokenGroups;computer;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes
All;;TEST\Domain Controllers
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Replicating Directory Changes
All;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Create Inbound Forest
Trust;;BUILTIN\Incoming Forest Trust Builders
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Update Password Not Required
Bit;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Unexpire Password;;NT
AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Enable Per User Reversibly
Encrypted Password;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [SACL] AUDIT;[SUCCESS];[WRT PROP][WRT PERMS][WRT
OWNER];;;Everyone
>nTSecurityDescriptor: [SACL] AUDIT;[SUCCESS];[CTL];;;BUILTIN\Administrators
>nTSecurityDescriptor: [SACL] AUDIT;[SUCCESS];[CTL];;;TEST\Domain Users
>nTSecurityDescriptor: [SACL] OBJ AUDIT;[CONT INHERIT][SUCCESS];[WRT
PROP];gPLink;organizationalUnit;Everyone
>nTSecurityDescriptor: [SACL] OBJ AUDIT;[CONT INHERIT][SUCCESS];[WRT
PROP];gPOptions;organizationalUnit;Everyone
 
dn:CN=Computers,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];inetOrgPerson;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];computer;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];group;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];printQueue;;BUILTIN\Print Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];user;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][DEL CHILD][LIST
CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT
OWNER];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
 
dn:OU=Domain Controllers,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][LIST CHILDREN][SELF
WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT
OWNER];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [SACL] AUDIT;[SUCCESS];[CR CHILD][DEL CHILD][DEL
TREE][DEL][WRT PERMS][WRT OWNER];;;Everyone
>nTSecurityDescriptor: [SACL] AUDIT;[CONT INHERIT][SUCCESS];[WRT
PROP];;;Everyone
 
dn:CN=ForeignSecurityPrincipals,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\Authenticated Users
 
dn:CN=Infrastructure,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][LIST CHILDREN][SELF
WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT
OWNER];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [SACL] AUDIT;[SUCCESS];[WRT PROP][CTL];;;Everyone
 
dn:CN=LostAndFound,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][DEL CHILD][LIST
CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT
OWNER];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
 
dn:OU=My,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];inetOrgPerson;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];computer;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];group;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];printQueue;;BUILTIN\Print Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];user;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
 
dn:CN=NTDS Quotas,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;BUILTIN\Administrators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Query Self Quota;;Everyone
>nTSecurityDescriptor: [SACL] AUDIT;[CONT INHERIT][SUCCESS];[CR CHILD][DEL
CHILD][SELF WRT][WRT PROP][DEL TREE][CTL][DEL][WRT PERMS][WRT
OWNER];;;Everyone
 
dn:CN=Program Data,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\Authenticated Users
 
dn:CN=System,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][LIST CHILDREN][SELF
WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT
OWNER];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
 
dn:OU=TestOU,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];inetOrgPerson;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];computer;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];group;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];printQueue;;BUILTIN\Print Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];user;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
 
dn:CN=Users,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
>nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][DEL CHILD][LIST
CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT
OWNER];;;TEST\Domain Admins
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];user;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];group;;BUILTIN\Account Operators
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];printQueue;;BUILTIN\Print Operators
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\Authenticated Users
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];inetOrgPerson;;BUILTIN\Account Operators
 

12 Objects returned

And of course again that could be output into CSV for further script
processing or Excel/Access use. The next thing that I would generally do
with this would be to put it through a script that will validate the
explicit ACEs against the default SD for the object type and alert you to
deltas there.
 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
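As an added example (not part of the mail above and not AdFind's own code), the following script does the two things the post describes with the -sddl++ display form: it re-joins the lines a mail client wrapped, parses each `>nTSecurityDescriptor:` value into its six `;`-separated fields (ACL and ACE kind, flags, rights, object type, inherited object type, trustee), and diffs one object's explicit ACEs against a baseline so that anything outside the expected defaults is reported. The sample output and the baseline are constructed for the example; `TEST\Helpdesk` is a made-up trustee inserted so the delta has something to flag. A real baseline would be derived from the schema class's defaultSecurityDescriptor (raw SDDL) and chosen per objectClass, which means adding objectclass to the attribute list of the adfind call.

```python
from dataclasses import dataclass

# Constructed sample, not real directory data: what
#   adfind -default -f * -s one ntsecuritydescriptor -sddl++ -resolvesids -sddlnotfilter ;inherited
# prints for two objects, wrapped at mail width. TEST\Helpdesk is a made-up
# trustee added so that the delta report has something to flag.
SAMPLE = """\
dn:CN=Computers,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL
CHILD];computer;;BUILTIN\\Account Operators
>nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST
OBJ][READ];;;NT AUTHORITY\\Authenticated Users
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\\SYSTEM
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\\Helpdesk
>nTSecurityDescriptor: [SACL] AUDIT;[SUCCESS];[WRT PROP][WRT PERMS][WRT
OWNER];;;Everyone

dn:OU=TestOU,DC=test,DC=loc
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\\Domain Admins
>nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\\SYSTEM

2 Objects returned
"""

# Constructed baseline for a container: the explicit ACEs it is expected to
# carry. In a real run this comes from the schema class's
# defaultSecurityDescriptor (raw SDDL); a stand-in in the same display form
# keeps the example self-contained and offline.
BASELINE_CONTAINER = [
    "[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];computer;;BUILTIN\\Account Operators",
    "[DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\\Authenticated Users",
    "[DACL] ALLOW;;[CR CHILD][DEL CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP]"
    "[LIST OBJ][CTL][READ][WRT PERMS][WRT OWNER];;;TEST\\Domain Admins",
    "[DACL] ALLOW;;[FC];;;NT AUTHORITY\\SYSTEM",
    "[SACL] AUDIT;[SUCCESS];[WRT PROP][WRT PERMS][WRT OWNER];;;Everyone",
]


@dataclass(frozen=True)
class Ace:
    acl: str                    # "DACL" or "SACL"
    kind: str                   # "ALLOW", "OBJ ALLOW", "AUDIT", "OBJ AUDIT"
    flags: tuple                # e.g. ("CONT INHERIT", "INHERIT ONLY") or ("SUCCESS",)
    rights: tuple               # e.g. ("READ PROP", "WRT PROP")
    object_type: str            # property, property set, extended right or child class; "" if none
    inherited_object_type: str  # class the ACE applies to when inherited; "" if none
    trustee: str                # resolved SID, e.g. "TEST\\Domain Admins"


def _bracketed(s):
    """'[CR CHILD][DEL CHILD]' -> ('CR CHILD', 'DEL CHILD'); '' -> ()."""
    return tuple(s.strip("[]").split("][")) if s else ()


def parse_ace(value):
    """Parse one ACE in the -sddl++ display form:
    [ACL] KIND;flags;rights;objectType;inheritedObjectType;trustee"""
    head, *rest = value.split(";")
    if len(rest) != 5 or not head.startswith("[") or "] " not in head:
        raise ValueError(f"unrecognised ACE: {value!r}")
    acl, kind = head[1:].split("] ", 1)
    flags, rights, otype, iotype, trustee = rest
    return Ace(acl, kind, _bracketed(flags), _bracketed(rights), otype, iotype, trustee)


def unwrap(text):
    """Re-join lines a mail client wrapped: a non-blank line that starts with
    neither 'dn:' nor '>' continues the previous (non-blank) line."""
    out = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line and not line.startswith(("dn:", ">")) and out and out[-1]:
            out[-1] += " " + line.lstrip()
        else:
            out.append(line)
    return out


def parse_adfind(text):
    """Group the ACEs of an adfind dump by object DN."""
    objects, current = {}, None
    for line in unwrap(text):
        if line.startswith("dn:"):
            current = line[3:].strip()
            objects[current] = []
        elif line.startswith(">nTSecurityDescriptor:") and current is not None:
            objects[current].append(parse_ace(line.split(":", 1)[1].strip()))
    return objects


def delta(aces, baseline):
    """Return (extra, missing): explicit ACEs not in the baseline, and baseline
    ACEs that are absent. Both directions matter: an extra grant may be an
    unreviewed delegation, a missing default may mean someone hand-edited the SD."""
    have = frozenset(aces)
    return sorted(have - baseline, key=str), sorted(baseline - have, key=str)


if __name__ == "__main__":
    objects = parse_adfind(SAMPLE)
    baseline = frozenset(parse_ace(v) for v in BASELINE_CONTAINER)
    dn = "CN=Computers,DC=test,DC=loc"
    extra, missing = delta(objects[dn], baseline)
    print(dn)
    for a in extra:
        print("  EXTRA  ", a.trustee, " ".join(a.rights), a.object_type)
    for a in missing:
        print("  MISSING", a.trustee, " ".join(a.rights), a.object_type)
```

Because `Ace` is a frozen dataclass with tuple fields, ACEs compare and hash by value, so the delta is a plain set difference; a trustee that appears in both with different rights shows up once as extra and once as missing, which is exactly the change you want to see.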
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 25, 2007 5:21 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD Security Auditing



AdFind.exe -sddc++  -b DC=example,DC=com -resolvesids -f
"(|(objectcategory=container)(objectcategory=organizationalUnit))" >OU_ACL.txt


Thanks, 
Andrew Fidel 

"Casey Robertson" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/23/2007 05:41 PM
Please respond to ActiveDir@mail.activedir.org

To: <ActiveDir@mail.activedir.org>
cc:
Subject: [ActiveDir] AD Security Auditing

We are embarking on a project to clean up our OU structure and reassign
permissions that have grown unmanageable over time.  To accomplish this it
would be nice to be able to dump permissions on all OU objects and
individual object types (users, computers, etc.) so that we can determine who
has rights to what.  The prospect of doing this manually is daunting at best
and for the most part I have only seen 3rd party tools (read: expensive)
that do this in an easy to use fashion.

Any suggestions for tools, scripts etc. would be appreciated.  Either that or
we can rebuild our OU structure :-)
  
Casey Robertson 
  