I haven't used the switches yet, but looks like this is the RAW option for
reading and setting ACLs in AD: SDDL stands for "Security Descriptor
Definition Language" and is the way the ACLs are stored in AD. You'll have
to be rather careful changing the SDDL manually (i.e. not setting the ACLs
via a GUI or API) as you'll be able to store them in a non-canonical order
(wrong allow/deny order for the processing of the ACLs). If you do so, AD
will still work fine, but you won't be able to change the ACLs via the GUI
without resetting them. You can view the SDDL version of ACLs of any object
via LDP (right click - Advanced - Security Descriptor).
An example of SDDL is the following (default security descriptor of a user
object):
D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;AU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)
This translates to:

SDDL Format                                            Readable GUI Format
(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)                   Allow Domain Admins Full Control
(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)                   Allow System Full Control
(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)                   Allow Account Operators Full Control
(A;;RPLCLORC;;;PS)                                     Allow SELF Read
(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)      Allow SELF Change Password
(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)      Allow SELF Send As
(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)      Allow SELF Receive As
(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)    Allow SELF Read/Write Personal Information
(OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)    Allow SELF Read/Write Phone and Mail Options
(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)    Allow SELF Read/Write Web Information
(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)      Allow RAS and IAS Servers Read Remote Access Information
(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)      Allow RAS and IAS Servers Read Account Restrictions
(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)      Allow RAS and IAS Servers Read Group Membership
(A;;RC;;;AU)                                           Allow Authenticated Users Read Permissions
(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)      Allow Authenticated Users General Information
(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)      Allow Authenticated Users Read Personal Information
(OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)      Allow Authenticated Users Read Web Information
(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)      Allow Authenticated Users Read Public Information
(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)      Allow Everyone Change Password
(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)      Allow RAS and IAS Servers Read Logon Information
(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)    Allow Cert Publishers Read/Write Property (userCertificate)
/Guido
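The canonical-order problem Guido describes (a hand-written SDDL that stores an allow ACE ahead of a deny, or an explicit ACE after an inherited one) is easy to screen for before handing a string to /setsddl. The following Python is an added example, not code from the message or from DSACLS: it parses the DACL portion of an SDDL string into its ACEs and checks the stored order against the canonical rule (explicit ACEs first, and among them deny before allow). The default user descriptor quoted above is used as one input; the second input is a constructed non-canonical string.

```python
import re

# DACL of the default user-object security descriptor quoted in the message above.
DEFAULT_USER_SDDL = "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-a768-00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;AU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)"
# Constructed example (not from the message): an allow ACE stored ahead of an
# explicit deny ACE, the non-canonical order a hand-edited SDDL can introduce.
NONCANONICAL_SDDL = "D:(A;;RPLCLORC;;;PS)(D;;WP;;;PS)(A;;RC;;;AU)"

ACE_RE = re.compile(r"\(([^()]*)\)")
DENY_TYPES = {"D", "OD", "XD"}
ALLOW_TYPES = {"A", "OA", "XA"}

def pairs(s):
    """Split a run of two-letter SDDL tokens ("RPWPCR" -> ["RP", "WP", "CR"])."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as a list of dicts, in stored order."""
    start = sddl.find("D:")
    if start < 0:
        return []
    body = sddl[start + 2:]
    sacl = body.find("S:")  # ACE bodies never contain ':', so this marks the SACL
    if sacl >= 0:
        body = body[:sacl]
    aces = []
    for text in ACE_RE.findall(body):
        ace_type, flags, rights, obj, inh, trustee = text.split(";")
        aces.append({"type": ace_type, "flags": pairs(flags),
                     "rights": [rights] if rights.startswith("0x") else pairs(rights),
                     "object": obj, "inherit_object": inh, "trustee": trustee})
    return aces

def is_canonical(aces):
    """Canonical DACL order: explicit ACEs before inherited (ID) ones, and among the
    explicit ACEs every deny before any allow. Inherited ACEs are grouped by the
    level they came from, which SDDL alone does not show, so they are not re-checked."""
    seen_inherited = seen_explicit_allow = False
    for ace in aces:
        if "ID" in ace["flags"]:
            seen_inherited = True
            continue
        if seen_inherited:
            return False  # explicit ACE stored after an inherited one
        if ace["type"] in ALLOW_TYPES:
            seen_explicit_allow = True
        elif ace["type"] in DENY_TYPES and seen_explicit_allow:
            return False  # deny stored after an allow
    return True
```

Running is_canonical(parse_dacl(...)) over a descriptor before /setsddl catches the ordering mistake that would otherwise leave the GUI unable to edit the ACL.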
-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Samstag, 8. Februar 2003 01:13
To: [EMAIL PROTECTED]
Subject: [ActiveDir] DSAcls /getsddl /setsddl
If anyone has noticed, there are two options on DSACLS - one /getsddl and the
other /setsddl.
1. Has anyone used these?
2. What do they do?
I have a high suspicion, but I've run out of time on using it for the current
project. But, if they do what I think, I'd like to use them on the next
project.
Can anyone get them to work, as I can find no documentation on these
switches at all.
Thanks in advance! (If I don't get an answer over the next two days, I'll
ask the folks in Redmond personally next week while I'm there. One
way or the other - I'm getting an answer! ;o) )
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/