Well actually ADFIND can do this. It just may not be as
clean as you may like. It will dump out the SDDL of the mailbox security
descriptor. The SDDL will have either a code for a well-known security principal,
like DA=Domain Admins and WD=Everyone (World), or, for any non-well-knowns, the
SID. For instance, here is a dump of a user object from my test domain
(note that each attribute - lines starting with > - would be one line in the
output; you will probably see it wrap...).
[Thu 04/14/2005 19:40:59.62]
F:\DEV\cpp\SecTok>adfind -default -f [EMAIL PROTECTED] -sddl msexchmailboxsecuritydescriptor

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joe,OU=MailUsers,OU=joeware2,OU=Exchange,DC=joe,DC=com
>msExchMailboxSecurityDescriptor: [SDDL] O:S-1-5-21-1862701446-4008382571-2198042679-1111G:S-1-5-21-1862701446-4008382571-2198042679-1111D:AI(A;CI;CCDCRC;;;PS)(D;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(D;CIID;CC;;;DA)(D;CIID;CC;;;EA)(D;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1111)(A;CIID;CCSDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1672)(A;CIID;SDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(A;CIID;RC;;;WD)(A;CIID;RC;;;AN)(A;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(A;CIID;CCSDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1111)(A;CIID;CCSDRCWDWO;;;EA)(A;CIID;CCSDRCWDWO;;;DA)
>msExchMailboxSecurityDescriptor: [OWNER] O:S-1-5-21-1862701446-4008382571-2198042679-1111
>msExchMailboxSecurityDescriptor: [GROUP] G:S-1-5-21-1862701446-4008382571-2198042679-1111
>msExchMailboxSecurityDescriptor: [DACL] D:AI(A;CI;CCDCRC;;;PS)(D;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(D;CIID;CC;;;DA)(D;CIID;CC;;;EA)(D;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1111)(A;CIID;CCSDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1672)(A;CIID;SDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(A;CIID;RC;;;WD)(A;CIID;RC;;;AN)(A;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(A;CIID;CCSDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1111)(A;CIID;CCSDRCWDWO;;;EA)(A;CIID;CCSDRCWDWO;;;DA)
>msExchMailboxSecurityDescriptor: [SACL] Not specified in SD or insufficient rights

1 Objects returned

[Thu 04/14/2005 19:41:05.93]
Now it has always been in the reading that I have done
that only explicit ACEs are listed in that attribute; however, I am not finding
that to be true now that I can enumerate it directly.
The above cleans up to be
(A;CI;CCDCRC;;;PS)
(D;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1673)
(D;CIID;CC;;;DA)
(D;CIID;CC;;;EA)
(D;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1111)
(A;CIID;CCSDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1672)
(A;CIID;SDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1673)
(A;CIID;RC;;;WD)
(A;CIID;RC;;;AN)
(A;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1673)
(A;CIID;CCSDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1111)
(A;CIID;CCSDRCWDWO;;;EA)
(A;CIID;CCSDRCWDWO;;;DA)
for the DACL (just grab the one line that says
"msExchMailboxSecurityDescriptor: [DACL]"). You can clearly see that inherited
ACEs are definitely in the data being returned.
For more info on SDDL see
joe
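Added example (Python, not AdFind's own code): a small parser for the [DACL] string from the dump above that splits it into ACEs, expands the well-known two-letter trustees (PS, DA, EA, WD, AN), marks the ACEs carrying the ID (inherited) flag, and lists the raw SIDs so they can be pasted straight into psgetsid. The alias and flag tables are the standard SDDL abbreviations; the rights field is left as-is.

```python
import re

# Added example, not AdFind code: split a DACL string into ACEs, expand the
# well-known trustee abbreviations, and pull out the raw SIDs for lookup.
WELL_KNOWN = {  # standard SDDL two-letter trustee aliases
    "DA": "Domain Admins", "EA": "Enterprise Admins", "WD": "Everyone",
    "AN": "Anonymous Logon", "PS": "Principal Self", "BA": "Builtin Administrators",
    "SY": "Local System", "AU": "Authenticated Users",
}
ACE_TYPES = {"A": "Allow", "D": "Deny"}
ACE_FLAGS = {"CI": "container-inherit", "OI": "object-inherit", "ID": "inherited",
             "NP": "no-propagate", "IO": "inherit-only"}
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def parse_dacl(sddl):
    """Parse 'D:<control>(ace)(ace)...' into one dict per ACE."""
    body = sddl[2:] if sddl.startswith("D:") else sddl
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", body):
        # SDDL ACE fields: type;flags;rights;object_guid;inherit_object_guid;trustee
        ace_type, flags, rights, _obj_guid, _inherit_guid, trustee = ace.split(";")
        flag_list = [flags[i:i + 2] for i in range(0, len(flags), 2)]
        aces.append({
            "type": ACE_TYPES.get(ace_type, ace_type),
            "flags": [ACE_FLAGS.get(f, f) for f in flag_list],
            "inherited": "ID" in flag_list,  # the inherited ACEs joe points out
            "rights": rights,
            "trustee": trustee,
            "trustee_name": WELL_KNOWN.get(trustee, trustee),
            "is_sid": bool(SID_RE.match(trustee)),
        })
    return aces

def unresolved_sids(aces):
    """Unique raw SIDs in first-seen order, ready to paste into psgetsid."""
    seen = []
    for ace in aces:
        if ace["is_sid"] and ace["trustee"] not in seen:
            seen.append(ace["trustee"])
    return seen

# The [DACL] line from the adfind dump above (domain SID prefix factored out).
DOM = "S-1-5-21-1862701446-4008382571-2198042679"
DACL = ("D:AI(A;CI;CCDCRC;;;PS)(D;CIID;CC;;;%s-1673)(D;CIID;CC;;;DA)(D;CIID;CC;;;EA)"
        "(D;CIID;CC;;;%s-1111)(A;CIID;CCSDRCWDWO;;;%s-1672)(A;CIID;SDRCWDWO;;;%s-1673)"
        "(A;CIID;RC;;;WD)(A;CIID;RC;;;AN)(A;CIID;CC;;;%s-1673)(A;CIID;CCSDRCWDWO;;;%s-1111)"
        "(A;CIID;CCSDRCWDWO;;;EA)(A;CIID;CCSDRCWDWO;;;DA)") % ((DOM,) * 6)

if __name__ == "__main__":
    for ace in parse_dacl(DACL):
        tag = "inherited" if ace["inherited"] else "explicit "
        print("%s %-5s %-11s %s" % (tag, ace["type"], ace["rights"], ace["trustee_name"]))
    print("SIDs to resolve:", ", ".join(unresolved_sids(parse_dacl(DACL))))
```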
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Thursday, April 07, 2005 11:45 AM
To: [email protected]
Subject: RE: [ActiveDir] Export Security & Mailbox Rights members

Is there an option for this in adfind?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon

I have an account that has a few unknown SIDs under the Security Tab & Mailbox Rights. I can use
psgetsid to get the names of these unknown SIDs, but I want to output these so I
can copy and paste the SIDs. Is there any way to do this?
