Operators
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
dn:CN=NTDS Quotas,DC=test,DC=loc
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;BUILTIN\Administrators
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Query Self Quota;;Everyone
nTSecurityDescriptor: [SACL] AUDIT;[CONT INHERIT][SUCCESS];[CR CHILD][DEL CHILD][SELF WRT][WRT PROP][DEL TREE][CTL][DEL][WRT PERMS][WRT OWNER];;;Everyone
dn:CN=Program Data,DC=test,DC=loc
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
dn:CN=System,DC=test,DC=loc
nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT OWNER];;;TEST\Domain Admins
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
dn:OU=TestOU,DC=test,DC=loc
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];inetOrgPerson;;BUILTIN\Account Operators
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];computer;;BUILTIN\Account Operators
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];group;;BUILTIN\Account Operators
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];printQueue;;BUILTIN\Print Operators
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];user;;BUILTIN\Account Operators
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
dn:CN=Users,DC=test,DC=loc
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][DEL CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT OWNER];;;TEST\Domain Admins
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];user;;BUILTIN\Account Operators
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];group;;BUILTIN\Account Operators
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];printQueue;;BUILTIN\Print Operators
nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];inetOrgPerson;;BUILTIN\Account Operators
12 Objects returned
And of course again that could be output into CSV for further script
processing or Excel/Access use. The next thing that I would generally do
with this would be to put it through a script that will validate the
explicit ACEs against the default SD for the object type and alert you to
deltas there.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
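The follow-up step joe describes (checking each object's explicit ACEs against a baseline for its object type and reporting the deltas), as an added example that is not code from the thread or from AdFind: it parses the -sddc++ -resolvesids notation shown above, one value per line, and reports ACEs that are extra or missing relative to a per-class baseline. The sample dump, the TEST\Helpdesk trustee and the baseline sets are constructed for the example; picking the class from the leading RDN is an assumption that only holds for a dump restricted to OUs and containers.

```python
import re
from collections import namedtuple

Ace = namedtuple("Ace", "acl kind flags rights obj_type inh_type trustee")
BRACKETED = re.compile(r"\[([^\]]+)\]")   # tokens such as [CR CHILD] in the flags/rights fields

def parse_ace(value):
    """Parse one -sddc++ value, e.g. '[DACL] OBJ ALLOW;;[CR CHILD];user;;BUILTIN\\Account Operators'."""
    head, flags, rights, obj_type, inh_type, trustee = value.split(";", 5)
    acl, kind = head.split(" ", 1)          # '[DACL]', 'OBJ ALLOW'
    return Ace(acl.strip("[]"), kind, frozenset(BRACKETED.findall(flags)),
               frozenset(BRACKETED.findall(rights)), obj_type, inh_type, trustee)

def parse_dump(text):
    """Group the nTSecurityDescriptor values under their preceding 'dn:' line."""
    objects, dn = {}, None
    for line in text.splitlines():
        if line.startswith("dn:"):
            dn = line[3:].strip()
            objects[dn] = set()
        elif line.startswith("nTSecurityDescriptor:") and dn:
            objects[dn].add(parse_ace(line.split(":", 1)[1].strip()))
    return objects

def find_deltas(objects, baseline):
    """Return {dn: (ACEs not in the baseline, baseline ACEs that are absent)}."""
    deltas = {}
    for dn, aces in objects.items():
        # Assumption: only OUs and containers were dumped (the thread's filter),
        # so the leading RDN attribute is enough to choose the baseline.
        cls = "organizationalUnit" if dn.upper().startswith("OU=") else "container"
        expected = {parse_ace(v) for v in baseline[cls]}
        extra, missing = aces - expected, expected - aces
        if extra or missing:
            deltas[dn] = (extra, missing)
    return deltas
# Constructed sample dump in the notation -sddc++ -resolvesids writes, one value per line.
SAMPLE = r"""dn:OU=TestOU,DC=test,DC=loc
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];user;;BUILTIN\Account Operators
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Helpdesk
dn:CN=Users,DC=test,DC=loc
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
"""
BASELINE = {  # constructed; in practice derive it from the schema's defaultSecurityDescriptor
    "organizationalUnit": [r"[DACL] ALLOW;;[FC];;;TEST\Domain Admins",
                           r"[DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];user;;BUILTIN\Account Operators",
                           r"[DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM"],
    "container": [r"[DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM"],
}
```

Run against the constructed sample, find_deltas reports OU=TestOU with an extra full-control ACE for TEST\Helpdesk and a missing one for NT AUTHORITY\SYSTEM, and nothing for CN=Users.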
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 25, 2007 5:21 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD Security Auditing
AdFind.exe -sddc++ -b DC=example,DC=com -resolvesids -f "(|(objectcategory=container)(objectcategory=organizationalUnit))" > OU_ACL.txt
Thanks,
Andrew Fidel
Casey Robertson [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
01/23/2007 05:41 PM
Please respond to: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] AD Security Auditing
We are embarking on a project to clean up our OU structure and reassign
permissions that have grown unmanageable over time. To accomplish this it
would be nice to be able to dump permissions on all OU objects and
individual object types (users, computers, etc.) so that we can determine who
has rights to what. The prospect of doing this manually is daunting at best,
and for the most part I have only seen 3rd-party tools (read: expensive)
that do this in an easy-to-use fashion.
Any suggestions for tools, scripts, etc. would be appreciated. Either that or
we can rebuild our OU structure :-)
Casey Robertson