RE: [ActiveDir] AD Security Auditing

2007-01-28 Thread joe
 Operators
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
 
dn:CN=NTDS Quotas,DC=test,DC=loc
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;BUILTIN\Administrators
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CTL];Query Self Quota;;Everyone
nTSecurityDescriptor: [SACL] AUDIT;[CONT INHERIT][SUCCESS];[CR CHILD][DEL CHILD][SELF WRT][WRT PROP][DEL TREE][CTL][DEL][WRT PERMS][WRT OWNER];;;Everyone
 
dn:CN=Program Data,DC=test,DC=loc
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
 
dn:CN=System,DC=test,DC=loc
nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT OWNER];;;TEST\Domain Admins
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
 
dn:OU=TestOU,DC=test,DC=loc
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];inetOrgPerson;;BUILTIN\Account Operators
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];computer;;BUILTIN\Account Operators
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];group;;BUILTIN\Account Operators
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];printQueue;;BUILTIN\Print Operators
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];user;;BUILTIN\Account Operators
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
 
dn:CN=Users,DC=test,DC=loc
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
nTSecurityDescriptor: [DACL] ALLOW;;[CR CHILD][DEL CHILD][LIST CHILDREN][SELF WRT][READ PROP][WRT PROP][LIST OBJ][CTL][READ][WRT PERMS][WRT OWNER];;;TEST\Domain Admins
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];user;;BUILTIN\Account Operators
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];group;;BUILTIN\Account Operators
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];printQueue;;BUILTIN\Print Operators
nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];inetOrgPerson;;BUILTIN\Account Operators
 

12 Objects returned

And of course again that could be output into CSV for further script
processing or Excel/Access use. The next thing that I would generally do
with this would be to put it through a script that will validate the
explicit ACEs against the default SD for the object type and alert you to
deltas there.
 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
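The delta check joe describes above (explicit ACEs validated against the default SD for the object type), written out as an added example that is not code from the thread or from AdFind. It parses the -sddc++ line shape shown above (type;flags;rights;object type;inherited object type;trustee) and diffs each OU's DACL against a baseline; the sample dump, the TEST\Helpdesk grant and the OU_BASELINE set are constructed, and in a real run the baseline would be built from the organizationalUnit class's defaultSecurityDescriptor in the schema.

```python
import re

# Constructed sample in the shape of AdFind -sddc++ output (not the data posted in the thread).
SAMPLE_DUMP = r"""
dn:OU=TestOU,DC=test,DC=loc
nTSecurityDescriptor: [DACL] OBJ ALLOW;;[CR CHILD][DEL CHILD];user;;BUILTIN\Account Operators
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Domain Admins
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;TEST\Helpdesk
nTSecurityDescriptor: [DACL] ALLOW;;[LIST CHILDREN][READ PROP][LIST OBJ][READ];;;NT AUTHORITY\Authenticated Users
nTSecurityDescriptor: [DACL] ALLOW;;[FC];;;NT AUTHORITY\SYSTEM
nTSecurityDescriptor: [SACL] AUDIT;[CONT INHERIT][SUCCESS];[WRT PERMS][WRT OWNER];;;Everyone

1 Objects returned
"""
ACE_RE = re.compile(r"^nTSecurityDescriptor: \[(DACL|SACL)\] (.*)$")

def parse_sddc(text):
    """Map each dn to its ACEs; an ACE reads type;flags;rights;object type;inherited object type;trustee."""
    objects, dn = {}, None
    for line in text.splitlines():
        if line.startswith("dn:"):
            objects.setdefault(dn := line[3:].strip(), [])
            continue
        m = ACE_RE.match(line)
        if not m or dn is None:
            continue  # blank lines and the "N Objects returned" footer
        acl, body = m.groups()
        ace_type, flags, rights, obj_type, _inherited_type, trustee = body.split(";", 5)
        objects[dn].append({"acl": acl, "type": ace_type, "flags": flags,
                            "rights": tuple(re.findall(r"\[([^\]]+)\]", rights)),
                            "object_type": obj_type, "trustee": trustee})
    return objects

# Hypothetical OU baseline as (type, trustee, object type, rights); derive it from defaultSecurityDescriptor in practice.
OU_BASELINE = {
    ("ALLOW", r"TEST\Domain Admins", "", ("FC",)),
    ("ALLOW", r"NT AUTHORITY\SYSTEM", "", ("FC",)),
    ("ALLOW", r"NT AUTHORITY\Authenticated Users", "", ("LIST CHILDREN", "READ PROP", "LIST OBJ", "READ")),
    ("ALLOW", r"NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS", "", ("LIST CHILDREN", "READ PROP", "LIST OBJ", "READ")),
    ("OBJ ALLOW", r"BUILTIN\Account Operators", "user", ("CR CHILD", "DEL CHILD")),
}

def dacl_deltas(aces, baseline):
    """Return (unexpected, missing): DACL ACEs not in the baseline, and baseline ACEs the object lacks."""
    present = {(a["type"], a["trustee"], a["object_type"], a["rights"]) for a in aces if a["acl"] == "DACL"}
    return sorted(present - baseline), sorted(baseline - present)

def audit_ous(text, baseline=OU_BASELINE):
    """Deltas per OU; the dump carries no objectClass, so the RDN prefix selects which objects get this baseline."""
    return {dn: dacl_deltas(aces, baseline)
            for dn, aces in parse_sddc(text).items() if dn.upper().startswith("OU=")}
```

Unexpected entries are the grants to review (here the constructed TEST\Helpdesk Full Control), missing entries are defaults someone removed.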
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, January 25, 2007 5:21 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD Security Auditing



AdFind.exe -sddc++ -b DC=example,DC=com -resolvesids -f "|(objectcategory=container)(objectcategory=organizationalUnit)" > OU_ACL.txt


Thanks, 
Andrew Fidel 




Casey Robertson [EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED] 


01/23/2007 05:41 PM 


Please respond to
ActiveDir@mail.activedir.org



To
ActiveDir@mail.activedir.org 

cc

Subject
[ActiveDir] AD Security Auditing






We are embarking on a project to clean up our OU structure and reassign
permissions that have grown unmanageable over time.  To accomplish this it
would be nice to be able to dump permissions on all OU objects and
individual object types (users, computers, etc.) so that we can determine who
has rights to what.  The prospect of doing this manually is daunting at best
and for the most part I have only seen 3rd-party tools (read: expensive)
that do this in an easy-to-use fashion.
  
Any suggestions for tools, scripts etc would be appreciated.  Either that or
we can rebuild our OU structure :-) 
  
Casey Robertson 
  



Re: [ActiveDir] AD Security Auditing

2007-01-25 Thread AFidel
AdFind.exe -sddc++ -b DC=example,DC=com -resolvesids -f "|(objectcategory=container)(objectcategory=organizationalUnit)" > OU_ACL.txt

Thanks,
Andrew Fidel




Casey Robertson [EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED]
01/23/2007 05:41 PM
Please respond to
ActiveDir@mail.activedir.org


To
ActiveDir@mail.activedir.org
cc

Subject
[ActiveDir] AD Security Auditing






We are embarking on a project to clean up our OU structure and reassign 
permissions that have grown unmanageable over time.  To accomplish this it 
would be nice to be able to dump permissions on all OU objects and 
individual object types (users, computers, etc.) so that we can determine 
who has rights to what.  The prospect of doing this manually is daunting 
at best and for the most part I have only seen 3rd-party tools (read: 
expensive) that do this in an easy-to-use fashion.
 
Any suggestions for tools, scripts etc. would be appreciated.  Either that 
or we can rebuild our OU structure :-)
 
Casey Robertson
 


RE: [ActiveDir] AD Security Auditing

2007-01-23 Thread Akomolafe, Deji
Sometimes, rebuilding OUs is not a Bad Idea :)

Try DSacls or something GUI-sh from Netpro and co.


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon



From: Casey Robertson
Sent: Tue 1/23/2007 2:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Security Auditing


We are embarking on a project to clean up our OU structure and reassign 
permissions that have grown unmanageable over time.  To accomplish this it 
would be nice to be able to dump permissions on all OU objects and individual 
object types (users, computers, etc.) so that we can determine who has rights to 
what.  The prospect of doing this manually is daunting at best and for the most 
part I have only seen 3rd-party tools (read: expensive) that do this in an easy-
to-use fashion.
 
Any suggestions for tools, scripts etc. would be appreciated.  Either that or we 
can rebuild our OU structure :-)
 
Casey Robertson
 


RE: [ActiveDir] AD Security Auditing

2007-01-23 Thread Almeida Pinto, Jorge de
Hi,
 
Have a look at:
* http://www.kouti.com/adreport/ (not free)
* ACLReport.vbs v1.01 (free - http://www.kouti.com/scripts.htm)
 
ACLReport.vbs v1.01
This script creates an HTML file named ACLReport.htm, that contains all the 
ACLs of a given Active Directory tree. By modifying three lines in the 
beginning of the script, you can choose:
- Only OUs or all objects
- Only normal-view objects or also advanced-view objects
- Whether to display all ACEs or only non-inherited
 
Regards
Jorge
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Casey Robertson
Sent: Tue 2007-01-23 23:33
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Security Auditing



We are embarking on a project to clean up our OU structure and reassign 
permissions that have grown unmanageable over time.  To accomplish this it 
would be nice to be able to dump permissions on all OU objects and individual 
object types (users, computers, etc.) so that we can determine who has rights to 
what.  The prospect of doing this manually is daunting at best and for the most 
part I have only seen 3rd-party tools (read: expensive) that do this in an easy-
to-use fashion.

 

Any suggestions for tools, scripts etc. would be appreciated.  Either that or we 
can rebuild our OU structure :-)

 

Casey Robertson

 



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.