Improve company productivity with a Business Account.Sign Up

x
?
Solved

I need a way to query DACL of the User Objects in AD

Posted on 2010-09-16
9
Medium Priority
?
998 Views
Last Modified: 2012-05-10
So bascially what I'd like to do is create a query.
That query will look at the DACL of all the user objects in my AD, for a specific account. (MIG)
If the user object does NOT have this specific account in the DACL return the DN/CN etc.

In other words, search AD to make sure that the MIG account is listed in the DACL. It would be better to make sure the MIG account has Full Control too and return user objects that it does not.

Server 2003 Native Domain. No preps above it
We've got Server 2008 R2 servers if PowerShell is needed.
I looked at Quest's software to solve this problem but I can't figure out the command I need to build that will examine the DACL.
0
Comment
Question by:MALCOLMPIRNIEIT
  • 6
  • 2
9 Comments
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33695525
You can use ADFIND to search for a specific ACL on an object:

For example, this finds all objects that have FULL CONTROL over JSMITH
adfind -default -f samaccountname=jsmith -sc sdfilterns:FC

Open in new window

0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33695560
To see the entire DACL, remove the trailing :FC

ADFIND: http://joeware.net/freetools/tools/adfind/index.htm
adfind -default -f samaccountname=jsmith -sc sdfilterns

Open in new window

0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33695655
DSACLS example:

It will list permissions on an object.  I don't know of a way off-hand to query a specific permission.
DSACLS "CN=Joe Smith,OU=Finance,DC=domain,DC=com"

Open in new window

0
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

 

Author Comment

by:MALCOLMPIRNIEIT
ID: 33696821
Good examples tmassa99, but that's not what I'm looking for.
0
 
LVL 17

Accepted Solution

by:
Tony Massa earned 2000 total points
ID: 33697208
It's not possible to query a DACL directly because it's not a format that you can do that.  It has to be decoded.  I've modified a script I found on the Internet that will export the users with full control over every user object in AD.  I've looked at a few objects and only the users with full control are listed.

Found Script here...made modifications to use ntSecurityDescriptor

Good luck.
Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

sXLS = "c:\access-rights-export.xlsx"   'excel file must be created before script is ran

 Set objRootDSE = GetObject("LDAP://rootDSE")
 strDNSDomain = objRootDSE.Get("defaultNamingContext")

 'Set the ADO connection query strings
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 
 objCommand.Properties("Page Size") = 1000
 objCommand.Properties("Timeout") = 30
 objCommand.Properties("Cache Results") = False
 
objCommand.CommandText = _
    "SELECT * FROM 'LDAP://dc=domain,dc=com' WHERE objectCategory='user'"  
Set objRecordSet = objCommand.Execute

 Set objExcel = CreateObject("Excel.Application")
    objExcel.Application.DisplayAlerts = False
    objExcel.Visible = True

     'Set objWorkbook = objExcel.Workbooks.Open(sXLS)
        objExcel.Workbooks.Add

        objExcel.Cells(1,1).Value = "Logon Name"
        objExcel.Cells(1,2).Value = "Display Name"
        objExcel.Cells(1,3).Value = "Email Address"
        objExcel.Cells(1,4).Value = "Full Control"

          xRow = 1
          yColumn = 1

       Do Until yColumn = 5
               objExcel.Cells(xRow,yColumn).Font.Bold = True
            objExcel.Cells(xRow,yColumn).Font.Size = 11
            objExcel.Cells(xRow,yColumn).Interior.ColorIndex = 11
            objExcel.Cells(xRow,yColumn).Interior.Pattern = 1
            objExcel.Cells(xRow,yColumn).Font.ColorIndex = 2
            objExcel.Cells(xRow,yColumn).Borders.LineStyle = 1
            objExcel.Cells(xRow,yColumn).WrapText = True
    yColumn = yColumn + 1
          Loop

    x = 2
    y = 1

     If NOT objRecordSet.eof Then
        objRecordSet.MoveFirst
          While Not objRecordset.EOF
            Set objUser = GetObject(objRecordSet.Fields("AdsPath").Value)
            y1 = y
                      objExcel.Cells(x,y1).Value = objUser.sAMAccountName
                      y1 = y1 + 1
                      objExcel.Cells(x,y1).Value = objUser.displayName
                y1 = y1 + 1
                      objExcel.Cells(x,y1).Value = objUser.mail
                y1 = y1 + 1
                    Set oSecurityDescriptor = objuser.Get("nTSecurityDescriptor")
                    Set dacl = oSecurityDescriptor.DiscretionaryAcl
                    Set ace = CreateObject("AccessControlEntry")
                      For Each ace In dacl
                        mystring = ace.Trustee
                        If (ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED) Then
                            x = x + 1
                          End If
                        End If
                      Next
                      x = x + 1 'go to the next Row
              objRecordSet.MoveNext
          Wend
     End If

 objExcel.Columns("A:D").Select
 objExcel.Selection.HorizontalAlignment = 3     'center all data
 objExcel.Selection.Borders.LineStyle = 1     'apply borders
 objExcel.Columns("A:AH").EntireColumn.AutoFit  'autofit all columns

 'objExcel.Quit

 set objExcel = Nothing
 Set objUser = Nothing

msgbox "Done!"
WScript.Quit

Open in new window

0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33697212
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 33697427
Hi, to add to tmassa's code the ability to check a specific user, under this line:
                        mystring = ace.Trustee
You can add a check against that trustee name:
                        If UCase(mystring) = "YOURDOMAIN\MIG" Then

Regards,

Rob.
0
 

Author Comment

by:MALCOLMPIRNIEIT
ID: 33726367
When running tmassa's code I'm getting an error on line 73 char 25 expected statement. Debugging, but I can't see why the End If is causing that.
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 34011857
That looks to be an extra END IF statement on line 72.  You can try commenting out that line.
0

Featured Post

What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

The PowerShell Core 6.0 of .NET release is just the beginning. The upcoming PowerShell Core 6.1 would have artificial intelligence and internet of things capabilities. So many things to look forward to in the upcoming release.
In migration, Powershell can be a very crucial tool to achieve success and finalize projects within deadline or even fix issues. X500 or Legacy Exchange DN Attribute can cause lots of issue during the migration
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

579 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question