I need a way to query DACL of the User Objects in AD

Posted on 2010-09-16
Last Modified: 2012-05-10
So basically what I'd like to do is create a query.
That query will look at the DACL of all the user objects in my AD for a specific account (MIG).
If the user object does NOT have this specific account in the DACL, return the DN/CN etc.

In other words, search AD to make sure that the MIG account is listed in the DACL. It would be better to also make sure the MIG account has Full Control, and return the user objects where it does not.

Server 2003 native domain. No preps above it.
We've got Server 2008 R2 servers if PowerShell is needed.
I looked at Quest's software to solve this problem but I can't figure out the command I need to build that will examine the DACL.
Question by:MALCOLMPIRNIEIT
Expert Comment

by:Tony Massa
You can use ADFIND to search for a specific ACL on an object:

For example, this finds all objects that have FULL CONTROL over JSMITH
adfind -default -f samaccountname=jsmith -sc sdfilterns:FC

Expert Comment

by:Tony Massa
To see the entire DACL, remove the trailing :FC

ADFIND: http://joeware.net/freetools/tools/adfind/index.htm
adfind -default -f samaccountname=jsmith -sc sdfilterns

Expert Comment

by:Tony Massa
DSACLS example:

It will list permissions on an object.  I don't know of a way off-hand to query a specific permission.
DSACLS "CN=Joe Smith,OU=Finance,DC=domain,DC=com"

Author Comment

by:MALCOLMPIRNIEIT
Good examples tmassa99, but that's not what I'm looking for.
Accepted Solution

by:Tony Massa (earned 500 total points)
It's not possible to query a DACL directly because it's not stored in a format that allows that; it has to be decoded. I've modified a script I found on the Internet that will export the users with full control over every user object in AD. I've looked at a few objects and only the users with full control are listed.

Found the script here... made modifications to use nTSecurityDescriptor.

Good luck.
Const ADS_SCOPE_SUBTREE = 2
Const ADS_ACETYPE_ACCESS_ALLOWED = 0        ' was referenced but never declared
Const ADS_RIGHT_GENERIC_ALL = &H10000000    ' GENERIC_ALL bit as it can appear in a stored ACE
Const ADS_RIGHT_FULL_CONTROL = &HF01FF      ' all standard + DS-specific rights ("Full Control" in the ACL editor)

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

sXLS = "c:\access-rights-export.xlsx"   'excel file must be created before the script is run

' Read the domain DN from rootDSE so the script works in any domain without editing
Set objRootDSE = GetObject("LDAP://rootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

'Set the ADO connection query strings
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False

' objectCategory=person plus objectClass=user returns user accounts only (not contacts or computers)
objCommand.CommandText = _
    "SELECT ADsPath FROM 'LDAP://" & strDNSDomain & "' WHERE objectCategory='person' AND objectClass='user'"
Set objRecordSet = objCommand.Execute

Set objExcel = CreateObject("Excel.Application")
objExcel.Application.DisplayAlerts = False
objExcel.Visible = True

'Set objWorkbook = objExcel.Workbooks.Open(sXLS)
objExcel.Workbooks.Add

objExcel.Cells(1,1).Value = "Logon Name"
objExcel.Cells(1,2).Value = "Display Name"
objExcel.Cells(1,3).Value = "Email Address"
objExcel.Cells(1,4).Value = "Full Control"

' Format the header row
For yColumn = 1 To 4
    With objExcel.Cells(1, yColumn)
        .Font.Bold = True
        .Font.Size = 11
        .Interior.ColorIndex = 11
        .Interior.Pattern = 1
        .Font.ColorIndex = 2
        .Borders.LineStyle = 1
        .WrapText = True
    End With
Next

x = 2

If Not objRecordSet.EOF Then
    objRecordSet.MoveFirst
    While Not objRecordSet.EOF
        Set objUser = GetObject(objRecordSet.Fields("ADsPath").Value)
        objExcel.Cells(x, 1).Value = objUser.sAMAccountName
        objExcel.Cells(x, 2).Value = objUser.displayName
        objExcel.Cells(x, 3).Value = objUser.mail

        ' nTSecurityDescriptor comes back as an IADsSecurityDescriptor; its DACL is an
        ' IADsAccessControlList whose IADsAccessControlEntry members can be enumerated directly
        Set oSecurityDescriptor = objUser.Get("nTSecurityDescriptor")
        Set dacl = oSecurityDescriptor.DiscretionaryAcl

        blnFound = False
        For Each ace In dacl
            ' Only a plain ACCESS_ALLOWED ACE can carry Full Control over the whole object;
            ' object-specific ACEs grant a single property set or extended right
            If ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED Then
                If (ace.AccessMask And ADS_RIGHT_FULL_CONTROL) = ADS_RIGHT_FULL_CONTROL _
                   Or (ace.AccessMask And ADS_RIGHT_GENERIC_ALL) = ADS_RIGHT_GENERIC_ALL Then
                    ' one row per trustee; the user columns are filled on the first row only
                    If blnFound Then x = x + 1
                    objExcel.Cells(x, 4).Value = ace.Trustee
                    blnFound = True
                End If
            End If
        Next
        x = x + 1 'go to the next Row
        objRecordSet.MoveNext
    Wend
End If

objExcel.Columns("A:D").Select
objExcel.Selection.HorizontalAlignment = 3     'center all data
objExcel.Selection.Borders.LineStyle = 1       'apply borders
objExcel.Columns("A:D").EntireColumn.AutoFit   'autofit all columns

'objExcel.Quit

Set objExcel = Nothing
Set objUser = Nothing

MsgBox "Done!"
WScript.Quit

Expert Comment

by:RobSampson
Hi, to add to tmassa's code the ability to check a specific user, under this line:
                        mystring = ace.Trustee
You can add a check against that trustee name:
                        If UCase(mystring) = "YOURDOMAIN\MIG" Then

Regards,

Rob.
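A PowerShell version of the check the question asked for, added here as an example; it is not part of the original thread, the accepted script, or Rob's addition. It uses System.DirectoryServices rather than the ActiveDirectory module, so it runs as-is on the Server 2008 R2 boxes mentioned above against a 2003 domain. "DOMAIN\MIG" is an assumed trustee name and must be replaced with the real NetBIOS domain and account, otherwise the SID lookup at the top fails. Instead of exporting every trustee, it lists the user objects where the MIG account does not hold Full Control.

```powershell
# Added example, not from the original thread. Reports user objects whose DACL does
# not grant $Trustee Full Control. "DOMAIN\MIG" is an assumed name; replace it.
param(
    [string]$Trustee = "DOMAIN\MIG"
)

Add-Type -AssemblyName System.DirectoryServices

# Resolve the trustee once and compare ACEs by SID, so a renamed or untranslatable
# trustee never produces a false match on a display name.
$trusteeSid = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate(
                  [System.Security.Principal.SecurityIdentifier])

# .NET reports GENERIC_ALL as the expanded mask (0x000F01FF), so a bitwise test
# against GenericAll catches both the generic bit and an explicit full mask.
$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Test-TrusteeHasFullControl {
    param(
        [System.DirectoryServices.DirectoryEntry]$Entry,
        [System.Security.Principal.SecurityIdentifier]$Sid
    )
    # Include inherited ACEs: delegation is normally set on the OU and flows down.
    $rules = $Entry.ObjectSecurity.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($rule.IdentityReference.Value -ne $Sid.Value) { continue }
        # An ObjectType GUID scopes the ACE to one property set or extended right;
        # only an ACE with an empty ObjectType can be Full Control on the object.
        if ($rule.ObjectType -ne [Guid]::Empty) { continue }
        if (($rule.ActiveDirectoryRights -band $fullControl) -eq $fullControl) {
            return $true
        }
    }
    return $false
}

function Find-UsersMissingFullControl {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    $rootDse    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
    $searchBase = $rootDse.Properties["defaultNamingContext"].Value

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$searchBase")
    $searcher.Filter      = "(&(objectCategory=person)(objectClass=user))"
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 1000   # paged search, so the DC's MaxPageSize does not truncate results
    $null = $searcher.PropertiesToLoad.Add("distinguishedName")

    foreach ($result in $searcher.FindAll()) {
        $entry = $result.GetDirectoryEntry()
        if (-not (Test-TrusteeHasFullControl -Entry $entry -Sid $Sid)) {
            $entry.Properties["distinguishedName"].Value   # emit the DN of the non-compliant object
        }
    }
}

$missing = @(Find-UsersMissingFullControl -Sid $trusteeSid)
$missing
Write-Host ("{0} user object(s) do not grant Full Control to {1}" -f $missing.Count, $Trustee)
```

Two caveats when reading the output. The check matches ACEs on the trustee's own SID, so if MIG receives its rights through group membership you need to test the group's name instead (or expand the membership). It also ignores Deny ACEs, so it answers "is Full Control granted", not "what is MIG's effective access".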
Author Comment

by:MALCOLMPIRNIEIT
When running tmassa's code I'm getting an error on line 73 char 25 expected statement. Debugging, but I can't see why the End If is causing that.
Expert Comment

by:Tony Massa
That looks to be an extra END IF statement on line 72.  You can try commenting out that line.