I need a way to query DACL of the User Objects in AD

Posted on 2010-09-16
Last Modified: 2012-05-10
So bascially what I'd like to do is create a query.
That query will look at the DACL of all the user objects in my AD, for a specific account. (MIG)
If the user object does NOT have this specific account in the DACL return the DN/CN etc.

In other words, search AD to make sure that the MIG account is listed in the DACL. It would be better to make sure the MIG account has Full Control too and return user objects that it does not.

Server 2003 Native Domain. No preps above it
We've got Server 2008 R2 servers if PowerShell is needed.
I looked at Quest's software to solve this problem but I can't figure out the command I need to build that will examine the DACL.
  • 6
  • 2
LVL 17

Expert Comment

by:Tony Massa
Comment Utility
You can use ADFIND to search for a specific ACL on an object:

For example, this finds all objects that have FULL CONTROL over JSMITH
adfind -default -f samaccountname=jsmith -sc sdfilterns:FC

Open in new window

LVL 17

Expert Comment

by:Tony Massa
Comment Utility
To see the entire DACL, remove the trailing :FC

adfind -default -f samaccountname=jsmith -sc sdfilterns

Open in new window

LVL 17

Expert Comment

by:Tony Massa
Comment Utility
DSACLS example:

It will list permissions on an object.  I don't know of a way off-hand to query a specific permission.
DSACLS "CN=Joe Smith,OU=Finance,DC=domain,DC=com"

Open in new window


Author Comment

Comment Utility
Good examples tmassa99, but that's not what I'm looking for.
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

LVL 17

Accepted Solution

Tony Massa earned 500 total points
Comment Utility
It's not possible to query a DACL directly because it's not a format that you can do that.  It has to be decoded.  I've modified a script I found on the Internet that will export the users with full control over every user object in AD.  I've looked at a few objects and only the users with full control are listed.

Found Script here...made modifications to use ntSecurityDescriptor

Good luck.

Set objConnection = CreateObject("ADODB.Connection")

Set objCommand =   CreateObject("ADODB.Command")

objConnection.Provider = "ADsDSOObject"

objConnection.Open "Active Directory Provider"

Set objCommand.ActiveConnection = objConnection

sXLS = "c:\access-rights-export.xlsx"   'excel file must be created before script is ran

 Set objRootDSE = GetObject("LDAP://rootDSE")

 strDNSDomain = objRootDSE.Get("defaultNamingContext")

 'Set the ADO connection query strings

objCommand.Properties("Page Size") = 1000

objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 

 objCommand.Properties("Page Size") = 1000

 objCommand.Properties("Timeout") = 30

 objCommand.Properties("Cache Results") = False


objCommand.CommandText = _

    "SELECT * FROM 'LDAP://dc=domain,dc=com' WHERE objectCategory='user'"  

Set objRecordSet = objCommand.Execute

 Set objExcel = CreateObject("Excel.Application")

    objExcel.Application.DisplayAlerts = False

    objExcel.Visible = True

     'Set objWorkbook = objExcel.Workbooks.Open(sXLS)


        objExcel.Cells(1,1).Value = "Logon Name"

        objExcel.Cells(1,2).Value = "Display Name"

        objExcel.Cells(1,3).Value = "Email Address"

        objExcel.Cells(1,4).Value = "Full Control"

          xRow = 1

          yColumn = 1

       Do Until yColumn = 5

               objExcel.Cells(xRow,yColumn).Font.Bold = True

            objExcel.Cells(xRow,yColumn).Font.Size = 11

            objExcel.Cells(xRow,yColumn).Interior.ColorIndex = 11

            objExcel.Cells(xRow,yColumn).Interior.Pattern = 1

            objExcel.Cells(xRow,yColumn).Font.ColorIndex = 2

            objExcel.Cells(xRow,yColumn).Borders.LineStyle = 1

            objExcel.Cells(xRow,yColumn).WrapText = True

    yColumn = yColumn + 1


    x = 2

    y = 1

     If NOT objRecordSet.eof Then


          While Not objRecordset.EOF

            Set objUser = GetObject(objRecordSet.Fields("AdsPath").Value)

            y1 = y

                      objExcel.Cells(x,y1).Value = objUser.sAMAccountName

                      y1 = y1 + 1

                      objExcel.Cells(x,y1).Value = objUser.displayName

                y1 = y1 + 1

                      objExcel.Cells(x,y1).Value = objUser.mail

                y1 = y1 + 1

                    Set oSecurityDescriptor = objuser.Get("nTSecurityDescriptor")

                    Set dacl = oSecurityDescriptor.DiscretionaryAcl

                    Set ace = CreateObject("AccessControlEntry")

                      For Each ace In dacl

                        mystring = ace.Trustee

                        If (ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED) Then

                            x = x + 1

                          End If

                        End If


                      x = x + 1 'go to the next Row



     End If


 objExcel.Selection.HorizontalAlignment = 3     'center all data

 objExcel.Selection.Borders.LineStyle = 1     'apply borders

 objExcel.Columns("A:AH").EntireColumn.AutoFit  'autofit all columns


 set objExcel = Nothing

 Set objUser = Nothing

msgbox "Done!"


Open in new window

LVL 17

Expert Comment

by:Tony Massa
Comment Utility
LVL 65

Expert Comment

Comment Utility
Hi, to add to tmassa's code the ability to check a specific user, under this line:
                        mystring = ace.Trustee
You can add a check against that trustee name:
                        If UCase(mystring) = "YOURDOMAIN\MIG" Then



Author Comment

Comment Utility
When running tmassa's code I'm getting an error on line 73 char 25 expected statement. Debugging, but I can't see why the End If is causing that.
LVL 17

Expert Comment

by:Tony Massa
Comment Utility
That looks to be an extra END IF statement on line 72.  You can try commenting out that line.

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Active Directory replication delay is the cause to many problems.  Here is a super easy script to force Active Directory replication to all sites with by using an elevated PowerShell command prompt, and a tool to verify your changes.
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now