Solved

I need a way to query DACL of the User Objects in AD

Posted on 2010-09-16
9
946 Views
Last Modified: 2012-05-10
So bascially what I'd like to do is create a query.
That query will look at the DACL of all the user objects in my AD, for a specific account. (MIG)
If the user object does NOT have this specific account in the DACL return the DN/CN etc.

In other words, search AD to make sure that the MIG account is listed in the DACL. It would be better to make sure the MIG account has Full Control too and return user objects that it does not.

Server 2003 Native Domain. No preps above it
We've got Server 2008 R2 servers if PowerShell is needed.
I looked at Quest's software to solve this problem but I can't figure out the command I need to build that will examine the DACL.
0
Comment
Question by:MALCOLMPIRNIEIT
  • 6
  • 2
9 Comments
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33695525
You can use ADFIND to search for a specific ACL on an object:

For example, this finds all objects that have FULL CONTROL over JSMITH
adfind -default -f samaccountname=jsmith -sc sdfilterns:FC

Open in new window

0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33695560
To see the entire DACL, remove the trailing :FC

ADFIND: http://joeware.net/freetools/tools/adfind/index.htm
adfind -default -f samaccountname=jsmith -sc sdfilterns

Open in new window

0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33695655
DSACLS example:

It will list permissions on an object.  I don't know of a way off-hand to query a specific permission.
DSACLS "CN=Joe Smith,OU=Finance,DC=domain,DC=com"

Open in new window

0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 

Author Comment

by:MALCOLMPIRNIEIT
ID: 33696821
Good examples tmassa99, but that's not what I'm looking for.
0
 
LVL 17

Accepted Solution

by:
Tony Massa earned 500 total points
ID: 33697208
It's not possible to query a DACL directly because it's not a format that you can do that.  It has to be decoded.  I've modified a script I found on the Internet that will export the users with full control over every user object in AD.  I've looked at a few objects and only the users with full control are listed.

Found Script here...made modifications to use ntSecurityDescriptor

Good luck.
Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

sXLS = "c:\access-rights-export.xlsx"   'excel file must be created before script is ran

 Set objRootDSE = GetObject("LDAP://rootDSE")
 strDNSDomain = objRootDSE.Get("defaultNamingContext")

 'Set the ADO connection query strings
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 
 objCommand.Properties("Page Size") = 1000
 objCommand.Properties("Timeout") = 30
 objCommand.Properties("Cache Results") = False
 
objCommand.CommandText = _
    "SELECT * FROM 'LDAP://dc=domain,dc=com' WHERE objectCategory='user'"  
Set objRecordSet = objCommand.Execute

 Set objExcel = CreateObject("Excel.Application")
    objExcel.Application.DisplayAlerts = False
    objExcel.Visible = True

     'Set objWorkbook = objExcel.Workbooks.Open(sXLS)
        objExcel.Workbooks.Add

        objExcel.Cells(1,1).Value = "Logon Name"
        objExcel.Cells(1,2).Value = "Display Name"
        objExcel.Cells(1,3).Value = "Email Address"
        objExcel.Cells(1,4).Value = "Full Control"

          xRow = 1
          yColumn = 1

       Do Until yColumn = 5
               objExcel.Cells(xRow,yColumn).Font.Bold = True
            objExcel.Cells(xRow,yColumn).Font.Size = 11
            objExcel.Cells(xRow,yColumn).Interior.ColorIndex = 11
            objExcel.Cells(xRow,yColumn).Interior.Pattern = 1
            objExcel.Cells(xRow,yColumn).Font.ColorIndex = 2
            objExcel.Cells(xRow,yColumn).Borders.LineStyle = 1
            objExcel.Cells(xRow,yColumn).WrapText = True
    yColumn = yColumn + 1
          Loop

    x = 2
    y = 1

     If NOT objRecordSet.eof Then
        objRecordSet.MoveFirst
          While Not objRecordset.EOF
            Set objUser = GetObject(objRecordSet.Fields("AdsPath").Value)
            y1 = y
                      objExcel.Cells(x,y1).Value = objUser.sAMAccountName
                      y1 = y1 + 1
                      objExcel.Cells(x,y1).Value = objUser.displayName
                y1 = y1 + 1
                      objExcel.Cells(x,y1).Value = objUser.mail
                y1 = y1 + 1
                    Set oSecurityDescriptor = objuser.Get("nTSecurityDescriptor")
                    Set dacl = oSecurityDescriptor.DiscretionaryAcl
                    Set ace = CreateObject("AccessControlEntry")
                      For Each ace In dacl
                        mystring = ace.Trustee
                        If (ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED) Then
                            x = x + 1
                          End If
                        End If
                      Next
                      x = x + 1 'go to the next Row
              objRecordSet.MoveNext
          Wend
     End If

 objExcel.Columns("A:D").Select
 objExcel.Selection.HorizontalAlignment = 3     'center all data
 objExcel.Selection.Borders.LineStyle = 1     'apply borders
 objExcel.Columns("A:AH").EntireColumn.AutoFit  'autofit all columns

 'objExcel.Quit

 set objExcel = Nothing
 Set objUser = Nothing

msgbox "Done!"
WScript.Quit

Open in new window

0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33697212
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 33697427
Hi, to add to tmassa's code the ability to check a specific user, under this line:
                        mystring = ace.Trustee
You can add a check against that trustee name:
                        If UCase(mystring) = "YOURDOMAIN\MIG" Then

Regards,

Rob.
0
 

Author Comment

by:MALCOLMPIRNIEIT
ID: 33726367
When running tmassa's code I'm getting an error on line 73 char 25 expected statement. Debugging, but I can't see why the End If is causing that.
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 34011857
That looks to be an extra END IF statement on line 72.  You can try commenting out that line.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
A procedure for exporting installed hotfix details of remote computers using powershell
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question