Solved

I need a way to query DACL of the User Objects in AD

Posted on 2010-09-16
9
956 Views
Last Modified: 2012-05-10
So bascially what I'd like to do is create a query.
That query will look at the DACL of all the user objects in my AD, for a specific account. (MIG)
If the user object does NOT have this specific account in the DACL return the DN/CN etc.

In other words, search AD to make sure that the MIG account is listed in the DACL. It would be better to make sure the MIG account has Full Control too and return user objects that it does not.

Server 2003 Native Domain. No preps above it
We've got Server 2008 R2 servers if PowerShell is needed.
I looked at Quest's software to solve this problem but I can't figure out the command I need to build that will examine the DACL.
0
Comment
Question by:MALCOLMPIRNIEIT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 2
9 Comments
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33695525
You can use ADFIND to search for a specific ACL on an object:

For example, this finds all objects that have FULL CONTROL over JSMITH
adfind -default -f samaccountname=jsmith -sc sdfilterns:FC

Open in new window

0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33695560
To see the entire DACL, remove the trailing :FC

ADFIND: http://joeware.net/freetools/tools/adfind/index.htm
adfind -default -f samaccountname=jsmith -sc sdfilterns

Open in new window

0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33695655
DSACLS example:

It will list permissions on an object.  I don't know of a way off-hand to query a specific permission.
DSACLS "CN=Joe Smith,OU=Finance,DC=domain,DC=com"

Open in new window

0
PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

 

Author Comment

by:MALCOLMPIRNIEIT
ID: 33696821
Good examples tmassa99, but that's not what I'm looking for.
0
 
LVL 17

Accepted Solution

by:
Tony Massa earned 500 total points
ID: 33697208
It's not possible to query a DACL directly because it's not a format that you can do that.  It has to be decoded.  I've modified a script I found on the Internet that will export the users with full control over every user object in AD.  I've looked at a few objects and only the users with full control are listed.

Found Script here...made modifications to use ntSecurityDescriptor

Good luck.
Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

sXLS = "c:\access-rights-export.xlsx"   'excel file must be created before script is ran

 Set objRootDSE = GetObject("LDAP://rootDSE")
 strDNSDomain = objRootDSE.Get("defaultNamingContext")

 'Set the ADO connection query strings
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 
 objCommand.Properties("Page Size") = 1000
 objCommand.Properties("Timeout") = 30
 objCommand.Properties("Cache Results") = False
 
objCommand.CommandText = _
    "SELECT * FROM 'LDAP://dc=domain,dc=com' WHERE objectCategory='user'"  
Set objRecordSet = objCommand.Execute

 Set objExcel = CreateObject("Excel.Application")
    objExcel.Application.DisplayAlerts = False
    objExcel.Visible = True

     'Set objWorkbook = objExcel.Workbooks.Open(sXLS)
        objExcel.Workbooks.Add

        objExcel.Cells(1,1).Value = "Logon Name"
        objExcel.Cells(1,2).Value = "Display Name"
        objExcel.Cells(1,3).Value = "Email Address"
        objExcel.Cells(1,4).Value = "Full Control"

          xRow = 1
          yColumn = 1

       Do Until yColumn = 5
               objExcel.Cells(xRow,yColumn).Font.Bold = True
            objExcel.Cells(xRow,yColumn).Font.Size = 11
            objExcel.Cells(xRow,yColumn).Interior.ColorIndex = 11
            objExcel.Cells(xRow,yColumn).Interior.Pattern = 1
            objExcel.Cells(xRow,yColumn).Font.ColorIndex = 2
            objExcel.Cells(xRow,yColumn).Borders.LineStyle = 1
            objExcel.Cells(xRow,yColumn).WrapText = True
    yColumn = yColumn + 1
          Loop

    x = 2
    y = 1

     If NOT objRecordSet.eof Then
        objRecordSet.MoveFirst
          While Not objRecordset.EOF
            Set objUser = GetObject(objRecordSet.Fields("AdsPath").Value)
            y1 = y
                      objExcel.Cells(x,y1).Value = objUser.sAMAccountName
                      y1 = y1 + 1
                      objExcel.Cells(x,y1).Value = objUser.displayName
                y1 = y1 + 1
                      objExcel.Cells(x,y1).Value = objUser.mail
                y1 = y1 + 1
                    Set oSecurityDescriptor = objuser.Get("nTSecurityDescriptor")
                    Set dacl = oSecurityDescriptor.DiscretionaryAcl
                    Set ace = CreateObject("AccessControlEntry")
                      For Each ace In dacl
                        mystring = ace.Trustee
                        If (ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED) Then
                            x = x + 1
                          End If
                        End If
                      Next
                      x = x + 1 'go to the next Row
              objRecordSet.MoveNext
          Wend
     End If

 objExcel.Columns("A:D").Select
 objExcel.Selection.HorizontalAlignment = 3     'center all data
 objExcel.Selection.Borders.LineStyle = 1     'apply borders
 objExcel.Columns("A:AH").EntireColumn.AutoFit  'autofit all columns

 'objExcel.Quit

 set objExcel = Nothing
 Set objUser = Nothing

msgbox "Done!"
WScript.Quit

Open in new window

0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 33697212
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 33697427
Hi, to add to tmassa's code the ability to check a specific user, under this line:
                        mystring = ace.Trustee
You can add a check against that trustee name:
                        If UCase(mystring) = "YOURDOMAIN\MIG" Then

Regards,

Rob.
0
 

Author Comment

by:MALCOLMPIRNIEIT
ID: 33726367
When running tmassa's code I'm getting an error on line 73 char 25 expected statement. Debugging, but I can't see why the End If is causing that.
0
 
LVL 17

Expert Comment

by:Tony Massa
ID: 34011857
That looks to be an extra END IF statement on line 72.  You can try commenting out that line.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With User Account Control (UAC) enabled in Windows 7, one needs to open an elevated Command Prompt in order to run scripts under administrative privileges. Although the elevated Command Prompt accomplishes the task, the question How to run as script…
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question