large security descriptors on objects

Posted on 2016-10-18
Last Modified: 2016-11-13
Hi all. My question is general and comes in two parts. Does anyone know how to view the size of large AD security descriptor objects? And I can't seem to find any decent guides on troubleshooting objects whose security descriptors are getting too large. Many thanks.
Question by: Jason Thomas

4 Comments
LVL 6

Expert Comment

by: sAMAccountName
ID: 41850340
Can you define "large"? I mean, are you looking for "extensive/many rules in the ACL" or are you looking for "takes up a ton of memory/bloats the token"?

What kind of objects?  Users/Groups/Computers?
 
LVL 6

Accepted Solution

by: sAMAccountName earned 500 total points
ID: 41850434
Just messing around with this, I was able to get some info you might find useful:

# The ActiveDirectory module provides Get-ADUser and creates the AD: drive
Import-Module ActiveDirectory

# Create a reference to the object you want to view
$MyThing = Get-ADUser johndow

# Set your location to AD so you can work with the ACL
Set-Location AD:

# Get the ACL for your thing and make a reference to it
# (the AD: provider expects the object's distinguished name as the path)
$MyThingsAcl = Get-Acl -Path $MyThing.DistinguishedName

# View the SDDL
$MyThingsAcl.Sddl

# Get a count of how many characters are in the SDDL string
$MyThingsAcl.Sddl.Length

# Get a count of how many ACE rules you have in the ACL
# (splitting the SDDL on ")" leaves a trailing empty element, so count the parsed ACEs instead)
$MyThingsAcl.Access.Count

# Get a list of all the rules in the ACL
# (each ACE sits inside parentheses in the SDDL; the first split element is the owner/group/flags header)
$MyThingsAcl.Sddl.Split("(") | Select-Object -Skip 1 | ForEach-Object { $_.TrimEnd(")") }


This might be a start to help you get to something more meaningful

If you pipe it through Get-Member, you can see all the methods and properties available to work with.

# Edit:  I updated the code sample with some comments and cleaned it up a bit
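Building on the answer above, here is an added example (not part of the answer or of any Microsoft tooling) that scans every object under an OU and ranks them by the byte size of the stored security descriptor and by ACE count, which is the "which objects are the problem" view the question asks for. It assumes the ActiveDirectory module; the search base OU is a placeholder to replace with a real one.

```powershell
# Added example: rank objects under a search base by security descriptor size.
# Assumes the ActiveDirectory module; $SearchBase is a placeholder DN.
Import-Module ActiveDirectory

$SearchBase = 'OU=Example,DC=example,DC=com'   # placeholder, replace with a real OU
$TopN       = 20

$report = Get-ADObject -SearchBase $SearchBase -Filter * -Properties nTSecurityDescriptor |
    ForEach-Object {
        # nTSecurityDescriptor comes back as an ActiveDirectorySecurity object
        $sd = $_.nTSecurityDescriptor
        if ($null -eq $sd) { return }

        # Explicit (non-inherited) ACEs are the ones set on this object itself
        $explicit = @($sd.Access | Where-Object { -not $_.IsInherited })

        [pscustomobject]@{
            DistinguishedName = $_.DistinguishedName
            ObjectClass       = $_.ObjectClass
            # Size in bytes of the binary descriptor as stored on the object
            SdBytes           = $sd.GetSecurityDescriptorBinaryForm().Length
            # Length of the SDDL string, the measure used in the answer above
            SddlLength        = $sd.Sddl.Length
            AceCount          = $sd.Access.Count
            ExplicitAceCount  = $explicit.Count
        }
    }

# Largest descriptors first; a high ExplicitAceCount points at ACEs that can be
# trimmed on the object, a high AceCount with few explicit ones points up the tree
$report | Sort-Object SdBytes -Descending | Select-Object -First $TopN |
    Format-Table DistinguishedName, ObjectClass, SdBytes, SddlLength, AceCount, ExplicitAceCount -AutoSize
```

Run it as an account that can read nTSecurityDescriptor on the objects in scope; on a large OU, narrow the filter (for example to group objects) before scanning a whole domain.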
 
LVL 1

Author Comment

by: Jason Thomas
ID: 41860704
Hi @Sam. Firstly, sorry for not getting to you sooner; I have been away. In response to your first question, the answer is with regard to token bloat and poor performance. I am seeing conflicting views, whereby some say 1800 entries on an object and others say 300 can cause issues. And second response: looks exciting, I'm going to try those one-liners tomorrow morning and report back to you.
Thank you thus far.
 
LVL 1

Author Closing Comment

by: Jason Thomas
ID: 41885276
Incredibly thorough, low-level description, once again justifying the cost of the yearly subscription. Thank you.