Solved

large security descriptors on objects

Posted on 2016-10-18
Last Modified: 2016-11-13
Hi all. My question is general and comes in 2 parts. Does anyone know how to view the size of large AD security descriptor objects? And I can't seem to find any decent guides on troubleshooting objects whose security descriptors are getting too large. Many thanks.
Question by: Jason Thomas
4 Comments
 
LVL 5

Expert Comment

by:sAMAccountName
ID: 41850340
Can you define "large"?  I mean are you looking for "extensive/many rules in the ACL" or are you looking for "takes up a ton of memory/bloats the token"?

What kind of objects?  Users/Groups/Computers?
 
LVL 5

Accepted Solution

by: sAMAccountName (earned 500 total points)
ID: 41850434
Just messing around with this, I was able to get some info you might find useful:

# Create a reference to the object you want to view
$MyThing = Get-ADUser johndow

# Set your location to the AD: drive so you can work with the ACL
Set-Location AD:

# Get the ACL for your thing and make a reference to it
# (the AD: provider addresses objects by distinguished name)
$MyThingsAcl = Get-Acl -Path $MyThing.DistinguishedName

# View the SDDL
$MyThingsAcl.Sddl

# Get a count of how many characters are in the SDDL string
$MyThingsAcl.Sddl.Length

# Get a count of how many ACE rules you have in the DACL
# (splitting the SDDL on ")" over-counts: it yields a trailing empty element
# and also counts any audit ACEs in the S: section, so use the parsed rules instead)
$MyThingsAcl.Access.Count

# Get a list of all the unique ACE strings in the SDDL
# (each ACE is the text between one "(" and its matching ")"; the O:/G:/D: header is skipped)
[regex]::Matches($MyThingsAcl.Sddl, '\(([^)]*)\)') |
    ForEach-Object { $_.Groups[1].Value } |
    Sort-Object -Unique


This might be a start to help you get to something more meaningful

If you pipe it through Get-Member, you can see all the methods and properties available to work with.

# Edit:  I updated the code sample with some comments and cleaned it up a bit
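The answer above measures the SDDL text, but what the directory actually stores is the binary nTSecurityDescriptor, and the question is about objects whose descriptors grow too large. As an added example that is not code from this thread or its author, the function below (the name Get-AdSdSize and the search base are assumptions; the RSAT ActiveDirectory module is required) reports the stored size and the explicit versus inherited ACE counts for every object under a container, ranked largest first, so bloated objects can be found and traced to either their own ACL or one inherited from a parent OU.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module
# and a search base you supply (the DN in the usage comment is a placeholder).
Import-Module ActiveDirectory

function Get-AdSdSize {
    param(
        [Parameter(Mandatory)][string]$SearchBase,  # e.g. 'OU=Servers,DC=example,DC=com' (placeholder)
        [int]$Top = 20
    )
    # Keep ACE identities as SIDs: no name resolution, so orphaned SIDs do not break the count
    $sidType = [System.Security.Principal.SecurityIdentifier]

    Get-ADObject -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor |
        ForEach-Object {
            # nTSecurityDescriptor arrives as System.DirectoryServices.ActiveDirectorySecurity
            $sd = $_.nTSecurityDescriptor
            # The binary form is what the directory stores; SDDL length is only a proxy for it.
            # Audit (SACL) entries are present only if the reading account is allowed to see them.
            $sdBytes = $sd.GetSecurityDescriptorBinaryForm().Length
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                SdBytes           = $sdBytes
                # Explicit ACEs live on this object; inherited ones come from a parent OU/container,
                # so a high inherited count means the fix belongs on the parent, not here.
                ExplicitAces      = $sd.GetAccessRules($true,  $false, $sidType).Count
                InheritedAces     = $sd.GetAccessRules($false, $true,  $sidType).Count
                Owner             = $sd.GetOwner($sidType).Value
            }
        } |
        Sort-Object SdBytes -Descending |
        Select-Object -First $Top
}

# Usage (placeholder DN): rank the largest descriptors under an OU
# Get-AdSdSize -SearchBase 'OU=Servers,DC=example,DC=com' | Format-Table -AutoSize
```

Run it once per OU rather than against the domain root on a large directory, since every object's descriptor is pulled over LDAP.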
 
LVL 1

Author Comment

by:Jason Thomas
ID: 41860704
Hi @Sam. Firstly, sorry for not getting to you sooner; I have been away. In response to your first question, the answer is 'with regard to token bloat and poor performance'. I am seeing conflicting views whereby some say 1800 entries on an object and others say 300 can cause issues. And second response - looks exciting, I'm going to try those one liners tomorrow morning and report back to you.
Thank you thus far.
 
LVL 1

Author Closing Comment

by:Jason Thomas
ID: 41885276
Incredibly thorough low level description, once again justifying the cost of the yearly subscription. Thank you.
