large security descriptors on objects

Posted on 2016-10-18
Last Modified: 2016-11-13
Hi all. My question is general and comes in 2 parts. Does anyone know how to view the size of large AD security descriptor objects? And I can't seem to find any decent guides on troubleshooting objects whose security descriptors are getting too large. Many thanks.
Question by:Jason Thomas
4 Comments
 
LVL 6

Expert Comment

by:sAMAccountName
ID: 41850340
Can you define "large"?  I mean are you looking for "extensive/many rules in the ACL" or are you looking for "takes up a ton of memory/bloats the token"?

What kind of objects?  Users/Groups/Computers?
LVL 6

Accepted Solution

by: sAMAccountName (earned 2000 total points)
ID: 41850434
Just messing around with this, I was able to get some info you might find useful:

# Create a reference to the object you want to view
$MyThing = Get-ADUser johndow

# Set your location to the AD: drive so you can work with the ACL
Set-Location AD:

# Get the ACL for your thing; the AD: provider takes the distinguished name as the path
$MyThingsAcl = Get-Acl -Path $MyThing.DistinguishedName

# View the SDDL
$MyThingsAcl.Sddl

# Get a count of how many characters are in the SDDL string
# (this is the length of the text form, not the byte size of the stored descriptor)
$MyThingsAcl.Sddl.Length

# Get a count of how many ACE rules you have in the ACL
# (Access is exact; splitting the SDDL on ")" also counts the trailing empty
# piece and any SACL entries, so it overstates the number)
$MyThingsAcl.Access.Count

# Get a list of all the individual ACE strings in the SDDL
# (the first piece before "(" is the owner/group/flags header, so skip it)
$MyThingsAcl.Sddl -split '\(' | Select-Object -Skip 1 | ForEach-Object { $_.TrimEnd(')') }

This might be a start to help you get to something more meaningful.

If you pipe it through Get-Member, you can see all the methods and properties available to work with.

# Edit:  I updated the code sample with some comments and cleaned it up a bit
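A scan of the kind the question asks for, as an added example that is not part of the accepted answer: it reads nTSecurityDescriptor directly, parses the stored bytes, and reports the DACL size and ACE counts for every object under a search base. It assumes the ActiveDirectory module is available and that the search base DN is a placeholder you replace with your own.

```powershell
# Added example, not the answerer's code. Assumes the ActiveDirectory module
# and a search base you supply (the DN at the bottom is a placeholder).
Import-Module ActiveDirectory

function Get-AdDaclSize {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [string] $Filter = '*',
        [int] $MinDaclBytes = 0   # report only objects whose DACL is at least this big
    )
    # An ACL's size is stored in a 16-bit field, so a DACL can never exceed 64 KB;
    # that is the ceiling the percentage below is measured against.
    $daclLimit = 64KB
    $inherited = [System.Security.AccessControl.AceFlags]::Inherited

    Get-ADObject -SearchBase $SearchBase -Filter $Filter -Properties nTSecurityDescriptor |
        ForEach-Object {
            $sd = $_.nTSecurityDescriptor
            if ($null -eq $sd) { return }
            # Serialise the stored descriptor and parse it without resolving any SIDs,
            # so the numbers reflect what is on the DC, not the length of the SDDL text.
            $bytes = $sd.GetSecurityDescriptorBinaryForm()
            $raw = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
            $dacl = $raw.DiscretionaryAcl
            $explicit = 0
            if ($dacl) {
                foreach ($ace in $dacl) {
                    # Explicit ACEs were set on this object; inherited ones are fixed at the parent
                    if (($ace.AceFlags -band $inherited) -eq 0) { $explicit++ }
                }
            }
            $daclBytes = if ($dacl) { $dacl.BinaryLength } else { 0 }
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                SdBytes           = $bytes.Length
                DaclBytes         = $daclBytes
                AceCount          = if ($dacl) { $dacl.Count } else { 0 }
                ExplicitAceCount  = $explicit
                PercentOfLimit    = [math]::Round(100 * $daclBytes / $daclLimit, 1)
            }
        } |
        Where-Object { $_.DaclBytes -ge $MinDaclBytes } |
        Sort-Object DaclBytes -Descending
}

# Usage: the ten largest DACLs under an OU (placeholder DN), largest first
Get-AdDaclSize -SearchBase 'OU=Servers,DC=example,DC=com' |
    Select-Object -First 10 |
    Format-Table -AutoSize
```

Objects with a high ExplicitAceCount are the ones worth reviewing first, since their entries were added directly rather than inherited from a container.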
LVL 1

Author Comment

by:Jason Thomas
ID: 41860704
Hi @Sam. Firstly, sorry for not getting to you sooner; I have been away. In response to your first question, the answer is 'with regard to token bloat and poor performance'. I am seeing conflicting views whereby some say 1800 entries on an object and others say 300 can cause issues. And second response - looks exciting, I'm going to try those one-liners tomorrow morning and report back to you.
Thank you thus far.
LVL 1

Author Closing Comment

by:Jason Thomas
ID: 41885276
Incredibly thorough low-level description, once again justifying the cost of the yearly subscription. Thank you.