large security descriptors on objects

Posted on 2016-10-18
Last Modified: 2016-11-13
Hi all. My question is general and comes in two parts. Does anyone know how to view the size of large AD security descriptor objects? And I can't seem to find any decent guides on troubleshooting objects whose security descriptors are getting too large. Many thanks.
Question by:Jason Thomas
4 Comments
LVL 6

Expert Comment

by:sAMAccountName
ID: 41850340
Can you define "large"?  I mean are you looking for "extensive/many rules in the ACL" or are you looking for "takes up a ton of memory/bloats the token"?

What kind of objects?  Users/Groups/Computers?
LVL 6

Accepted Solution

by:sAMAccountName (earned 2000 total points)
ID: 41850434
Just messing around with this, I was able to get some info you might find useful:

# Create a reference to the object you want to view
$MyThing = Get-ADUser johndow

# Set your location to the AD: drive so Get-Acl can read the object's security descriptor
Set-Location AD:

# Get the ACL for your thing and make a reference to it
# (the AD: provider takes the distinguished name as the path)
$MyThingsAcl = Get-Acl -Path $MyThing.DistinguishedName

# View the SDDL
$MyThingsAcl.Sddl

# Get a count of how many characters are in the SDDL string
$MyThingsAcl.Sddl.Length

# Get a count of how many ACE rules you have in the DACL
# (splitting the SDDL on ")" also counts the O:/G:/D: header and a trailing empty piece, so use the parsed rules instead)
$MyThingsAcl.Access.Count

# Get a list of all the unique ACE strings in the SDDL
# (each ACE is written as "(...)"; the first piece before the first "(" is the header)
$MyThingsAcl.Sddl -split '\(' | Where-Object { $_ } | ForEach-Object { $_.TrimEnd(')') } | Select-Object -Unique


This might be a start to help you get to something more meaningful

If you pipe it through Get-Member, you can see all the methods and properties available to work with.

# Edit:  I updated the code sample with some comments and cleaned it up a bit
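The accepted answer measures one object at a time by hand. The script below is an added example, not code from the thread or from Microsoft: it parses a security descriptor from its SDDL string offline (so the measurement logic can be exercised on any Windows host with a constructed sample, no domain needed) and then applies the same measurement across an AD subtree to list the objects whose DACLs exceed a chosen ACE count. The function names, the SearchBase value and the 300-ACE threshold are assumptions for illustration; the threshold echoes the lower of the two figures the asker mentions and is not a documented Microsoft limit. Note that this measures the object's security descriptor (DACL entries and bytes); access-token size is driven by a principal's group memberships, which is a separate thing to audit.

```powershell
# Added example (not from the thread): measure a security descriptor from SDDL
# offline, then run the same measurement across an AD subtree.
# Assumptions: Find-LargeSecurityDescriptor needs the ActiveDirectory module and a
# domain-joined session; the threshold is illustrative, not a documented limit.

function Measure-Sddl {
    param([Parameter(Mandatory)][string]$Sddl)

    # RawSecurityDescriptor parses SDDL without touching AD; the binary length is
    # what the directory actually stores in nTSecurityDescriptor.
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $Sddl
    $dacl = if ($sd.DiscretionaryAcl) { $sd.DiscretionaryAcl.Count } else { 0 }
    $sacl = if ($sd.SystemAcl)        { $sd.SystemAcl.Count }        else { 0 }

    # Group DACL entries by trustee SID so you can see which principals dominate the ACL.
    $byTrustee = @{}
    if ($sd.DiscretionaryAcl) {
        foreach ($ace in $sd.DiscretionaryAcl) {
            # Only KnownAce subclasses carry a trustee; CustomAce entries do not.
            if ($ace -is [System.Security.AccessControl.KnownAce]) {
                $sid = $ace.SecurityIdentifier.Value
                $byTrustee[$sid] = 1 + [int]$byTrustee[$sid]
            }
        }
    }
    $top = $byTrustee.GetEnumerator() | Sort-Object Value -Descending | Select-Object -First 3 |
           ForEach-Object { "$($_.Key)=$($_.Value)" }

    [pscustomobject]@{
        SddlLength  = $Sddl.Length
        BinaryBytes = $sd.BinaryLength
        DaclAces    = $dacl
        SaclAces    = $sacl
        TopTrustees = ($top -join ', ')
    }
}

function Find-LargeSecurityDescriptor {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # assumed value, e.g. 'OU=Servers,DC=corp,DC=example'
        [int]$AceThreshold = 300                     # illustrative threshold, not a documented limit
    )
    Import-Module ActiveDirectory

    # Owner, group and DACL only: reading the SACL needs SeSecurityPrivilege and is
    # not needed to find DACL bloat.
    $sections = [System.Security.AccessControl.AccessControlSections]'Owner,Group,Access'

    # nTSecurityDescriptor is not returned by default; ask for it explicitly.
    Get-ADObject -LDAPFilter '(objectClass=*)' -SearchBase $SearchBase -Properties nTSecurityDescriptor |
        ForEach-Object {
            $sddl = $_.nTSecurityDescriptor.GetSecurityDescriptorSddlForm($sections)
            Measure-Sddl -Sddl $sddl |
                Add-Member -NotePropertyName DistinguishedName -NotePropertyValue $_.DistinguishedName -PassThru
        } |
        Where-Object { $_.DaclAces -ge $AceThreshold } |
        Sort-Object DaclAces -Descending
}

# Constructed sample SDDL (not from a real directory): owner BA, group SY,
# three DACL entries and one audit entry; uses only well-known SIDs so it
# parses on a workstation that is not domain-joined.
$sampleSddl = 'O:BAG:SYD:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GR;;;AU)S:(AU;SA;GA;;;WD)'
Measure-Sddl -Sddl $sampleSddl | Format-List

# Against a live domain (assumed OU path):
# Find-LargeSecurityDescriptor -SearchBase 'OU=Servers,DC=corp,DC=example' -AceThreshold 300 |
#     Format-Table DistinguishedName, DaclAces, BinaryBytes, TopTrustees -AutoSize
```

Run it unprivileged first on the constructed sample to confirm the parser behaves, then point Find-LargeSecurityDescriptor at a small OU before a whole domain: every object in the subtree is fetched with its full descriptor, so the scan is read-heavy. The TopTrustees column is the useful part for troubleshooting, since a handful of principals each granted many per-attribute ACEs (rather than one "Full control" entry) is the usual way a DACL grows.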
LVL 1

Author Comment

by:Jason Thomas
ID: 41860704
Hi @Sam. Firstly, sorry for not getting to you sooner, I have been away. In response to your first question, the answer is "with regard to token bloat and poor performance". I am seeing conflicting views whereby some say 1800 entries on an object and others say 300 can cause issues. And on your second response: looks exciting, I'm going to try those one-liners tomorrow morning and report back to you.
Thank you thus far.
LVL 1

Author Closing Comment

by:Jason Thomas
ID: 41885276
Incredibly thorough low-level description, once again justifying the cost of the yearly subscription. Thank you.