Most often, an administrator views and modifies the security settings (an Access Control List, ACL) on an Active Directory object by using the Security tab of the object's Properties window. This window can be opened from an appropriate administrative snap-in. Sometimes, however, it is more convenient to analyze the ACL lists in a "plain text" form. The ACLDiag tool will allow an administrator to view all the information about a directory object's security settings. Any user can run ACLDiag, but the tool's output will depend on the user's rights to view that object (or some other objects).
ACLDiag's options are discussed through the examples in the following section. (You might prefer to use the DsACLs tool discussed later; it lacks some of the features that ACLDiag has, but it allows ACL modifications and seems to be more reliable.)
Note: This tool requires quite a long time to run, especially when the /geteffective parameter is specified, and it produces output that should usually be redirected to a file.
ACLDiag can display (in a readable or tab-delimited form) all directly defined or inherited permissions on an Active Directory object, as well as the audit settings. The tool's output is structured to help an administrator analyze the information. Essentially, the tool has two subtests: Security Diagnosis (which you may skip by using the /skip parameter) and Effective Rights Diagnosis. Let us see, for example, in which form ACLDiag displays permissions for an OU. (For clarity, the output section titles are in bold.)
    C:\>acldiag "OU=Staff, DC=net, DC=dom"
    Security Diagnosis for OU=Staff, DC=net, DC=dom
    Description
    Owner: NET\Domain Admins
    Permissions effective on the object:
        Allow NT AUTHORITY\Authenticated Users Read all properties
        Allow NT AUTHORITY\Authenticated Users List contents
        Allow NT AUTHORITY\Authenticated Users List object
        Allow NET\Domain Admins Create all subobjects
        Allow NET\Domain Admins Delete all subobjects
        ...
    Permissions inherited by subobjects:
    Inherit to All Subobjects:
        Allow BUILTIN\Administrators Create all subobjects (Inherited permission from DC=net, DC=dom)
        Allow BUILTIN\Administrators Read all properties (Inherited permission from DC=net, DC=dom)
        ...
    Inherit to Group objects only:
        ...
    Inherit to User objects only:
        ...
    Inherit to InetOrgPerson objects only:
        ...
    Auditing effective on this object:
        Audit Successful and Failed Create all subobjects attempts by \Everyone
        Audit Successful and Failed Delete all subobjects attempts by \Everyone
        ...
    Auditing inherited to subobjects:
    Inherit to All Subobjects:
        Audit Successful and Failed Create all subobjects attempts by \Everyone
        Audit Successful and Failed Delete all subobjects attempts by \Everyone
        ...
Note: As you can see from the output above, Windows .NET has a new security principal, an object class named inetOrgPerson. Naturally, you can create objects of that type and assign permissions to them.
To view the effective rights for all or some users or groups, use the /geteffective parameter. For example, the following command displays rights on an OU for all users and groups. If the rights are not defined directly for a user or group, the corresponding output section will be empty. As you can see, detailed information on each object's permissions is given.
    C:\>acldiag "OU=Staff, DC=net, DC=dom" /geteffective:* /skip
    Security Diagnosis for OU=Staff, DC=net, DC=dom
    Effective Rights Diagnosis
    NET\Domain Admins:
        Can Modify Membership (via NET\Domain Admins membership)
        All control accesses for class Organizational Unit (via NET\Domain Admins membership)
        Can List object (via NET\Domain Admins membership)
        Can List contents (via NET\Domain Admins membership)
        Write all properties for class Organizational Unit (via NET\Domain Admins membership)
        Read all properties for class Organizational Unit (via NET\Domain Admins membership)
        Delete all subobjects of class Organizational Unit (via NET\Domain Admins membership)
        Create all subobjects of class Organizational Unit (via NET\Domain Admins membership)
    JSmith@net.dom:
        Can List contents
        Read all properties for class Organizational Unit
    NET\Staff-Admins:
        Delete all subobjects of class Organizational Unit (via NET\Staff-Admins membership)
        Create all subobjects of class Organizational Unit (via NET\Staff-Admins membership)
    NET\Enterprise Admins:
        Can Modify Membership
        All control accesses for class Organizational Unit
        Can List object
        Can List contents
        Write all properties for class Organizational Unit
        Read all properties for class Organizational Unit
        Delete all subobjects of class Organizational Unit (via NET\Enterprise Admins membership)
        Create all subobjects of class Organizational Unit
ACLDiag allows an administrator to check whether the Delegation of Control Wizard has been run for an object, and whether or not this wizard has been run successfully. Let us consider an example. In the following scenario, a user jsmith@net.dom and a group Staff-Admins@net.dom have received specific administrative rights over the Staff OU. (Remember that in Windows .NET, there are 11 common administrative tasks for OU objects; in Windows 2000 — only six tasks.) By using a command similar to the following, you can easily determine who has the delegated rights and which rights these are:
    C:\>acldiag "OU=Staff, DC=net, DC=dom" /chkdeleg /skip
    Security Diagnosis for OU=Staff, DC=net, DC=dom
    Delegation Template Diagnosis:
    Create, delete, and manage user accounts allowed to NET\Staff-Admins
        Status: OK
        Applies on this object: YES
        Inherited from parent: NO
    Reset user passwords and force password change at next logon allowed to JSmith@net.dom
        Status: OK
        Applies on this object: YES
        Inherited from parent: NO
    Read all user information allowed to JSmith@net.dom
        Status: OK
        Applies on this object: YES
        Inherited from parent: NO
    Create, delete and manage groups allowed to NET\Staff-Admins
        Status: MISCONFIGURED
        Applies on this object: YES
        Inherited from parent: NO
    Modify the membership of a group
        Status: NOT PRESENT
    Manage Group Policy links allowed to NET\Staff-Admins
        Status: OK
        Applies on this object: YES
        Inherited from parent: NO
    Generate Resultant Set of Policy (Planning)
        Status: NOT PRESENT
    Generate Resultant Set of Policy (Logging)
        Status: NOT PRESENT
    Create, delete, and manage inetOrgPerson accounts
        Status: NOT PRESENT
    Reset inetOrgPerson passwords and force password change at next logon allowed to JSmith@net.dom
        Status: OK
        Applies on this object: YES
        Inherited from parent: NO
    Read all inetOrgPerson information
        Status: NOT PRESENT
Notice that if a common task has not been delegated, the tool reports Status as NOT PRESENT. As you can see, one task's status is MISCONFIGURED. (In this case, one of the ACEs composing that administrative task has been deleted.) If the /fixdeleg parameter cannot fix the problem, you should run the Delegation of Control Wizard again. You may also run the DsACLs.exe utility with the /s parameter, which resets all permissions on the object to schema defaults. (Use this option with caution! See the "Restoring Security Settings" section in this chapter.)
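Reading this report by eye across many OUs is error-prone, so a script can parse the Delegation Template Diagnosis section and pull out the tasks whose status is MISCONFIGURED. The following Python is an added example, not part of ACLDiag or of this book; its input is a constructed sample modelled on the report above, and the parser assumes the Status / Applies on this object / Inherited from parent line layout shown there.

```python
from dataclasses import dataclass
# Constructed sample, modelled on the /chkdeleg output shown in the text.
SAMPLE_OUTPUT = """\
Security Diagnosis for OU=Staff, DC=net, DC=dom
Delegation Template Diagnosis:
Create, delete, and manage user accounts allowed to NET\\Staff-Admins
Status: OK
Applies on this object: YES
Inherited from parent: NO
Create, delete and manage groups allowed to NET\\Staff-Admins
Status: MISCONFIGURED
Applies on this object: YES
Inherited from parent: NO
Modify the membership of a group
Status: NOT PRESENT
"""

@dataclass
class Delegation:
    task: str
    principal: str = ""          # empty when the task is NOT PRESENT
    status: str = ""
    applies_here: bool = False
    inherited: bool = False

# Report field label -> Delegation attribute; YES/NO fields become booleans.
FIELDS = {"Status": "status", "Applies on this object": "applies_here",
          "Inherited from parent": "inherited"}

def parse_chkdeleg(text):
    """One record per common administrative task in the /chkdeleg report."""
    records, in_section = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Delegation Template Diagnosis"):
            in_section = True            # lines before this are the header
        elif not in_section or not line:
            continue
        elif line.partition(":")[0] in FIELDS and records:
            key, _, val = line.partition(":")
            val = val.strip()
            setattr(records[-1], FIELDS[key], val if key == "Status" else val == "YES")
        else:
            # Template line: "<task> allowed to <principal>", or a bare "<task>"
            task, _, who = line.partition(" allowed to ")
            records.append(Delegation(task.strip(), who.strip()))
    return records

def misconfigured(records):
    """Tasks whose ACE set is incomplete: fix with /fixdeleg or rerun the wizard."""
    return [r.task for r in records if r.status == "MISCONFIGURED"]
```

Feeding the tool's real output (redirected to a file) to parse_chkdeleg gives the same records, with inherited set for tasks delegated on a parent container.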
To fix delegated control settings, use the following command:
    C:\>acldiag "OU=Staff, DC=net, DC=dom" /chkdeleg /fixdeleg /skip
The command verifies all permissions, and if some permission is missing, the program asks whether you want to fix the problem; for example:
    Create, delete and manage groups allowed to NET\Staff-Admins
        Status: MISCONFIGURED
        Applies on this object: YES
        Inherited from parent: NO
    Do you want to fix this delegation? (y/n)y
To verify whether an Active Directory object retains all the permissions that were set at the moment of its creation, use a command similar to the following:
    C:\>acldiag "OU=Staff, DC=net, DC=dom" /schema /skip
    Security Diagnosis for OU=Staff, DC=net, DC=dom
    Schema Defaults Diagnosis
    Schema defaults: Present
    Obtained : At CREATION
In the case shown, the tool reports that the object kept all permissions assigned upon its creation. If some permission has been removed, the tool displays the message
    Schema defaults: Partial
To see the default (schema) permissions on a directory object, you should refer to the Schema partition. For an OU object, use a command similar to the following:
    C:\>acldiag "CN=Organizational-Unit, CN=Schema, CN=Configuration, DC=net, DC=dom"