ACL Diagnostics (ACLDiag.exe) (ST)

Most often, an administrator views and modifies the security settings (the Access Control List, ACL) of an Active Directory object on the Security tab of the object's Properties window, which can be opened from the appropriate administrative snap-in. Sometimes, however, it is more convenient to analyze ACLs in "plain text" form. The ACLDiag tool lets an administrator view all the information about a directory object's security settings. Any user can run ACLDiag, but the tool's output depends on the user's rights to view that object (and any other objects the diagnosis touches).

ACLDiag's options are discussed through examples in the following sections. (You might prefer to use the DsACLs tool discussed later; it lacks some of ACLDiag's features, but it allows ACL modifications and seems to be more reliable.)

Note 

Note that this tool can take quite a long time to run, especially when the /geteffective parameter is specified, and it produces output that should usually be redirected to a file.

Viewing All Permissions

ACLDiag can display (in readable or tab-delimited form) all directly defined or inherited permissions on an Active Directory object, as well as its audit settings. The tool's output is structured to help an administrator analyze the information. Essentially, the tool has two subtests: Security Diagnosis (which you can skip with the /skip parameter) and Effective Rights Diagnosis. Let us see, for example, in which form ACLDiag displays the permissions on an OU.

    C:\>acldiag "OU=Staff, DC=net, DC=dom"
    Security Diagnosis for OU=Staff, DC=net, DC=dom
    Description
            Owner: NET\Domain Admins
            Permissions effective on the object:
                    Allow NT AUTHORITY\Authenticated Users Read all properties
                    Allow NT AUTHORITY\Authenticated Users List contents
                    Allow NT AUTHORITY\Authenticated Users List object
                    Allow NET\Domain Admins Create all subobjects
                    Allow NET\Domain Admins Delete all subobjects
    ...
    Permissions inherited by subobjects:
            Inherit to All Subobjects:
                    Allow BUILTIN\Administrators Create all subobjects
                    (Inherited permission from DC=net, DC=dom)
                    Allow BUILTIN\Administrators Read all properties
                    (Inherited permission from DC=net, DC=dom)
    ...
            Inherit to Group objects only:
    ...
            Inherit to User objects only:
    ...
            Inherit to InetOrgPerson objects only:
    ...
    Auditing effective on this object:
                    Audit Successful and Failed Create all subobjects attempts by \Everyone
                    Audit Successful and Failed Delete all subobjects attempts by \Everyone
    ...
    Auditing inherited to subobjects:
            Inherit to All Subobjects:
                    Audit Successful and Failed Create all subobjects attempts by \Everyone
                    Audit Successful and Failed Delete all subobjects attempts by \Everyone
    ...

Note 

As you can see from the output above, there is a new security principal in Windows .NET: an object type named inetOrgPerson. Naturally, you can create objects of that type and assign permissions to them.

Viewing Effective Rights

To view the effective rights of all or some users or groups, use the /geteffective parameter. For example, the following command displays the rights on an OU for all users and groups. If no rights are defined directly for a user or group, the corresponding output section is empty. As you can see, detailed information on each principal's permissions is given, including the group membership through which an inherited right is obtained.

    C:\>acldiag "OU=Staff, DC=net, DC=dom" /geteffective:* /skip
    Security Diagnosis for OU=Staff, DC=net, DC=dom
    Effective Rights Diagnosis
    NET\Domain Admins:
            Can Modify Membership (via NET\Domain Admins membership)
            All control accesses for class Organizational Unit (via NET\Domain Admins membership)
            Can List object (via NET\Domain Admins membership)
            Can List contents (via NET\Domain Admins membership)
            Write all properties for class Organizational Unit (via NET\Domain Admins membership)
            Read all properties for class Organizational Unit (via NET\Domain Admins membership)
            Delete all subobjects of class Organizational Unit (via NET\Domain Admins membership)
            Create all subobjects of class Organizational Unit (via NET\Domain Admins membership)
    JSmith@net.dom:
            Can List contents
            Read all properties for class Organizational Unit
    NET\Staff-Admins:
            Delete all subobjects of class Organizational Unit (via NET\Staff-Admins membership)
            Create all subobjects of class Organizational Unit (via NET\Staff-Admins membership)
    NET\Enterprise Admins:
            Can Modify Membership
            All control accesses for class Organizational Unit
            Can List object
            Can List contents
            Write all properties for class Organizational Unit
            Read all properties for class Organizational Unit
            Delete all subobjects of class Organizational Unit (via NET\Enterprise Admins membership)
            Create all subobjects of class Organizational Unit
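Because the /geteffective output is best redirected to a file, it pays to parse that file rather than read it by eye. The following Python parser is an added example, not part of the book or of ACLDiag; it reads the principal sections shown above into a map of principal to (right, via-group) pairs, keeps empty sections, and answers "who holds a given right on this OU" so the result can be compared against an expected delegation list. The NET\Help-Desk principal in the sample is made up to show the empty-section case.

```python
import re

# Constructed sample, abbreviated from the acldiag /geteffective:* output shown above
# (one right per line, as the tool prints it when no line wrapping occurs).
SAMPLE_EFFECTIVE = """\
Security Diagnosis for OU=Staff, DC=net, DC=dom
Effective Rights Diagnosis
NET\\Domain Admins:
    Can List contents (via NET\\Domain Admins membership)
    Delete all subobjects of class Organizational Unit (via NET\\Domain Admins membership)
    Create all subobjects of class Organizational Unit (via NET\\Domain Admins membership)
JSmith@net.dom:
    Can List contents
    Read all properties for class Organizational Unit
NET\\Staff-Admins:
    Delete all subobjects of class Organizational Unit (via NET\\Staff-Admins membership)
    Create all subobjects of class Organizational Unit (via NET\\Staff-Admins membership)
NET\\Help-Desk:
"""
# (NET\Help-Desk is a made-up principal with no rights, to exercise the empty-section case.)

VIA_RE = re.compile(r"^(?P<right>.*?)\s*\(via (?P<via>.+?) membership\)$")

def parse_effective_rights(text):
    """Map each principal to a list of (right, via) tuples; principal lines are
    unindented and end with ':', their rights follow indented. 'via' is the
    group the right is obtained through, or None when it is granted directly."""
    rights = {}
    principal = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" ") and line.endswith(":"):
            principal = line[:-1]
            rights.setdefault(principal, [])   # keep empty sections too
            continue
        if principal is None:
            continue                            # header lines before the first principal
        m = VIA_RE.match(line.strip())
        if m:
            rights[principal].append((m.group("right"), m.group("via")))
        else:
            rights[principal].append((line.strip(), None))
    return rights

def who_can(rights, prefix):
    """Principals holding any right that starts with `prefix`, e.g. 'Delete all subobjects'."""
    return sorted(p for p, rs in rights.items() if any(r.startswith(prefix) for r, _ in rs))
```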

Verifying Delegation of Control

ACLDiag allows an administrator to check whether the Delegation of Control Wizard has been run for an object, and whether it completed successfully. Let us consider an example. In the following scenario, a user jsmith@net.dom and a group Staff-Admins@net.dom have received specific administrative rights over the Staff OU. (Remember that in Windows .NET there are 11 common administrative tasks for OU objects, whereas Windows 2000 has only six.) Using a command similar to the following, you can easily determine who holds delegated rights and which rights these are:

    C:\>acldiag "OU=Staff, DC=net, DC=dom" /chkdeleg /skip
    Security Diagnosis for OU=Staff, DC=net, DC=dom
    Delegation Template Diagnosis:
            Create, delete, and manage user accounts allowed to NET\Staff-Admins
                    Status: OK
                    Applies on this object: YES
                    Inherited from parent: NO
            Reset user passwords and force password change at next logon
            allowed to JSmith@net.dom
                    Status: OK
                    Applies on this object: YES
                    Inherited from parent: NO
            Read all user information allowed to JSmith@net.dom
                    Status: OK
                    Applies on this object: YES
                    Inherited from parent: NO
            Create, delete and manage groups allowed to NET\Staff-Admins
                    Status: MISCONFIGURED
                    Applies on this object: YES
                    Inherited from parent: NO
            Modify the membership of a group
                    Status: NOT PRESENT
            Manage Group Policy links allowed to NET\Staff-Admins
                    Status: OK
                    Applies on this object: YES
                    Inherited from parent: NO
            Generate Resultant Set of Policy (Planning)
                    Status: NOT PRESENT
            Generate Resultant Set of Policy (Logging)
                    Status: NOT PRESENT
            Create, delete, and manage inetOrgPerson accounts
                    Status: NOT PRESENT
            Reset inetOrgPerson passwords and force password change at next
            logon allowed to JSmith@net.dom
                    Status: OK
                    Applies on this object: YES
                    Inherited from parent: NO
            Read all inetOrgPerson information
                    Status: NOT PRESENT

Notice that if a common task has not been delegated, the tool reports its Status as NOT PRESENT. As you can see, one task's status is MISCONFIGURED. (In this case, one of the ACEs that make up that administrative task has been deleted.) If the /fixdeleg parameter cannot fix the problem, you should run the Delegation of Control Wizard again. You may also run the DsACLs.exe utility with the /s parameter, which resets all permissions on the object to the schema defaults. (Use this option with caution! See the "Restoring Security Settings" section in this chapter.)

To fix delegated control settings, use the following command:

    C:\>acldiag "OU=Staff, DC=net, DC=dom" /chkdeleg /fixdeleg /skip 

The command verifies all permissions, and if some permission is missing, the program asks whether you want to fix the problem; for example:

        Create, delete and manage groups allowed to NET\Staff-Admins
                Status: MISCONFIGURED
                Applies on this object: YES
                Inherited from parent: NO
                Do you want to fix this delegation? (y/n)y
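A periodic /chkdeleg run is a cheap way to detect drift in delegated permissions (a deleted ACE, or a task that was never delegated). The following Python parser is an added example, not part of the book or of ACLDiag; it turns the Delegation Template Diagnosis output shown above into records, handles task titles that the tool wraps onto two lines, and lists the templates whose Status is not OK so that only those need a /fixdeleg run or a repeat of the wizard.

```python
import re

# Constructed sample in the format of the acldiag /chkdeleg output shown above; the
# "Reset user passwords" title is wrapped onto two lines the way the tool wraps it.
SAMPLE_CHKDELEG = """\
Security Diagnosis for OU=Staff, DC=net, DC=dom
Delegation Template Diagnosis:
    Create, delete, and manage user accounts allowed to NET\\Staff-Admins
        Status: OK
        Applies on this object: YES
        Inherited from parent: NO
    Create, delete and manage groups allowed to NET\\Staff-Admins
        Status: MISCONFIGURED
        Applies on this object: YES
        Inherited from parent: NO
    Modify the membership of a group
        Status: NOT PRESENT
    Reset user passwords and force password change at next logon
    allowed to JSmith@net.dom
        Status: OK
        Applies on this object: YES
        Inherited from parent: NO
"""
# Task title, optionally followed by the principal the task was delegated to.
TITLE_RE = re.compile(r"^(?P<task>.*?)(?: allowed to (?P<principal>.+))?$")

def parse_delegation(text):
    """Return one dict per delegation template: task, principal, Status, ..."""
    records, current = [], None
    for raw in text.splitlines():
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if not line or indent == 0:
            continue                      # header lines
        if indent >= 8 and ":" in line:   # detail line: "Key: value"
            key, value = (s.strip() for s in line.split(":", 1))
            current[key] = value
        else:                             # task title line (indent 4)
            if current is not None and "Status" not in current:
                line = records.pop()["title"] + " " + line  # wrapped title
            current = {"title": line}
            records.append(current)
    for rec in records:
        m = TITLE_RE.match(rec["title"])
        rec["task"], rec["principal"] = m.group("task"), m.group("principal")
    return records

def needs_attention(records):
    """Templates that are broken (MISCONFIGURED) or not delegated at all (NOT PRESENT)."""
    return [(r["task"], r["Status"]) for r in records if r["Status"] != "OK"]
```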

Comparisons with Schema Default Permissions

To verify whether an Active Directory object retains all the permissions that were set at the moment of its creation, use a command similar to the following:

    C:\>acldiag "OU=Staff, DC=net, DC=dom" /schema /skip
    Security Diagnosis for OU=Staff, DC=net, DC=dom
    Schema Defaults Diagnosis
            Schema defaults: Present
            Obtained        : At CREATION

In the case shown, the tool reports that the object has kept all the permissions assigned upon its creation. If some permission has been removed, the tool displays the message:

    Schema defaults: Partial 

To see the default (schema) permissions on a directory object, you should refer to the Schema partition. For an OU object, use a command similar to the following:

    C:\>acldiag "CN=Organizational-Unit, CN=Schema, CN=Configuration, DC=net, DC=dom"

Windows .NET Server 2003 Domains & Active Directory
ISBN: 1931769001
Year: 2002
Pages: 154