Posts Tagged ‘Active Directory’
Posted by chrisbeams on May 12, 2009
I wonder how many people out there have a proven domain and/or forest recovery process. We can all follow the MS white paper but it’s a lengthy process. What happens if your company wants a 4 hour turnaround of a multi-domain, globally distributed forest? How likely is domain or forest failure anyhow? I think a schema change is a possibility but a very remote one. I guess more likely is user error, deleting an OU perhaps.
So really we need object recovery, and potentially worst case scenario recovery for a corrupt schema.
I have used the Quest product and also normal ntbackup. The Quest product is very cool but also costs money, which in these times is tricky.
I am going to have a play in my VM lab at home and upload my results.
Cheers
Chris
Posted in Active Directory | Tagged: Active Directory, Recovery | 3 Comments »
Posted by chrisbeams on May 10, 2009
There are four main components of a security descriptor in SDDL: owner (O:), primary group (G:), DACL (D:), and SACL (S:).
O:owner_sid
G:group_sid
D:dacl_flags(string_ace1)(string_ace2)… (string_acen)
S:sacl_flags(string_ace1)(string_ace2)… (string_acen)
For example:
“O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)S:(AU;SAFA;WDWOSDWPCCDCSW;;;WD)”
Owner = AO (Account Operators)
Group = DA (Domain Admins)
DACL = everything between D: and S:, i.e. the first bracketed ACE
SACL = everything after S:, i.e. the second bracketed ACE
So this gives you:
Revision: 0x00000001
Control: 0x0004
SE_DACL_PRESENT
Owner: (S-1-5-32-548)
PrimaryGroup: (S-1-5-21-397955417-626881126-188441444-512)
DACL
Revision: 0x02
Size: 0x001c
AceCount: 0x0001
Ace[00]
AceType: 0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceSize: 0x0014
InheritFlags: 0x00
Access Mask: 0x100e003f
READ_CONTROL
WRITE_DAC
WRITE_OWNER
GENERIC_ALL
Others(0x0000003f)
Ace Sid : (S-1-0-0)
SACL
Revision: 0x02
Size: 0x001c
AceCount: 0x0001
Ace[00]
AceType: 0x02 (SYSTEM_AUDIT_ACE_TYPE)
AceSize: 0x0014
InheritFlags: 0xc0
SUCCESSFUL_ACCESS_ACE_FLAG
FAILED_ACCESS_ACE_FLAG
Access Mask: 0x000d002b
DELETE
WRITE_DAC
WRITE_OWNER
Others(0x0000002b)
Ace Sid: (S-1-1-0)
Posted in Active Directory | Tagged: Active Directory, Security Descriptor | 1 Comment »
Posted by chrisbeams on May 10, 2009
The inherited object type field shows the class of object the ACE applies to (user, group, print queue and so on) as a schema class GUID, for example:
Inherited object type: user – bf967aba-0de6-11d0-a285-00aa003049e2
or
Inherited object type: group – bf967a9c-0de6-11d0-a285-00aa003049e2
Posted in Active Directory | Tagged: Active Directory, Security Descriptor | Leave a Comment »
Posted by chrisbeams on May 10, 2009
The object type field shows the attribute, property set or extended right (control access right) on the object that you are permissioned on, e.g.:
CR;ab721a53-1e2f-11d0-9819-00aa0040529b | Change password
CR;00299570-246d-11d0-a768-00aa006e0529 | Reset password
or, as LDP displays it:
Object Ace Type: Reset Password – 00299570-246d-11d0-a768-00aa006e0529
Posted in Active Directory | Tagged: Active Directory, Security Descriptor | Leave a Comment »
Posted by chrisbeams on May 10, 2009
ACE type string | Constant in Sddl.h | AceType value
“A” | SDDL_ACCESS_ALLOWED | ACCESS_ALLOWED_ACE_TYPE
“D” | SDDL_ACCESS_DENIED | ACCESS_DENIED_ACE_TYPE
“OA” | SDDL_OBJECT_ACCESS_ALLOWED | ACCESS_ALLOWED_OBJECT_ACE_TYPE
“OD” | SDDL_OBJECT_ACCESS_DENIED | ACCESS_DENIED_OBJECT_ACE_TYPE
“AU” | SDDL_AUDIT | SYSTEM_AUDIT_ACE_TYPE
“AL” | SDDL_ALARM | SYSTEM_ALARM_ACE_TYPE
“OU” | SDDL_OBJECT_AUDIT | SYSTEM_AUDIT_OBJECT_ACE_TYPE
“OL” | SDDL_OBJECT_ALARM | SYSTEM_ALARM_OBJECT_ACE_TYPE
Posted in Active Directory | Tagged: Active Directory, Security Descriptor | Leave a Comment »
Posted by chrisbeams on May 10, 2009
ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
All of these fields are explained in the other posts. Not every field has to contain data; for example:
(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)
creates
AceType: 0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceFlags: 0x00
Access Mask: 0x100e003f
READ_CONTROL
WRITE_DAC
WRITE_OWNER
GENERIC_ALL
Other access rights(0x0000003f)
Ace Sid : (S-1-0-0)
Posted in Active Directory | Tagged: Active Directory, Security Descriptor | Leave a Comment »
Posted by chrisbeams on May 10, 2009
So we have what is applied from where; now, what possible permissions can you have? These are the directory-specific rights. The example descriptor above also uses the standard rights RC (READ_CONTROL), SD (DELETE), WD (WRITE_DAC), WO (WRITE_OWNER) and the generic right GA (GENERIC_ALL) in the same rights field.
Access rights string | Constant in Sddl.h | Access right value
“RP” | SDDL_READ_PROPERTY | ADS_RIGHT_DS_READ_PROP
“WP” | SDDL_WRITE_PROPERTY | ADS_RIGHT_DS_WRITE_PROP
“CC” | SDDL_CREATE_CHILD | ADS_RIGHT_DS_CREATE_CHILD
“DC” | SDDL_DELETE_CHILD | ADS_RIGHT_DS_DELETE_CHILD
“LC” | SDDL_LIST_CHILDREN | ADS_RIGHT_ACTRL_DS_LIST
“SW” | SDDL_SELF_WRITE | ADS_RIGHT_DS_SELF
“LO” | SDDL_LIST_OBJECT | ADS_RIGHT_DS_LIST_OBJECT
“DT” | SDDL_DELETE_TREE | ADS_RIGHT_DS_DELETE_TREE
“CR” | SDDL_CONTROL_ACCESS | ADS_RIGHT_DS_CONTROL_ACCESS
Posted in Active Directory | Tagged: Active Directory, Security Descriptor | Leave a Comment »
Posted by chrisbeams on May 10, 2009
An ACE flag describes how an ACE is inherited by child objects and, for audit ACEs, whether successful or failed access attempts are audited:
ACE flags string | Constant in Sddl.h | AceFlag value
“CI” | SDDL_CONTAINER_INHERIT | CONTAINER_INHERIT_ACE
“OI” | SDDL_OBJECT_INHERIT | OBJECT_INHERIT_ACE
“NP” | SDDL_NO_PROPAGATE | NO_PROPAGATE_INHERIT_ACE
“IO” | SDDL_INHERIT_ONLY | INHERIT_ONLY_ACE
“ID” | SDDL_INHERITED | INHERITED_ACE
“SA” | SDDL_AUDIT_SUCCESS | SUCCESSFUL_ACCESS_ACE_FLAG
“FA” | SDDL_AUDIT_FAILURE | FAILED_ACCESS_ACE_FLAG
Posted in Active Directory | Tagged: Active Directory, Security Descriptor | Leave a Comment »
Posted by chrisbeams on May 10, 2009
Trying to understand how a DACL breaks down on an OU, for example:
Access_Allowed_ACE = gives permissions on the whole object
Access_Allowed_Object_ACE = gives permissions on an object class, property set, property or extended right
So if you look in LDP:
An Access_Allowed_ACE will only have an Object Ace Sid, referring to the group that has the permission:
Object Ace Sid: DOMAINA\Domain Admins S-1-5-21-xxxx
An Access_Allowed_Object_ACE will have an Object Ace Sid referring to the group that has the permission, plus an Object Ace Type showing what the permission applies to:
Object Ace Type: computer – bf967a86-0de6-11d0-a285-00aa003049e2
Object Ace Sid: S-1-5-32-548
Posted in Active Directory | Tagged: ACE, Active Directory | Leave a Comment »
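The following is an added example and not code from any of the posts above. It pulls together the security descriptor, ACE string, ACE type, rights, ACE flags and object ACE posts into one decoder for the SDDL string form: it splits the O:/G:/D:/S: components, parses each six-field ACE, turns the rights and flag codes into the access mask and AceFlags values, expands SID aliases, and maps the schema class and extended-right GUIDs quoted on the page to names. Its tables contain only what the posts list plus the standard/generic rights (SD, RC, WD, WO, GA, GR) that the worked example string uses; the default domain SID is the one from the decoded output above and is only used to expand domain-relative aliases such as DA. Any other alias, right or GUID would have to be added to the tables.

```python
"""Decode the SDDL string form of an AD security descriptor (added example, not from the posts).
Tables hold the ACE types, rights, flags, GUIDs and SID aliases quoted in the posts plus the
standard/generic rights used by the worked example string; the default domain SID is the one
from the decoded output on the page and is only used to expand domain-relative aliases."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ACE_TYPES = {"A": "ACCESS_ALLOWED_ACE_TYPE", "D": "ACCESS_DENIED_ACE_TYPE",
             "OA": "ACCESS_ALLOWED_OBJECT_ACE_TYPE", "OD": "ACCESS_DENIED_OBJECT_ACE_TYPE",
             "AU": "SYSTEM_AUDIT_ACE_TYPE", "AL": "SYSTEM_ALARM_ACE_TYPE",
             "OU": "SYSTEM_AUDIT_OBJECT_ACE_TYPE", "OL": "SYSTEM_ALARM_OBJECT_ACE_TYPE"}
ACE_FLAGS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08, "ID": 0x10,
             "SA": 0x40, "FA": 0x80}                        # bits of the AceFlags byte
RIGHTS = {  # SDDL code -> (bit in the 32-bit access mask, constant name)
    "CC": (0x001, "ADS_RIGHT_DS_CREATE_CHILD"), "DC": (0x002, "ADS_RIGHT_DS_DELETE_CHILD"),
    "LC": (0x004, "ADS_RIGHT_ACTRL_DS_LIST"), "SW": (0x008, "ADS_RIGHT_DS_SELF"),
    "RP": (0x010, "ADS_RIGHT_DS_READ_PROP"), "WP": (0x020, "ADS_RIGHT_DS_WRITE_PROP"),
    "DT": (0x040, "ADS_RIGHT_DS_DELETE_TREE"), "LO": (0x080, "ADS_RIGHT_DS_LIST_OBJECT"),
    "CR": (0x100, "ADS_RIGHT_DS_CONTROL_ACCESS"),
    "SD": (0x00010000, "DELETE"), "RC": (0x00020000, "READ_CONTROL"),
    "WD": (0x00040000, "WRITE_DAC"), "WO": (0x00080000, "WRITE_OWNER"),
    "GA": (0x10000000, "GENERIC_ALL"), "GR": (0x80000000, "GENERIC_READ")}
RIGHT_BITS = {code: bit for code, (bit, _) in RIGHTS.items()}
GUIDS = {"bf967aba-0de6-11d0-a285-00aa003049e2": "user",              # schema classes
         "bf967a9c-0de6-11d0-a285-00aa003049e2": "group",
         "bf967a86-0de6-11d0-a285-00aa003049e2": "computer",
         "ab721a53-1e2f-11d0-9819-00aa0040529b": "Change password",   # extended rights
         "00299570-246d-11d0-a768-00aa006e0529": "Reset password"}
SID_ALIASES = {"AO": "S-1-5-32-548", "BA": "S-1-5-32-544", "WD": "S-1-1-0", "SY": "S-1-5-18",
               "DA": "{domain}-512", "DU": "{domain}-513", "DC": "{domain}-515", "DD": "{domain}-516"}
PAGE_DOMAIN_SID = "S-1-5-21-397955417-626881126-188441444"   # from the decoded output above

@dataclass
class Ace:
    ace_type: str
    flags: int
    mask: int
    sid: str
    object_type: Optional[str] = None              # only present in OA/OD/OU/OL ACEs
    inherited_object_type: Optional[str] = None

@dataclass
class SecurityDescriptor:
    owner: Optional[str] = None
    group: Optional[str] = None
    dacl_flags: str = ""                           # ACL control flags such as P, AI, AR
    dacl: List[Ace] = field(default_factory=list)
    sacl_flags: str = ""
    sacl: List[Ace] = field(default_factory=list)

def _or_codes(text: str, table: dict) -> int:
    """OR the bits of consecutive two-letter codes; an unknown code raises KeyError rather
    than being silently dropped, so a typo cannot make an ACE look narrower than it is."""
    mask = 0
    for i in range(0, len(text), 2):
        mask |= table[text[i:i + 2]]
    return mask

def parse_rights(text: str) -> int:
    """'RPWPCC' or a literal such as '0x1200a9' -> access mask (empty string -> 0)."""
    return int(text, 0) if text[:2] == "0x" or text.isdigit() else _or_codes(text, RIGHT_BITS)

def decode_mask(mask: int) -> List[str]:
    """Access mask -> names of the rights that are set (the list under 'Access Mask' above)."""
    return [name for bit, name in RIGHTS.values() if mask & bit]

def resolve_sid(text: str, domain_sid: str) -> str:
    """Expand a two-letter alias (domain-relative ones get the domain SID); literal SIDs pass through."""
    return text if text.startswith("S-1-") else SID_ALIASES[text].format(domain=domain_sid)

def parse_ace(text: str, domain_sid: str = PAGE_DOMAIN_SID) -> Ace:
    """One ACE without its brackets: ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid."""
    parts = text.split(";")
    if len(parts) != 6 or parts[0] not in ACE_TYPES:
        raise ValueError(f"malformed ACE {text!r}")
    ace_type, flags, rights, obj, inh_obj, sid = parts
    return Ace(ACE_TYPES[ace_type], _or_codes(flags, ACE_FLAGS), parse_rights(rights),
               resolve_sid(sid, domain_sid), GUIDS.get(obj.lower(), obj) or None,
               GUIDS.get(inh_obj.lower(), inh_obj) or None)   # empty GUID field -> None

def parse_acl(text: str, domain_sid: str):
    """'PAI(A;;...)(A;;...)' -> (acl control flags, [Ace, ...])."""
    acl_flags, _, _ = text.partition("(")
    return acl_flags, [parse_ace(a, domain_sid) for a in re.findall(r"\(([^)]*)\)", text)]

def parse_sddl(sddl: str, domain_sid: str = PAGE_DOMAIN_SID) -> SecurityDescriptor:
    """Split the O:/G:/D:/S: components; a colon never occurs inside an ACE or SID."""
    sd = SecurityDescriptor()
    marks = list(re.finditer(r"([OGDS]):", sddl))
    if not marks or marks[0].start() != 0:
        raise ValueError("SDDL must start with O:, G:, D: or S:")
    for i, m in enumerate(marks):
        body = sddl[m.end():marks[i + 1].start() if i + 1 < len(marks) else len(sddl)]
        if m.group(1) == "O":
            sd.owner = resolve_sid(body, domain_sid)
        elif m.group(1) == "G":
            sd.group = resolve_sid(body, domain_sid)
        elif m.group(1) == "D":
            sd.dacl_flags, sd.dacl = parse_acl(body, domain_sid)
        else:
            sd.sacl_flags, sd.sacl = parse_acl(body, domain_sid)
    return sd
```

Feeding it the page's example string reproduces the decoded output above: owner S-1-5-32-548, primary group ending in -512, one allow ACE with mask 0x100e003f for S-1-0-0, and one audit ACE with AceFlags 0xc0 (SA and FA) and mask 0x000d002b for Everyone (S-1-1-0). An OA ACE such as (OA;CIIO;CR;00299570-…;bf967aba-…;AO) comes back with the extended right resolved to “Reset password” and the inherited object type to “user”, which is the distinction the last post above draws between a plain ACE and an object ACE. Rights written as a hex literal are accepted, and an unknown right or flag code raises instead of being ignored, which matters whenever the decoded mask feeds a decision about what an ACE actually grants.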
Posted by chrisbeams on May 10, 2009
Whilst working out user controls (see previous post) I thought I would put something up for sAMAccountType values as well ….
sAMAccountType is a single-valued, indexed attribute that is also replicated to the global catalog; its value identifies the kind of SAM account object (user, computer, trust, group or alias):
268435456 SAM_GROUP_OBJECT
268435457 SAM_NON_SECURITY_GROUP_OBJECT
536870912 SAM_ALIAS_OBJECT
536870913 SAM_NON_SECURITY_ALIAS_OBJECT
805306368 SAM_NORMAL_USER_ACCOUNT
805306369 SAM_MACHINE_ACCOUNT
805306370 SAM_TRUST_ACCOUNT
1073741824 SAM_APP_BASIC_GROUP
1073741825 SAM_APP_QUERY_GROUP
2147483647 SAM_ACCOUNT_TYPE_MAX
Posted in Active Directory | Tagged: Active Directory, sAMAccountType | Leave a Comment »
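Two small helpers as an added example, not code from the post: decode() splits a value into the object family carried in the top four bits and the subtype in the low 28 bits (which is why 805306368 and 805306369 differ only in the last digit), and ldap_filter() builds the equality filter that searches on this attribute. The value table is the one listed above; the bit layout is the only assumption made, and the SAM_ACCOUNT_TYPE_MAX entry is treated as an upper bound rather than a type.

```python
"""sAMAccountType helpers (added example, not from the post). The value table is the one
listed above; splitting a value into a high-nibble object family and a low-order subtype
is how those constants are laid out and is the only assumption made here."""
from typing import Tuple

SAM_ACCOUNT_TYPES = {
    0x10000000: "SAM_GROUP_OBJECT", 0x10000001: "SAM_NON_SECURITY_GROUP_OBJECT",
    0x20000000: "SAM_ALIAS_OBJECT", 0x20000001: "SAM_NON_SECURITY_ALIAS_OBJECT",
    0x30000000: "SAM_NORMAL_USER_ACCOUNT", 0x30000001: "SAM_MACHINE_ACCOUNT",
    0x30000002: "SAM_TRUST_ACCOUNT",
    0x40000000: "SAM_APP_BASIC_GROUP", 0x40000001: "SAM_APP_QUERY_GROUP",
}
SAM_ACCOUNT_TYPE_MAX = 0x7FFFFFFF          # 2147483647: an upper bound, not a real type
FAMILIES = {0x1: "group", 0x2: "alias (domain local group)",
            0x3: "account (user, machine or trust)", 0x4: "application group"}
_BY_NAME = {name: value for value, name in SAM_ACCOUNT_TYPES.items()}


def decode(value: int) -> Tuple[str, str, int]:
    """-> (constant name or 'UNKNOWN', object family, subtype). Bits 28-31 select the family
    and the low 28 bits the subtype, e.g. 805306369 = 0x30000001 = account family, subtype 1."""
    if not 0 <= value <= SAM_ACCOUNT_TYPE_MAX:
        raise ValueError(f"sAMAccountType out of range: {value}")
    return (SAM_ACCOUNT_TYPES.get(value, "UNKNOWN"),
            FAMILIES.get(value >> 28, "unknown"), value & 0x0FFFFFFF)


def ldap_filter(*names: str) -> str:
    """Equality filter on sAMAccountType for one or more type names (OR-ed when several).
    The attribute is indexed and in the GC, so this evaluates cheaply on a DC or GC server."""
    if not names:
        raise ValueError("at least one sAMAccountType name is required")
    clauses = "".join(f"(sAMAccountType={_BY_NAME[name]})" for name in names)
    return clauses if len(names) == 1 else f"(|{clauses})"
```

decode(805306369) returns ("SAM_MACHINE_ACCOUNT", "account (user, machine or trust)", 1), and ldap_filter("SAM_NORMAL_USER_ACCOUNT", "SAM_MACHINE_ACCOUNT") gives (|(sAMAccountType=805306368)(sAMAccountType=805306369)), which matches every user and computer account without touching objectClass. A value whose family is known but whose subtype is not in the table decodes to UNKNOWN with the family still reported, rather than being misattributed to a neighbouring type.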