Chris Beams’s Blog

Active Directory and more….

Posts Tagged ‘Active Directory’

Active Directory – Recovery

Posted by chrisbeams on May 12, 2009

I wonder how many people out there have a proven domain and/or forest recovery process. We can all follow the MS white paper, but it's a lengthy process. What happens if your company wants a 4-hour turnaround on a multi-domain, globally distributed forest? How likely is domain or forest failure anyhow? I think a schema change is a possibility, but a very remote one. I guess more likely is user error, deleting an OU perhaps.

So really we need object recovery, and potentially worst-case-scenario recovery for a corrupt schema.

I have used the Quest product and also normal ntbackup. The Quest product is very cool but also costs money, which in these times is tricky.

I am going to have a play in my VM lab at home and upload my results.

Cheers
Chris

Posted in Active Directory | Tagged: , | 3 Comments »

Security Descriptor – String Format

Posted by chrisbeams on May 10, 2009

The string form of a security descriptor has four main components: owner (O:), primary group (G:), DACL (D:) and SACL (S:). The DACL and SACL sections start with optional flags (P, AI, AR) and then one bracketed ACE string per ACE; the flags may be absent, as in the example below.

O:owner_sid
G:group_sid
D:dacl_flags(string_ace1)(string_ace2)… (string_acen)
S:sacl_flags(string_ace1)(string_ace2)… (string_acen)

for example

“O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)S:(AU;SAFA;WDWOSDWPCCDCSW;;;WD)”

Owner = AO, Account Operators (S-1-5-32-548)

Group = DA, Domain Admins (RID 512 in the local domain)

DACL = the D: section; each bracketed group is one ACE, here a single access-allowed ACE granting RP, WP, CC, DC, LC, SW, RC, WD, WO and GA to S-1-0-0 (the NULL SID)

SACL = the ACEs after S:, here a single audit ACE (AU) for success and failure (SAFA) against Everyone (WD)

Decoded, this gives you:

 Revision:  0x00000001
    Control:   0x0004
        SE_DACL_PRESENT
    Owner: (S-1-5-32-548)
    PrimaryGroup: (S-1-5-21-397955417-626881126-188441444-512)
DACL
    Revision: 0x02
    Size:     0x001c
    AceCount: 0x0001
    Ace[00]
        AceType:       0x00 (ACCESS_ALLOWED_ACE_TYPE)
        AceSize:       0x0014
        InheritFlags:  0x00
        Access Mask:   0x100e003f
                            READ_CONTROL
                            WRITE_DAC
                            WRITE_OWNER
                            GENERIC_ALL
                            Others(0x0000003f)
        Ace Sid      : (S-1-0-0)
SACL
    Revision: 0x02
    Size:     0x001c
    AceCount: 0x0001
    Ace[00]
        AceType:       0x02 (SYSTEM_AUDIT_ACE_TYPE)
        AceSize:       0x0014
        InheritFlags:  0xc0
            SUCCESSFUL_ACCESS_ACE_FLAG
            FAILED_ACCESS_ACE_FLAG
        Access Mask:   0x000d002b
                            DELETE
                            WRITE_DAC
                            WRITE_OWNER
                            Others(0x0000002b)
        Ace Sid:       (S-1-1-0)

Posted in Active Directory | Tagged: , | 1 Comment »

Security Descriptor – inherit_object_guid or Inherited object type

Posted by chrisbeams on May 10, 2009

The inherit_object_guid field (shown by LDP as "Inherited object type") names the class of child object the ACE applies to, e.g. user, group, computer or print queue. It is the schema GUID of the class, so it tells you which kind of object the permission is on:

Inherited object type: user – bf967aba-0de6-11d0-a285-00aa003049e2

or

Inherited object type: group – bf967a9c-0de6-11d0-a285-00aa003049e2

Posted in Active Directory | Tagged: , | Leave a Comment »

Security Descriptor – object_guid type or Object Ace Type

Posted by chrisbeams on May 10, 2009

The object_guid field (shown by LDP as "Object Ace Type") names the property, property set or extended right the ACE covers, rather than the whole object. Change password and Reset password are extended rights, so they appear with CR (control access) in the rights field, e.g.:

CR;ab721a53-1e2f-11d0-9819-00aa0040529b Change password
CR;00299570-246d-11d0-a768-00aa006e0529 Reset password

or

Object Ace Type:  Reset Password – 00299570-246d-11d0-a768-00aa006e0529 (as displayed in LDP)

Posted in Active Directory | Tagged: , | Leave a Comment »

Active Directory – Security Descriptor – ace_type

Posted by chrisbeams on May 10, 2009

“A” SDDL_ACCESS_ALLOWED ACCESS_ALLOWED_ACE_TYPE
“D” SDDL_ACCESS_DENIED ACCESS_DENIED_ACE_TYPE
“OA” SDDL_OBJECT_ACCESS_ALLOWED ACCESS_ALLOWED_OBJECT_ACE_TYPE
“OD” SDDL_OBJECT_ACCESS_DENIED ACCESS_DENIED_OBJECT_ACE_TYPE
“AU” SDDL_AUDIT SYSTEM_AUDIT_ACE_TYPE
“AL” SDDL_ALARM SYSTEM_ALARM_ACE_TYPE
“OU” SDDL_OBJECT_AUDIT SYSTEM_AUDIT_OBJECT_ACE_TYPE
“OL” SDDL_OBJECT_ALARM SYSTEM_ALARM_OBJECT_ACE_TYPE

Posted in Active Directory | Tagged: , | Leave a Comment »

Active Directory – Security Descriptor – ace strings in a security descriptor

Posted by chrisbeams on May 10, 2009

  

ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
Each field is explained in the previous posts; they do not all have to contain data. For example:
(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)
creates
AceType:       0x00 (ACCESS_ALLOWED_ACE_TYPE)
AceFlags:      0x00
Access Mask:   0x100e003f
                    READ_CONTROL
                    WRITE_DAC
                    WRITE_OWNER
                    GENERIC_ALL
                    Other access rights(0x0000003f)
Ace Sid      : (S-1-0-0)

Posted in Active Directory | Tagged: , | Leave a Comment »

Active Directory – Security Descriptor – ace rights

Posted by chrisbeams on May 10, 2009

So we have what is applied from where; now, what permissions can an ACE carry? The DS-specific rights are:
“RP” SDDL_READ_PROPERTY ADS_RIGHT_DS_READ_PROP
“WP” SDDL_WRITE_PROPERTY ADS_RIGHT_DS_WRITE_PROP
“CC” SDDL_CREATE_CHILD ADS_RIGHT_DS_CREATE_CHILD
“DC” SDDL_DELETE_CHILD ADS_RIGHT_DS_DELETE_CHILD
“LC” SDDL_LIST_CHILDREN ADS_RIGHT_ACTRL_DS_LIST
“SW” SDDL_SELF_WRITE ADS_RIGHT_DS_SELF
“LO” SDDL_LIST_OBJECT ADS_RIGHT_DS_LIST_OBJECT
“DT” SDDL_DELETE_TREE ADS_RIGHT_DS_DELETE_TREE
“CR” SDDL_CONTROL_ACCESS ADS_RIGHT_DS_CONTROL_ACCESS

The example strings on this page also use standard and generic rights, which have their own SDDL tokens:
“SD” SDDL_STANDARD_DELETE DELETE
“RC” SDDL_READ_CONTROL READ_CONTROL
“WD” SDDL_WRITE_DAC WRITE_DAC
“WO” SDDL_WRITE_OWNER WRITE_OWNER
“GA” SDDL_GENERIC_ALL GENERIC_ALL
(GR, GW and GX cover GENERIC_READ, GENERIC_WRITE and GENERIC_EXECUTE in the same way.)

Posted in Active Directory | Tagged: , | Leave a Comment »

Active Directory – Security Descriptor – ace_flags

Posted by chrisbeams on May 10, 2009

An ACE flag describes how an ACE is inherited by child objects and, for audit ACEs, which outcomes (success, failure or both) are audited.

ACE flags string / Constant in Sddl.h / AceFlag value

“CI” SDDL_CONTAINER_INHERIT CONTAINER_INHERIT_ACE
“OI” SDDL_OBJECT_INHERIT OBJECT_INHERIT_ACE
“NP” SDDL_NO_PROPAGATE NO_PROPAGATE_INHERIT_ACE
“IO” SDDL_INHERIT_ONLY INHERIT_ONLY_ACE
“ID” SDDL_INHERITED INHERITED_ACE
“SA” SDDL_AUDIT_SUCCESS SUCCESSFUL_ACCESS_ACE_FLAG
“FA” SDDL_AUDIT_FAILURE FAILED_ACCESS_ACE_FLAG
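The string format, ACE layout, ACE types, rights, flags and object/inherited-object GUIDs in the posts above are enough to write a parser. The following Python is an added example, not code from the original posts: it tables the values those posts list and rebuilds the AceType, AceFlags and Access Mask values that the LDP dump above shows. The function and class names (parse_sddl, parse_ace, parse_tokens, resolve_sid, Ace) are my own; the domain SID is taken from the dump's PrimaryGroup; only the SID aliases and GUIDs used on this page (plus BA and DU) are tabled; the OA ACE at the bottom is a constructed one, not from the page.

```python
import re
from dataclasses import dataclass

# Added example: an SDDL parser built from the tables in the posts above.
ACE_TYPES = {"A": 0x00, "D": 0x01, "AU": 0x02, "AL": 0x03,
             "OA": 0x05, "OD": 0x06, "OU": 0x07, "OL": 0x08}
ACE_FLAGS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08,
             "ID": 0x10, "SA": 0x40, "FA": 0x80}
RIGHTS = {  # DS-specific rights, then the standard/generic ones the examples also use
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
MASK_NAMES = ((0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"),
              (0x80000, "WRITE_OWNER"), (0x10000000, "GENERIC_ALL"))
GUID_NAMES = {  # only the class and extended-right GUIDs quoted on this page
    "bf967aba-0de6-11d0-a285-00aa003049e2": "user",
    "bf967a9c-0de6-11d0-a285-00aa003049e2": "group",
    "bf967a86-0de6-11d0-a285-00aa003049e2": "computer",
    "ab721a53-1e2f-11d0-9819-00aa0040529b": "Change password",
    "00299570-246d-11d0-a768-00aa006e0529": "Reset password",
}
WELL_KNOWN_SIDS = {"AO": "S-1-5-32-548", "BA": "S-1-5-32-544", "WD": "S-1-1-0"}
DOMAIN_RIDS = {"DA": 512, "DU": 513}  # domain-relative aliases need the domain SID
SECTION = re.compile(r"(?=[OGDS]:)")   # a colon only ever follows a section marker


@dataclass
class Ace:
    ace_type: int
    flags: int
    mask: int
    object_type: str            # object_guid: property, property set or extended right
    inherited_object_type: str  # inherit_object_guid: class of child object
    sid: str

    def rights(self):
        """Access Mask broken down the way the LDP dump above prints it."""
        names = [name for bit, name in MASK_NAMES if self.mask & bit]
        if self.mask & 0xFFFF:
            names.append(f"Others(0x{self.mask & 0xFFFF:08x})")
        return names

    def describe(self):  # (Object Ace Type, Inherited object type) as LDP labels them
        return (GUID_NAMES.get(self.object_type, self.object_type or "-"),
                GUID_NAMES.get(self.inherited_object_type, self.inherited_object_type or "-"))


def resolve_sid(token, domain_sid=""):
    if token.startswith("S-1-"):
        return token
    if token in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[token]
    if token in DOMAIN_RIDS and domain_sid:
        return f"{domain_sid}-{DOMAIN_RIDS[token]}"
    raise ValueError(f"cannot resolve SID alias {token!r}")


def parse_tokens(text, table):
    """OR together two-letter tokens (rights or flags); a 0x mask passes through."""
    if text.startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError(f"odd-length token string {text!r}")
    value = 0
    for i in range(0, len(text), 2):
        value |= table[text[i:i + 2]]  # KeyError names the unknown token
    return value


def parse_ace(text, domain_sid=""):
    """ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid"""
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields in ACE {text!r}")
    ace_type, flags, rights, obj, inh, sid = fields
    return Ace(ACE_TYPES[ace_type], parse_tokens(flags, ACE_FLAGS),
               parse_tokens(rights, RIGHTS), obj.lower(), inh.lower(),
               resolve_sid(sid, domain_sid))


def parse_sddl(sddl, domain_sid=""):
    """Split O:/G:/D:/S: sections and parse every bracketed ACE in D: and S:."""
    sd = {"owner": "", "group": "", "dacl_flags": "", "dacl": [], "sacl_flags": "", "sacl": []}
    for seg in filter(None, SECTION.split(sddl)):
        key, body = seg[0], seg[2:]
        if seg[1:2] != ":" or key not in "OGDS":
            raise ValueError(f"unexpected text {seg!r}")
        if key in "OG":
            sd["owner" if key == "O" else "group"] = resolve_sid(body, domain_sid)
        else:
            name = "dacl" if key == "D" else "sacl"
            sd[name + "_flags"] = body.split("(", 1)[0]
            sd[name] = [parse_ace(a, domain_sid) for a in re.findall(r"\(([^)]*)\)", body)]
    return sd


if __name__ == "__main__":
    sd = parse_sddl("O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)S:(AU;SAFA;WDWOSDWPCCDCSW;;;WD)",
                    "S-1-5-21-397955417-626881126-188441444")  # domain SID from the dump above
    for label in ("dacl", "sacl"):
        for ace in sd[label]:
            print(label.upper(), f"0x{ace.ace_type:02x} 0x{ace.flags:02x} 0x{ace.mask:08x}", ace.rights(), ace.sid)
    # Constructed OA ACE: Reset password, on user objects, for Account Operators
    oa = parse_ace("OA;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;AO")
    print(oa.describe())
```

Run against the example string from the String Format post, the DACL ACE comes back as type 0x00, flags 0x00, mask 0x100e003f and the SACL ACE as type 0x02, flags 0xc0, mask 0x000d002b, matching the dump. Two things to watch when you use something like this for real: a domain-relative alias such as DA cannot be expanded without the domain SID (the parser refuses rather than guessing), and any rights or flag token not in the tables raises rather than being silently dropped, which is what you want when auditing a descriptor.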

Posted in Active Directory | Tagged: , | Leave a Comment »

Security Descriptor – ACE – Access to objects in Active Directory – the basics

Posted by chrisbeams on May 10, 2009

Trying to understand how the DACL on an OU, for example, breaks down:

Access_Allowed_ACE = grants permissions on the whole object

Access_Allowed_object_ACE = grants permissions on an object, property set, property or extended right, optionally limited to one class of child object

So if you look in LDP:

An Access_Allowed_ACE will only have an Object Ace Sid, referring to the principal that has the permission:

Object Ace Sid:   DOMAINA\Domain Admins S-1-5-21-xxxx

An Access_Allowed_object_ACE will have an Object Ace Sid referring to the principal that has the permission, and an Object Ace Type (and/or Inherited object type) GUID showing what the permission applies to:

Object Ace Type:  computer – bf967a86-0de6-11d0-a285-00aa003049e2
Object Ace Sid:   S-1-5-32-548

Posted in Active Directory | Tagged: , | Leave a Comment »

Active Directory – sAMAccountType

Posted by chrisbeams on May 10, 2009

Whilst working out user controls (see previous post) I thought I would put something up for sAMAccountType values as well.

sAMAccountType is a single-valued, indexed attribute (present in the GC) that identifies what kind of SAM account an object is (user, computer, trust, group or alias). Because it is indexed, (sAMAccountType=805306368) is the usual LDAP filter for normal user accounts. The possible values are:

268435456 SAM_GROUP_OBJECT
268435457 SAM_NON_SECURITY_GROUP_OBJECT
536870912 SAM_ALIAS_OBJECT
536870913 SAM_NON_SECURITY_ALIAS_OBJECT
805306368 SAM_NORMAL_USER_ACCOUNT
805306369 SAM_MACHINE_ACCOUNT
805306370 SAM_TRUST_ACCOUNT
1073741824 SAM_APP_BASIC_GROUP
1073741825 SAM_APP_QUERY_GROUP
2147483647 SAM_ACCOUNT_TYPE_MAX

Posted in Active Directory | Tagged: , | Leave a Comment »