The Security Descriptor Definition Language of Love (Part 1)

Defining, The Security Descriptor Definition Language - Part 1 » D' Technology Weblog: Technology, Blogging, Tips, Tricks, Computer, Hardware, Software, Tutorials, Internet, Web, Gadgets, Fashion, LifeStyle, Entertainment, News and more by Dee

Mon, 21 Apr 2008 07:59:20 GMT

PingBack from http://www.ditii.com/2008/04/20/defining-the-security-descriptor-definition-language-part-1/

The Security Descriptor Definition Language of Love (Part 2)

Ask the Directory Services Team — Wed, 07 May 2008 19:35:57 GMT

Hi. Jim here from DS here with a follow up to my SDDL blog part I. At the end of my last post I promised

Event Logging policy settings in Windows Server 2008 and Vista

Ask the Directory Services Team — Tue, 12 Aug 2008 18:04:56 GMT

Mike here again. Today I’m focusing on policy settings for the Event Logging Service. For clarity, these

SDDL: Учимся описывать безопасность. Часть 2.

ИТ, ИБ и т.п. — Thu, 25 Sep 2008 10:36:07 GMT

В прошлом выпуске я рассказал, как строится строка SDDL, так что мы теперь можем что-то прочитать на...

re: The Security Descriptor Definition Language of Love (Part 1)

morgands — Fri, 03 Apr 2009 13:10:30 GMT

Hi Jim. Great article(s). What does the GUID part of the ACE do? When looking at some objects from my DS I see for example: (OA;;CCDC;bf967a86-0de6-11d0-a285-00aa003049e2;;AO) (This is from the defaultSecurityDescriptor attribute on the Organizational-Unit object in the Schema partition). Also on W2K8 OUs are always created with and ACE for Everyone that denies DELETE and DELETE TREE, but I cannot find those in the defaultSecurityDescriptor. Where do they come from?

Thanks.

Morgan

re: The Security Descriptor Definition Language of Love (Part 1)

zamij — Sat, 04 Apr 2009 00:48:09 GMT

Hey Morgan,

Thanks for your question. The ObjectType is a GUID representing an object class, attribute, attribute set, or extended right. If present it limits the ACE to the object the GUID represents. The GUID string uses the format returned by the UuidToString function - http://msdn.microsoft.com/en-us/library/aa379352(VS.85).aspx

The GUID in your example "BF967A86-0DE6-11D0-A285-00AA003049E2" is the "Schema-Id-Guid" for the Computer class of objects. The OA indicates - Object Access Allowed which applies to a subset of objects. The AO indicates this access is granted to "Account Operators".

I will get back to you next week on the W2K8 OU question.

Jim

re: The Security Descriptor Definition Language of Love (Part 1)

zamij — Mon, 06 Apr 2009 23:22:12 GMT

Hey Morgan,

The ACE for everyone that denies DELETE and DELETE TREE is set directly on the OU that is created at the time it is created. It can also be unchecked and is not inherited. If you open DSA.msc and enable advanced view and go to the advanced properties on the security tab you will see Everyone - Deny - Special permission. If you do not see that explicit deny ACE, go to the Object tab to make sure "Protect object from accidental deletion" is checked.

I created an OU called Test1 on a 2008 DC in my lab. I ran the following command:

DSACLS "ou=Test1,dc=Contoso,DC=Com"

The explicit deny is always returned first -

Owner: CONTOSO\Domain Admins

Group: CONTOSO\Domain Admins

Access list:

Deny Everyone SPECIAL ACCESS

DELETE

DELETE TREE

In SDDL format -

(D;;DTSD;;;WD)

I only included the SDDL for the "Everyone" group as the SDDL list is quite lengthy for an OU.

D = Deny

DT = Delete Tree

SD = Delete

WD = "Everyone"

I am glad you enjoyed the article.

For more info on this subject go here: http://technet.microsoft.com/enus/library/cc739350.aspx

Jim

re: The Security Descriptor Definition Language of Love (Part 1)

leslinger — Sat, 16 May 2009 07:02:00 GMT

Nice information on where the information is stored in the registry and how it relates to the tools we use. I also found the following articles very useful for deciphering the SDDL format and how to use it for administrative purposes. All you need to know is GR,GW,GA, and GX to grant access rights.

http://networkadminkb.com/Shared%20Documents/Understanding%20the%20SDDL%20permissions%20in%20the%20ACE_String.aspx

http://networkadminkb.com/kb/Knowledge%20Base/Windows2003/How%20to%20Read%20a%20SDDL%20String.aspx