IAM402 A Directory Services Geek’s View On Access Control Entries (ACE)


Ulf B. Simon-Weidner

You have been at my session at Tech·Ed Europe: IT Forum 2006 in Barcelona? Great, I hope you liked it, and you are always welcome to provide feedback via the "Email" link on the left side.


Here you'll find the examples and scripts which I mentioned during my session.

Stay secure: for your security, the executable scripts are provided as text documents. Only run them in your test environment, and only if you understand what they are doing.


ntSecurityDescriptor_vbs.txt: an example of displaying the properties of the ntSecurityDescriptor attribute.
MSDN: Security Descriptor Definition Language (SDDL).
Various scripting tools let you put a SID directly into an ACE, without first resolving it to an account name. One good example is SubInAcl:
subinacl /file \\server\share\test /grant=S-1-5-21-1234567890-1234567890-1234567890-99999=F
This grants Full Control to the specified SID on the remote share. When using SubInAcl, make sure you download the current version from http://www.microsoft.com/downloads/results.aspx?pocId=&freetext=subinacl.

Example Commandlines for Scripting Delegation using DSACLS:

List rights:
dsacls "ou=Berlin,ou=MyUsers,dc=example,dc=com"

Allow writing the property "lockoutTime" on user accounts (WP = write property; the trailing "user" restricts the ACE to objects of that class; /I:S makes the ACE apply to sub-objects only, not to the OU itself):
dsacls "ou=Berlin,ou=MyUsers,dc=example,dc=com" /A /G example\usw:WP;lockoutTime;user /I:S

Allow writing the property "my-CostCenter" on user accounts (this is a custom schema extension; dsacls resolves it by its lDAPDisplayName just like a built-in attribute):
dsacls "ou=Berlin,ou=MyUsers,dc=example,dc=com" /A /G example\usw:WP;my-CostCenter;user /I:S

Allow writing the property "member" on group objects:
dsacls "ou=Berlin,ou=MyGroups,dc=example,dc=com" /A /G example\usw:WP;member;group /I:S

Keep in mind that write access to "member" is control over whatever the group grants, and that such OU-level delegations do not stick to protected accounts and groups (adminCount=1): the AdminSDHolder process resets their ACLs, so they have to stay out of delegated OUs anyway.
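The same delegation done from PowerShell, as an added example that is not part of the session materials: it uses System.DirectoryServices to add the object-specific WriteProperty ACE that the dsacls commands above create, and then reads the OU's explicit ACEs back so you can verify the scope of what you delegated. It needs PowerShell 5 or later on a domain-joined machine, run as an account that may change the OU's DACL; the OU, account, attribute and class names are the assumed ones from the examples above.

```powershell
# Added example, not part of the session materials. Assumed names: the OUs,
# 'example\usw', 'lockoutTime', 'my-CostCenter', 'member' from the dsacls examples.

Add-Type -AssemblyName System.DirectoryServices

# Resolve an attribute's or class's schemaIDGUID by lDAPDisplayName. Works the same
# for built-in (lockoutTime, member, user, group) and custom (my-CostCenter) schema
# objects; this is what dsacls does for the ";attribute;class" part of the right.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = [string]([ADSI]"LDAP://RootDSE").schemaNamingContext
    $filter   = "(&(|(objectClass=attributeSchema)(objectClass=classSchema))" +
                "(lDAPDisplayName=$LdapDisplayName))"
    $searcher = [System.DirectoryServices.DirectorySearcher]::new([ADSI]"LDAP://$schemaNc", $filter, [string[]]@('schemaIDGUID'))
    $result   = $searcher.FindOne()
    if (-not $result) { throw "No schema object with lDAPDisplayName '$LdapDisplayName'" }
    [Guid]::new([byte[]]$result.Properties['schemaidguid'][0])
}

# Equivalent of: dsacls "<OU>" /G <Identity>:WP;<Attribute>;<ObjectClass> /I:S
function Add-AttributeWriteDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDn,         # e.g. 'ou=Berlin,ou=MyUsers,dc=example,dc=com'
        [Parameter(Mandatory)][string]$Identity,     # e.g. 'example\usw'
        [Parameter(Mandatory)][string]$Attribute,    # e.g. 'lockoutTime' or 'my-CostCenter'
        [Parameter(Mandatory)][string]$ObjectClass   # e.g. 'user' or 'group'
    )
    $ou  = [ADSI]"LDAP://$OuDn"
    $sid = ([System.Security.Principal.NTAccount]$Identity).Translate([System.Security.Principal.SecurityIdentifier])
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,             # WP
        [System.Security.AccessControl.AccessControlType]::Allow,                     # /G
        (Get-SchemaGuid $Attribute),                                                  # ;attribute
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,   # /I:S
        (Get-SchemaGuid $ObjectClass))                                                # ;class
    $ou.psbase.ObjectSecurity.AddAccessRule($rule)
    $ou.psbase.CommitChanges()
}

# Read the explicit (non-inherited) ACEs on the OU and show which property and which
# object class each WriteProperty ACE is scoped to. Principals are returned as SIDs on
# purpose: an ACE whose SID no longer resolves (see the SubInAcl note above) is then
# listed as a raw S-1-5-21-... instead of failing to translate.
function Get-AttributeWriteDelegations {
    param([Parameter(Mandatory)][string]$OuDn)
    $ou    = [ADSI]"LDAP://$OuDn"
    $rules = $ou.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $wp    = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    foreach ($r in $rules) {
        if (([int]$r.ActiveDirectoryRights -band $wp) -eq 0) { continue }
        [pscustomobject]@{
            Sid            = $r.IdentityReference.Value
            Type           = $r.AccessControlType
            PropertyGuid   = $r.ObjectType            # all zeros = every property
            AppliesToClass = $r.InheritedObjectType   # all zeros = every object class
            Inheritance    = $r.InheritanceType       # Descendents = dsacls /I:S
        }
    }
}

# Usage with the (assumed) names from the dsacls examples above:
# Add-AttributeWriteDelegation 'ou=Berlin,ou=MyUsers,dc=example,dc=com'  'example\usw' 'lockoutTime' 'user'
# Add-AttributeWriteDelegation 'ou=Berlin,ou=MyGroups,dc=example,dc=com' 'example\usw' 'member'      'group'
# Get-AttributeWriteDelegations 'ou=Berlin,ou=MyUsers,dc=example,dc=com' | Format-Table
```

The read-back is the part worth keeping around: a WriteProperty ACE whose PropertyGuid is all zeros grants write on every property, not on the one you meant, and an all-zero AppliesToClass applies to every object class in the OU. Both are easy to produce by leaving out a parameter, and neither is obvious from the ADUC Security tab.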

If you want to know which rights to delegate:
Run compattrib.vbs with the distinguished name and the object type as parameters, e.g. "compattrib.vbs cn=ulf,ou=myusers,dc=example,dc=com user". When prompted, make the change to that object as an admin, then click OK. A differencing file is created that shows you the difference: which attributes were changed (and will therefore be replicated), as well as which rights are needed for that change.

After the session I got questions on how I executed my script from Active Directory Users and Computers.
To do this you just need to configure it in the configuration partition, on the display specifier for the object class, here the user class:
cn=user-Display,cn=***,cn=DisplaySpecifiers,cn=Configuration,dc=… (*** is the language code of the OS: 409 is US English, 407 is German).
Then add the following value to the attribute adminContextMenu:

1,Compare Attributes,compattrib.vbs

The "1" selects the order in which the menu items appear; pick a number that does not collide with the other values already present in this attribute. The second parameter is the text of the menu item, and the third one is the command (with path if necessary) to execute. The menu item then shows up on all user objects within ADUC across the forest; however, it can only be executed on machines where the script is available.

I recommend doing this only in a test environment or after solid testing.
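The same registration done from PowerShell, as an added example that is not part of the session materials: it appends the context-menu entry to the display specifier's adminContextMenu attribute via System.DirectoryServices, picks the next free ordinal instead of hard-coding "1" and refuses to register the same command twice. The language ID 409 and the script name are assumptions; writing to the Configuration partition requires the corresponding rights (Enterprise Admins by default).

```powershell
# Added example, not part of the session materials. Assumed: language 409 (US English)
# and the script name 'compattrib.vbs' from the text above.

function Add-AdminContextMenuEntry {
    param(
        [Parameter(Mandatory)][string]$MenuText,     # text shown in the ADUC context menu
        [Parameter(Mandatory)][string]$Command,      # command ADUC runs, with path if needed
        [string]$DisplaySpecifier = 'user-Display',  # which object class gets the entry
        [string]$LanguageId       = '409'            # 409 = US English, 407 = German
    )
    $configNc = [string]([ADSI]"LDAP://RootDSE").configurationNamingContext
    $spec     = [ADSI]"LDAP://cn=$DisplaySpecifier,cn=$LanguageId,cn=DisplaySpecifiers,$configNc"

    # Existing values look like "<ordinal>,<text>,<command>" (or "<ordinal>,{CLSID}"
    # for COM extensions); the ordinal is always the first field.
    $existing = @($spec.psbase.Properties['adminContextMenu'])
    if ($existing | Where-Object { ($_ -split ',', 3)[2] -eq $Command }) {
        throw "'$Command' is already registered on $DisplaySpecifier"
    }
    $used = $existing | ForEach-Object { [int](($_ -split ',', 3)[0]) }
    $next = if ($used) { ($used | Measure-Object -Maximum).Maximum + 1 } else { 1 }

    $entry = "$next,$MenuText,$Command"
    $spec.psbase.Properties['adminContextMenu'].Add($entry) | Out-Null
    $spec.psbase.CommitChanges()
    $entry   # returns e.g. "3,Compare Attributes,compattrib.vbs"
}

# Usage (assumed names):
# Add-AdminContextMenuEntry -MenuText 'Compare Attributes' -Command 'compattrib.vbs'
```

Two things to keep in mind before running this outside a test forest: the command is executed on the workstation of whoever clicks the menu item, in that administrator's security context, and the display specifier is forest-wide. Whoever can write adminContextMenu (or can write to the location the command is loaded from) can therefore run code as every admin using ADUC. Use a full path to a location only admins can write to, and treat write access to DisplaySpecifiers like any other privileged right.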

delegwiz_add.inf: an example of extending the delegation wizard. You'll find the file to modify in the Windows directory, in the INF folder: delegwiz.inf.
ACE-Bug on WindowsServerFaq: I have an example on my website as well (I used it when demonstrating a still existing error in ADUC).

I also showed an example of extending user interfaces with delegated administration in mind. You only need to query "allowedAttributesEffective" to figure out which attributes the current user has write access to, then disable editing for the attribute values that are not in that list. For read access you need to put valid error handling in place, because this attribute says nothing about what the user may read.

[Screenshot: an example of an extended user interface with delegated administration in place]
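A way to implement that check, as an added example that is not the session's UI code: it reads allowedAttributesEffective for an object and returns, for each attribute a form would show, whether the control should be editable, together with the current value. The object DN and the field list are assumptions. Since allowedAttributesEffective is a constructed attribute computed for the caller's security context, the query has to run as the delegated user (or under that user's impersonation), not as an administrator; otherwise every attribute looks writable.

```powershell
# Added example, not part of the session materials. Assumed: the object DN and the
# attribute names used in the usage line below.

function Get-EditableAttributes {
    param(
        [Parameter(Mandatory)][string]$ObjectDn,          # object the form is editing
        [Parameter(Mandatory)][string[]]$FormAttributes   # attributes the form would show
    )
    $obj = [ADSI]"LDAP://$ObjectDn"
    # Constructed attributes are not part of the default property cache; request it
    # explicitly. The server computes it for the security context of this bind.
    $obj.psbase.RefreshCache([string[]]@('allowedAttributesEffective'))
    $writable = @($obj.psbase.Properties['allowedAttributesEffective'] | ForEach-Object { $_.ToLower() })

    foreach ($attr in $FormAttributes) {
        # Read access is not reported by allowedAttributesEffective: a value the caller
        # may not read simply comes back empty, so the UI must cope with $null here.
        $value = $null
        try { $value = $obj.psbase.Properties[$attr].Value } catch { $value = $null }
        [pscustomobject]@{
            Attribute = $attr
            Editable  = ($writable -contains $attr.ToLower())   # bind the control's Enabled state to this
            Value     = $value
        }
    }
}

# Usage (assumed names), run as the delegated user:
# Get-EditableAttributes 'cn=ulf,ou=MyUsers,dc=example,dc=com' 'lockoutTime','my-CostCenter','description'
```

Disabling the control is a usability measure, not a security control: the server enforces the ACL on the write regardless of what the form allows, so the write code still needs to handle an access-denied result.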

Also look at those sources:

The book "Active Directory" by Joe Richards and Robbie Allen (O'Reilly) is the first one I've seen providing the scripting information on how to pull ACEs. I was proud to be one of the technical reviewers of this popular book. I wish that information had been available a couple of years ago when I dived into ACLs; it would have saved me a lot of work 😉

The "Active Directory Cookbook" by Laura Hunter and Robbie Allen (O'Reilly) provides a lot of scripting examples as well.

Sakari Kouti, who wrote a great book on "Active Directory" (together with Mika Seitsonen, Addison-Wesley), has a script on his site: look at http://www.kouti.com/scripts.htm and check out his ACLReport.vbs.

Questions / Feedback

I'm happy to answer questions, but since I get a lot of mail they are not my top priority, so bear with me. However, if you want to provide feedback about the session or have additional questions, do not hesitate to contact me via the "Email" link on the left side.

Thanks for attending the sessions and for a lot of valuable feedback and discussions!


Ulf B. Simon-Weidner
