Sdcheck.exe: Security Descriptor Check Utility

This command-line tool displays the security descriptor for any object stored in Active Directory. The security descriptor contains the access control lists (ACLs) defining the permissions that users have on objects stored in Active Directory.

Notes

You must run SDCheck from the command window.
To enable administrators to determine the effective access controls on an object, SDCheck also displays the object hierarchy and any ACLs that are inherited by the object from its parent.
As changes are made to the ACLs of an object or its parent, these changes are propagated automatically by Active Directory. SDCheck displays the security descriptor propagation metadata, so that administrators can monitor these changes with respect to propagation of inherited ACLs, as well as replication of ACLs from other domain controllers.
As a complement to the replication monitoring tools (Repadmin.exe and Replmon.exe), SDCheck can be used to ensure that domain controllers are up-to-date with one another.

Corresponding UI

There is no corresponding user interface for SDCheck.

Concepts

A security descriptor contains the security information associated with a securable object. Every container and object on the network or in Active Directory has a set of access control information attached to it, known as a security descriptor. Windows XP Professional automatically creates the security descriptor when an object is created.

System Requirements

The following are the system requirements for SDCheck:

Windows XP Professional

File Required

Sdcheck.exe