SDCheck Examples
In this example, no changes have been applied to the user object (Someone) or to its parent organizational unit (Sales) since their initial creation. Note the metadata version number.
c:\sdcheck sprocket someone@microsoft.com
Microsoft(R) Windows (R) 2000 Operating System
Security Descriptor Check Utility - build(2015)
Input: someone@microsoft.com
Object: CN=Someone,OU=Sales,DC=microsoft,DC=com
Domain: microsoft.com
Domain: DC=microsoft,DC=com
Server: sprocket
*** Warning: No values returned for dSCorePropagationData on CN=Someone,OU=Sales,DC=microsoft,DC=com
*** Warning: No values returned for dSCorePropagationData on OU=Sales,DC=microsoft,DC=com
*** Warning: No values returned for dSCorePropagationData on DC=microsoft,DC=com
Object: CN=Someone,OU=Sales,DC=microsoft,DC=com
Classes: top person organizationalPerson user
SD: 1012 bytes
Metadata: 04/15/1999 14:53:04 @ SPROCKET.microsoft.com ver: 1
Object: OU=Sales,DC=microsoft,DC=com
Classes: top organizationalUnit
SD: 424 bytes
Metadata: 04/15/1999 14:54:13 @ SPROCKET.microsoft.com ver: 1
Object: DC=microsoft,DC=com
Classes: top domain domainDNS
SD: 496 bytes
Metadata: 04/15/1999 14:51:32 @ SPROCKET.microsoft.com ver: 4
Checking ACL inheritance ...
Parent: 2 - DC=microsoft,DC=com
Child: 1 - OU=Sales,DC=microsoft,DC=com
Checking ACL inheritance ...
Parent: 1 - OU=Sales,DC=microsoft,DC=com
Child: 0 - CN=Someone,OU=Sales,DC=microsoft,DC=com
In this example, two additional access control lists (ACLs) have been added. This shows up as an increase in the version number of the security metadata. One ACL denies
c:\sdcheck sprocket someone@microsoft.com -dumpSD
Microsoft(R) Windows (R) 2000 Operating System
Security Descriptor Check Utility - build(2015)
Input: someone@microsoft.com
Object: CN=Someone,OU=Sales,DC=microsoft,DC=com
Domain: microsoft.com
Domain: DC=microsoft,DC=com
Server: sprocket
*** Warning: No values returned for dSCorePropagationData on OU=Sales,DC=microsoft,DC=com
*** Warning: No values returned for dSCorePropagationData on DC=microsoft,DC=com
Object: CN=Someone,OU=Sales,DC=microsoft,DC=com
Classes: top person organizationalPerson user
SD: 1072 bytes
Metadata: 04/15/1999 14:59:08 @ SPROCKET.microsoft.com ver: 3
History: 04/15/1999 14:59:00 flags(0x1) SD propagation
04/15/1999 14:59:08 flags(0x1) SD propagation
Object: OU=Sales,DC=microsoft,DC=com
Classes: top organizationalUnit
SD: 424 bytes
Metadata: 04/15/1999 14:54:13 @ SPROCKET.microsoft.com ver: 1
Object: DC=microsoft,DC=com
Classes: top domain domainDNS
SD: 496 bytes
Metadata: 04/15/1999 14:51:32 @ SPROCKET.microsoft.com ver: 4
Checking ACL inheritance ...
Parent: 2 - DC=microsoft,DC=com
Child: 1 - OU=Sales,DC=microsoft,DC=com
Checking ACL inheritance ...
Parent: 1 - OU=Sales,DC=microsoft,DC=com
Child: 0 - CN=Someone,OU=Sales,DC=microsoft,DC=com
SD for CN=Someone,OU=Sales,DC=microsoft,DC=com
SD Revision: 1
SD Control: 0x8c14
SE_DACL_PRESENT
SE_SACL_PRESENT
SE_DACL_AUTO_INHERITED
SE_SACL_AUTO_INHERITED
SE_SELF_RELATIVE
Owner: microsoft\Domain Admins S-1-5-21-640924683-4221571012-3872390550-512
Group: microsoft\Domain Users S-1-5-21-640924683-4221571012-3872390550-513
DACL:
Revision 4
Size: 944 bytes
# Aces: 24
Ace[0]
Ace Type: 0x1 - ACCESS_DENIED_ACE_TYPE
Ace Size: 36 bytes
Ace Flags: 0x0
Ace Mask: 0x000200bc
READ_CONTROL
ACTRL_DS_LIST
ACTRL_DS_SELF
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
ACTRL_DS_LIST_OBJECT
Ace Sid: microsoft\Accounts Payable S-1-5-21-640924683-4221571012-3872390550-1130
Ace[1]
Ace Type: 0x0 - ACCESS_ALLOWED_ACE_TYPE
Ace Size: 24 bytes
Ace Flags: 0x0
Ace Mask: 0x000f01ff
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ACTRL_DS_CREATE_CHILD
ACTRL_DS_DELETE_CHILD
ACTRL_DS_LIST
ACTRL_DS_SELF
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
ACTRL_DS_DELETE_TREE
ACTRL_DS_LIST_OBJECT
ACTRL_DS_CONTROL_ACCESS
Ace Sid: BUILTIN\Account Operators S-1-5-32-548
Ace[2]
Ace Type: 0x0 - ACCESS_ALLOWED_ACE_TYPE
Ace Size: 20 bytes
Ace Flags: 0x0
Ace Mask: 0x00020000
READ_CONTROL
Ace Sid: NT AUTHORITY\Authenticated Users S-1-5-11
Ace[3]
Ace Type: 0x0 - ACCESS_ALLOWED_ACE_TYPE
Ace Size: 36 bytes
Ace Flags: 0x0
Ace Mask: 0x000f01ff
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ACTRL_DS_CREATE_CHILD
ACTRL_DS_DELETE_CHILD
ACTRL_DS_LIST
ACTRL_DS_SELF
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
ACTRL_DS_DELETE_TREE
ACTRL_DS_LIST_OBJECT
ACTRL_DS_CONTROL_ACCESS
Ace Sid: microsoft\Domain Admins S-1-5-21-640924683-4221571012-3872390550-512
Ace[4]
Ace Type: 0x0 - ACCESS_ALLOWED_ACE_TYPE
Ace Size: 20 bytes
Ace Flags: 0x0
Ace Mask: 0x00020094
READ_CONTROL
ACTRL_DS_LIST
ACTRL_DS_READ_PROP
ACTRL_DS_LIST_OBJECT
Ace Sid: NT AUTHORITY\SELF S-1-5-10
Ace[5]
Ace Type: 0x0 - ACCESS_ALLOWED_ACE_TYPE
Ace Size: 20 bytes
Ace Flags: 0x0
Ace Mask: 0x000f01ff
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ACTRL_DS_CREATE_CHILD
ACTRL_DS_DELETE_CHILD
ACTRL_DS_LIST
ACTRL_DS_SELF
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
ACTRL_DS_DELETE_TREE
ACTRL_DS_LIST_OBJECT
ACTRL_DS_CONTROL_ACCESS
Ace Sid: NT AUTHORITY\SYSTEM S-1-5-18
Ace[6]
Ace Type: 0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size: 40 bytes
Ace Flags: 0x0
Object Ace Mask: 0x00000010
ACTRL_DS_READ_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type: Attr set - Public Information
Object Ace Sid: NT AUTHORITY\Authenticated Users S-1-5-11
Ace[7]
Ace Type: 0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size: 40 bytes
Ace Flags: 0x0
Object Ace Mask: 0x00000010
ACTRL_DS_READ_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type: Attr set - Web Information
Object Ace Sid: NT AUTHORITY\Authenticated Users S-1-5-11
Ace[8]
Ace Type: 0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size: 40 bytes
Ace Flags: 0x0
Object Ace Mask: 0x00000010
ACTRL_DS_READ_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type: Attr set - Personal Information
Object Ace Sid: NT AUTHORITY\Authenticated Users S-1-5-11
Ace[9]
Ace Type: 0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size: 40 bytes
Ace Flags: 0x0
Object Ace Mask: 0x00000010
ACTRL_DS_READ_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type: Attr set - General Information
Object Ace Sid: NT AUTHORITY\Authenticated Users S-1-5-11
Ace[10]
Ace Type: 0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size: 56 bytes
Ace Flags: 0x0
Object Ace Mask: 0x00000030
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type: Attr - userCertificate
Object Ace Sid: microsoft\Cert Publishers S-1-5-21-640924683-4221571012-3872390550-517
Ace[11]
Ace Type: 0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size: 40 bytes
Ace Flags: 0x0
Object Ace Mask: 0x00000100
ACTRL_DS_CONTROL_ACCESS
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type: Control right - Change Password
Object Ace Sid: Everyone S-1-1-0
Ace[12]
Ace Type: 0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size: 56 bytes
Ace Flags: 0x0
Object Ace Mask: 0x00000010
ACTRL_DS_READ_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type: Attr set - Logon Information
Object Ace Sid: microsoft\RAS and IAS Servers S-1-5-21-640924683-4221571012-3872390550-553
Ace[13]
Ace Type: 0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size: 56 bytes
Ace Flags: 0x0
Object Ace Mask: 0x00000010
ACTRL_DS_READ_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type: Control right - Modify Group Membership
Object Ace Sid: microsoft\RAS and IAS Servers S-1-5-21-640924683-4221571012-3872390550-553
Ace[14]
Ace Type: 0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size: 56 bytes
Ace Flags: 0x0
Object Ace Mask: 0x00000010
ACTRL_DS_READ_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type: Attr set - Account Restrictions
Object Ace Sid: microsoft\RAS and IAS Servers S-1-5-21-640924683-4221571012-3872390550-553
Ace[15]
Ace Type: 0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size: 56 bytes
Ace Flags: 0x0
Object Ace Mask: 0x00000010
ACTRL_DS_READ_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type: Attr set - Modify Remote Access Information
Object Ace Sid: microsoft\RAS and IAS Servers S-1-5-21-640924683-4221571012-3872390550-553
Ace[16]
Ace Type: 0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size: 40 bytes
Ace Flags: 0x0
Object Ace Mask: 0x00000030
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type: Attr set - Web Information
Object Ace Sid: NT AUTHORITY\SELF S-1-5-10
Ace[17]
Ace Type: 0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size: 40 bytes
Ace Flags: 0x0
Object Ace Mask: 0x00000030
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type: Control right - Phone and Mail Options
Object Ace Sid: NT AUTHORITY\SELF S-1-5-10
Ace[18]
Ace Type: 0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size: 40 bytes
Ace Flags: 0x0
Object Ace Mask: 0x00000030
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type: Attr set - Personal Information
Object Ace Sid: NT AUTHORITY\SELF S-1-5-10
Ace[19]
Ace Type: 0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size: 40 bytes
Ace Flags: 0x0
Object Ace Mask: 0x00000100
ACTRL_DS_CONTROL_ACCESS
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type: Control right - Receive As
Object Ace Sid: NT AUTHORITY\SELF S-1-5-10
Ace[20]
Ace Type: 0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size: 40 bytes
Ace Flags: 0x0
Object Ace Mask: 0x00000100
ACTRL_DS_CONTROL_ACCESS
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type: Control right - Send As
Object Ace Sid: NT AUTHORITY\SELF S-1-5-10
Ace[21]
Ace Type: 0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size: 40 bytes
Ace Flags: 0x0
Object Ace Mask: 0x00000100
ACTRL_DS_CONTROL_ACCESS
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type: Control right - Change Password
Object Ace Sid: NT AUTHORITY\SELF S-1-5-10
Ace[22]
Ace Type: 0x0 - ACCESS_ALLOWED_ACE_TYPE
Ace Size: 24 bytes
Ace Flags: 0x12
CONTAINER_INHERIT_ACE
INHERITED_ACE
Ace Mask: 0x000f01bd
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ACTRL_DS_CREATE_CHILD
ACTRL_DS_LIST
ACTRL_DS_SELF
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
ACTRL_DS_LIST_OBJECT
ACTRL_DS_CONTROL_ACCESS
Ace Sid: BUILTIN\Administrators S-1-5-32-544
Ace[23]
Ace Type: 0x0 - ACCESS_ALLOWED_ACE_TYPE
Ace Size: 36 bytes
Ace Flags: 0x12
CONTAINER_INHERIT_ACE
INHERITED_ACE
Ace Mask: 0x000f01ff
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ACTRL_DS_CREATE_CHILD
ACTRL_DS_DELETE_CHILD
ACTRL_DS_LIST
ACTRL_DS_SELF
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
ACTRL_DS_DELETE_TREE
ACTRL_DS_LIST_OBJECT
ACTRL_DS_CONTROL_ACCESS
Ace Sid: microsoft\Enterprise Admins S-1-5-21-640924683-4221571012-3872390550-519
SACL:
Revision 2
Size: 52 bytes
# Aces: 2
Ace[0]
Ace Type: 0x2 - SYSTEM_AUDIT_ACE_TYPE
Ace Size: 24 bytes
Ace Flags: 0x82
CONTAINER_INHERIT_ACE
Ace Mask: 0x00000030
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
Ace Sid: BUILTIN\Administrators S-1-5-32-544
Ace[1]
Ace Type: 0x2 - SYSTEM_AUDIT_ACE_TYPE
Ace Size: 20 bytes
Ace Flags: 0xd2
CONTAINER_INHERIT_ACE
INHERITED_ACE
Ace Mask: 0x000d016b
DELETE
WRITE_DAC
WRITE_OWNER
ACTRL_DS_CREATE_CHILD
ACTRL_DS_DELETE_CHILD
ACTRL_DS_SELF
ACTRL_DS_WRITE_PROP
ACTRL_DS_DELETE_TREE
ACTRL_DS_CONTROL_ACCESS
Ace Sid: Everyone S-1-1-0
In this example, an inheritable ACL was added to the domain object
c:\sdcheck sprocket someone@microsoft.com
Microsoft(R) Windows (R) 2000 Operating System
Security Descriptor Check Utility - build(2015)
Input: someone@microsoft.com
Object: CN=Someone,OU=Sales,DC=microsoft,DC=com
Domain: microsoft.com
Domain: DC=microsoft,DC=com
Server: sprocket
*** Warning: No values returned for dSCorePropagationData on DC=microsoft,DC=com
Object: CN=Someone,OU=Sales,DC=microsoft,DC=com
Classes: top person organizationalPerson user
SD: 1108 bytes
Metadata: 04/15/1999 14:59:08 @ SPROCKET.microsoft.com ver: 3
History: 04/15/1999 14:59:00 flags(0x1) SD propagation
04/15/1999 14:59:08 flags(0x1) SD propagation
04/15/1999 15:13:22 flags(0x1) SD propagation
Object: OU=Sales,DC=microsoft,DC=com
Classes: top organizationalUnit
SD: 460 bytes
Metadata: 04/15/1999 14:54:13 @ SPROCKET.microsoft.com ver: 1
History: 04/15/1999 15:13:21 flags(0x1) SD propagation
Object: DC=microsoft,DC=com
Classes: top domain domainDNS
SD: 532 bytes
Metadata: 04/15/1999 15:13:21 @ SPROCKET.microsoft.com ver: 5
Checking ACL inheritance ...
Parent: 2 - DC=microsoft,DC=com
Child: 1 - OU=Sales,DC=microsoft,DC=com
*** Error: Parent ACE [0] specific Mask [0x4] not found1 in child
*** Error: Parent ACE [0] specific Mask [0x8] not found1 in child
*** Error: Parent ACE [0] specific Mask [0x10] not found1 in child
*** Error: Parent ACE [0] specific Mask [0x20] not found1 in child
*** Error: Parent ACE [0] specific Mask [0x80] not found1 in child
*** Error: Parent ACE [0] specific Mask [0x20000] not found1 in child
Checking ACL inheritance ...
Parent: 1 - OU=Sales,DC=microsoft,DC=com
Child: 0 - CN=Someone,OU=Sales,DC=microsoft,DC=com
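Each of the six errors above names a single mask bit of parent ACE [0]. As an added example (not part of SDCheck or of the original page), this Python helper folds such errors back into one mask per parent ACE and names the bits; the function names are hypothetical and the sample text is constructed from the output above.

```python
import re
from collections import defaultdict

# Bit values of the access rights named in the -dumpSD output on this page.
RIGHTS = {
    0x1: "ACTRL_DS_CREATE_CHILD", 0x2: "ACTRL_DS_DELETE_CHILD",
    0x4: "ACTRL_DS_LIST", 0x8: "ACTRL_DS_SELF",
    0x10: "ACTRL_DS_READ_PROP", 0x20: "ACTRL_DS_WRITE_PROP",
    0x40: "ACTRL_DS_DELETE_TREE", 0x80: "ACTRL_DS_LIST_OBJECT",
    0x100: "ACTRL_DS_CONTROL_ACCESS", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
PARENT = re.compile(r"^Parent:\s*\d+ - (.+)$")
CHILD = re.compile(r"^Child:\s*\d+ - (.+)$")
ERR = re.compile(r"Parent ACE \[(\d+)\] specific Mask \[(0x[0-9a-fA-F]+)\]")

def missing_inherited_rights(output):
    """Fold per-bit inheritance errors into one mask per (parent, child, ACE index)."""
    masks, parent, child = defaultdict(int), None, None
    for line in output.splitlines():
        line = line.strip()
        if (m := PARENT.match(line)):
            parent = m.group(1)
        elif (m := CHILD.match(line)):
            child = m.group(1)
        elif (m := ERR.search(line)):
            masks[(parent, child, int(m.group(1)))] |= int(m.group(2), 16)
    return dict(masks)

def decode(mask):
    """Name the rights set in an ACE mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

# Constructed sample: the inheritance check from the run above.
SAMPLE = """\
Checking ACL inheritance ...
Parent: 2 - DC=microsoft,DC=com
Child: 1 - OU=Sales,DC=microsoft,DC=com
*** Error: Parent ACE [0] specific Mask [0x4] not found1 in child
*** Error: Parent ACE [0] specific Mask [0x8] not found1 in child
*** Error: Parent ACE [0] specific Mask [0x10] not found1 in child
*** Error: Parent ACE [0] specific Mask [0x20] not found1 in child
*** Error: Parent ACE [0] specific Mask [0x80] not found1 in child
*** Error: Parent ACE [0] specific Mask [0x20000] not found1 in child
Checking ACL inheritance ...
Parent: 1 - OU=Sales,DC=microsoft,DC=com
Child: 0 - CN=Someone,OU=Sales,DC=microsoft,DC=com
"""
```

The second parent/child pair reports no errors, so only the domain-to-OU pair appears in the result.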
In this example, changes to the security descriptor were made to the same object on a different domain controller. Note in the security metadata that the version number has been incremented and that the name of the domain controller that originated the updated security descriptor is different (in this example: wombat.microsoft.com).
c:\sdcheck sprocket someone@microsoft.com
Microsoft(R) Windows (R) 2000 Operating System
Security Descriptor Check Utility - build(2015)
Input: someone@microsoft.com
Object: CN=Someone,OU=Sales,DC=microsoft,DC=com
Domain: microsoft.com
Domain: DC=microsoft,DC=com
Server: sprocket
*** Warning: No values returned for dSCorePropagationData on DC=microsoft,DC=com
Object: CN=Someone,OU=Sales,DC=microsoft,DC=com
Classes: top person organizationalPerson user
SD: 1144 bytes
Metadata: 04/15/1999 17:26:52 @ WOMBAT.microsoft.com ver: 4
History: 04/15/1999 14:59:00 flags(0x1) SD propagation
04/15/1999 14:59:08 flags(0x1) SD propagation
04/15/1999 15:13:22 flags(0x1) SD propagation
Object: OU=Sales,DC=microsoft,DC=com
Classes: top organizationalUnit
SD: 460 bytes
Metadata: 04/15/1999 14:54:13 @ SPROCKET.microsoft.com ver: 1
History: 04/15/1999 15:13:21 flags(0x1) SD propagation
Object: DC=microsoft,DC=com
Classes: top domain domainDNS
SD: 532 bytes
Metadata: 04/15/1999 15:13:21 @ SPROCKET.microsoft.com ver: 5
Checking ACL inheritance ...
Parent: 2 - DC=microsoft,DC=com
Child: 1 - OU=Sales,DC=microsoft,DC=com
Checking ACL inheritance ...
Parent: 1 - OU=Sales,DC=microsoft,DC=com
Child: 0 - CN=Someone,OU=Sales,DC=microsoft,DC=com
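The version number and originating domain controller in the Metadata line are what the examples above ask you to compare by eye. As an added example (not part of SDCheck or of the original page), this Python helper compares two saved SDCheck outputs and reports each object whose security descriptor version rose, along with the domain controller that originated the change; the function names are hypothetical and the two samples are constructed from the last two runs on this page.

```python
import re

OBJ = re.compile(r"^Object:\s*(.+)$")
META = re.compile(r"^Metadata:\s*(\S+ \S+) @ (\S+) ver: (\d+)$")

def parse_metadata(output):
    """Map each object DN to (timestamp, originating DC, SD version)."""
    result, current = {}, None
    for line in output.splitlines():
        line = line.strip()
        m = OBJ.match(line)
        if m:
            current = m.group(1)
            continue
        m = META.match(line)
        if m and current:
            result[current] = (m.group(1), m.group(2), int(m.group(3)))
    return result

def sd_changes(before, after):
    """Return the objects whose SD version rose between two sdcheck runs."""
    old, new = parse_metadata(before), parse_metadata(after)
    changes = []
    for dn, (ts, dc, ver) in new.items():
        prev = old.get(dn)
        if prev and ver > prev[2]:
            changes.append({"object": dn, "from_ver": prev[2], "to_ver": ver,
                            "changed_at": ts, "originating_dc": dc,
                            "dc_changed": dc.lower() != prev[1].lower()})
    return changes

# Constructed samples: Object and Metadata lines from the last two runs above.
RUN_BEFORE = """\
Object: CN=Someone,OU=Sales,DC=microsoft,DC=com
Metadata: 04/15/1999 14:59:08 @ SPROCKET.microsoft.com ver: 3
Object: OU=Sales,DC=microsoft,DC=com
Metadata: 04/15/1999 14:54:13 @ SPROCKET.microsoft.com ver: 1
Object: DC=microsoft,DC=com
Metadata: 04/15/1999 15:13:21 @ SPROCKET.microsoft.com ver: 5
"""
RUN_AFTER = RUN_BEFORE.replace(
    "Metadata: 04/15/1999 14:59:08 @ SPROCKET.microsoft.com ver: 3",
    "Metadata: 04/15/1999 17:26:52 @ WOMBAT.microsoft.com ver: 4")
```

Full SDCheck output can be passed in unchanged; lines other than Object and Metadata are ignored.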