Windows Tools

SDCheck Examples


Example 1: Display the Summary Security Information for an Object

In this example, no changes have been applied to the user object (Someone) or its parent organizational unit (Sales) since their initial creation. Note the metadata version number.

c:\sdcheck sprocket someone@microsoft.com

Microsoft(R) Windows (R) 2000 Operating System
Security Descriptor Check Utility - build(2015)

Input:  someone@microsoft.com
Object: CN=Someone,OU=Sales,DC=microsoft,DC=com
Domain: microsoft.com
Domain: DC=microsoft,DC=com
Server: sprocket

*** Warning: No values returned for dSCorePropagationData on CN=Someone,OU=Sales,DC=microsoft,DC=com
*** Warning: No values returned for dSCorePropagationData on OU=Sales,DC=microsoft,DC=com
*** Warning: No values returned for dSCorePropagationData on DC=microsoft,DC=com

Object:   CN=Someone,OU=Sales,DC=microsoft,DC=com
Classes:  top person organizationalPerson user 
SD:	 1012 bytes
Metadata: 04/15/1999 14:53:04 @ SPROCKET.microsoft.com ver: 1

  Object:   OU=Sales,DC=microsoft,DC=com
  Classes:  top organizationalUnit 
  SD:	 424 bytes
  Metadata: 04/15/1999 14:54:13 @ SPROCKET.microsoft.com ver: 1

	Object:   DC=microsoft,DC=com
	Classes:  top domain domainDNS 
	SD:	 496 bytes
	Metadata: 04/15/1999 14:51:32 @ SPROCKET.microsoft.com ver: 4

Checking ACL inheritance ...
		Parent: 2 - DC=microsoft,DC=com
		Child:  1 - OU=Sales,DC=microsoft,DC=com

Checking ACL inheritance ...
		Parent: 1 - OU=Sales,DC=microsoft,DC=com
		Child:  0 - CN=Someone,OU=Sales,DC=microsoft,DC=com

Example 2: Display the Security Descriptor for an Object

In this example, two additional access control lists (ACLs) have been added. This is visible as the increase in the version number of the security metadata. One ACL denies read/write access to members of the Accounts Payable group, and the other ACL audits read/write attempts by the Administrator.

c:\sdcheck sprocket someone@microsoft.com -dumpSD

Microsoft(R) Windows (R) 2000 Operating System
Security Descriptor Check Utility - build(2015)

Input:  someone@microsoft.com
Object: CN=Someone,OU=Sales,DC=microsoft,DC=com
Domain: microsoft.com
Domain: DC=microsoft,DC=com
Server: sprocket

*** Warning: No values returned for dSCorePropagationData on OU=Sales,DC=microsoft,DC=com
*** Warning: No values returned for dSCorePropagationData on DC=microsoft,DC=com

Object:   CN=Someone,OU=Sales,DC=microsoft,DC=com
Classes:  top person organizationalPerson user 
SD:	 1072 bytes
Metadata: 04/15/1999 14:59:08 @ SPROCKET.microsoft.com ver: 3
History:  04/15/1999 14:59:00 flags(0x1) SD propagation
		04/15/1999 14:59:08 flags(0x1) SD propagation

  Object:   OU=Sales,DC=microsoft,DC=com
  Classes:  top organizationalUnit 
  SD:	 424 bytes
  Metadata: 04/15/1999 14:54:13 @ SPROCKET.microsoft.com ver: 1

	Object:   DC=microsoft,DC=com
	Classes:  top domain domainDNS 
	SD:	 496 bytes
	Metadata: 04/15/1999 14:51:32 @ SPROCKET.microsoft.com ver: 4

Checking ACL inheritance ...
		Parent: 2 - DC=microsoft,DC=com
		Child:  1 - OU=Sales,DC=microsoft,DC=com

Checking ACL inheritance ...
		Parent: 1 - OU=Sales,DC=microsoft,DC=com
		Child:  0 - CN=Someone,OU=Sales,DC=microsoft,DC=com


SD for CN=Someone,OU=Sales,DC=microsoft,DC=com
SD Revision: 1
SD Control:  0x8c14
				SE_DACL_PRESENT
				SE_SACL_PRESENT
				SE_DACL_AUTO_INHERITED
				SE_SACL_AUTO_INHERITED
				SE_SELF_RELATIVE
Owner: microsoft\Domain Admins S-1-5-21-640924683-4221571012-3872390550-512
Group: microsoft\Domain Users S-1-5-21-640924683-4221571012-3872390550-513
DACL:
		Revision	4
		Size:		 944 bytes
		# Aces:	 24
		Ace[0]
				Ace Type:  0x1 - ACCESS_DENIED_ACE_TYPE
				Ace Size:  36 bytes
				Ace Flags: 0x0
				Ace Mask:  0x000200bc
						READ_CONTROL
						ACTRL_DS_LIST
						ACTRL_DS_SELF
						ACTRL_DS_READ_PROP
						ACTRL_DS_WRITE_PROP
						ACTRL_DS_LIST_OBJECT
				Ace Sid:   microsoft\Accounts Payable S-1-5-21-640924683-4221571012-3872390550-1130
		Ace[1]
				Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
				Ace Size:  24 bytes
				Ace Flags: 0x0
				Ace Mask:  0x000f01ff
						DELETE
						READ_CONTROL
						WRITE_DAC
						WRITE_OWNER
						ACTRL_DS_CREATE_CHILD
						ACTRL_DS_DELETE_CHILD
						ACTRL_DS_LIST
						ACTRL_DS_SELF
						ACTRL_DS_READ_PROP
						ACTRL_DS_WRITE_PROP
						ACTRL_DS_DELETE_TREE
						ACTRL_DS_LIST_OBJECT
						ACTRL_DS_CONTROL_ACCESS
				Ace Sid:   BUILTIN\Account Operators S-1-5-32-548
		Ace[2]
				Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
				Ace Size:  20 bytes
				Ace Flags: 0x0
				Ace Mask:  0x00020000
						READ_CONTROL
				Ace Sid:   NT AUTHORITY\Authenticated Users S-1-5-11
		Ace[3]
				Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
				Ace Size:  36 bytes
				Ace Flags: 0x0
				Ace Mask:  0x000f01ff
						DELETE
						READ_CONTROL
						WRITE_DAC
						WRITE_OWNER
						ACTRL_DS_CREATE_CHILD
						ACTRL_DS_DELETE_CHILD
						ACTRL_DS_LIST
						ACTRL_DS_SELF
						ACTRL_DS_READ_PROP
						ACTRL_DS_WRITE_PROP
						ACTRL_DS_DELETE_TREE
						ACTRL_DS_LIST_OBJECT
						ACTRL_DS_CONTROL_ACCESS
				Ace Sid:   microsoft\Domain Admins S-1-5-21-640924683-4221571012-3872390550-512
		Ace[4]
				Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
				Ace Size:  20 bytes
				Ace Flags: 0x0
				Ace Mask:  0x00020094
						READ_CONTROL
						ACTRL_DS_LIST
						ACTRL_DS_READ_PROP
						ACTRL_DS_LIST_OBJECT
				Ace Sid:   NT AUTHORITY\SELF S-1-5-10
		Ace[5]
				Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
				Ace Size:  20 bytes
				Ace Flags: 0x0
				Ace Mask:  0x000f01ff
						DELETE
						READ_CONTROL
						WRITE_DAC
						WRITE_OWNER
						ACTRL_DS_CREATE_CHILD
						ACTRL_DS_DELETE_CHILD
						ACTRL_DS_LIST
						ACTRL_DS_SELF
						ACTRL_DS_READ_PROP
						ACTRL_DS_WRITE_PROP
						ACTRL_DS_DELETE_TREE
						ACTRL_DS_LIST_OBJECT
						ACTRL_DS_CONTROL_ACCESS
				Ace Sid:   NT AUTHORITY\SYSTEM S-1-5-18
		Ace[6]
				Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
				Ace Size:  40 bytes
				Ace Flags: 0x0
				Object Ace Mask:  0x00000010
						ACTRL_DS_READ_PROP
				Object Ace Flags: 0x1
						ACE_OBJECT_TYPE_PRESENT
				Object Ace Type:  Attr set - Public Information
				Object Ace Sid:   NT AUTHORITY\Authenticated Users S-1-5-11
		Ace[7]
				Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
				Ace Size:  40 bytes
				Ace Flags: 0x0
				Object Ace Mask:  0x00000010
						ACTRL_DS_READ_PROP
				Object Ace Flags: 0x1
						ACE_OBJECT_TYPE_PRESENT
				Object Ace Type:  Attr set - Web Information
				Object Ace Sid:   NT AUTHORITY\Authenticated Users S-1-5-11
		Ace[8]
				Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
				Ace Size:  40 bytes
				Ace Flags: 0x0
				Object Ace Mask:  0x00000010
						ACTRL_DS_READ_PROP
				Object Ace Flags: 0x1
						ACE_OBJECT_TYPE_PRESENT
				Object Ace Type:  Attr set - Personal Information
				Object Ace Sid:   NT AUTHORITY\Authenticated Users S-1-5-11
		Ace[9]
				Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
				Ace Size:  40 bytes
				Ace Flags: 0x0
				Object Ace Mask:  0x00000010
						ACTRL_DS_READ_PROP
				Object Ace Flags: 0x1
						ACE_OBJECT_TYPE_PRESENT
				Object Ace Type:  Attr set - General Information
				Object Ace Sid:   NT AUTHORITY\Authenticated Users S-1-5-11
		Ace[10]
				Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
				Ace Size:  56 bytes
				Ace Flags: 0x0
				Object Ace Mask:  0x00000030
						ACTRL_DS_READ_PROP
						ACTRL_DS_WRITE_PROP
				Object Ace Flags: 0x1
						ACE_OBJECT_TYPE_PRESENT
				Object Ace Type:  Attr - userCertificate
				Object Ace Sid:   microsoft\Cert Publishers S-1-5-21-640924683-4221571012-3872390550-517
		Ace[11]
				Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
				Ace Size:  40 bytes
				Ace Flags: 0x0
				Object Ace Mask:  0x00000100
						ACTRL_DS_CONTROL_ACCESS
				Object Ace Flags: 0x1
						ACE_OBJECT_TYPE_PRESENT
				Object Ace Type:  Control right - Change Password
				Object Ace Sid:   Everyone S-1-1-0
		Ace[12]
				Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
				Ace Size:  56 bytes
				Ace Flags: 0x0
				Object Ace Mask:  0x00000010
						ACTRL_DS_READ_PROP
				Object Ace Flags: 0x1
						ACE_OBJECT_TYPE_PRESENT
				Object Ace Type:  Attr set - Logon Information
				Object Ace Sid:   microsoft\RAS and IAS Servers S-1-5-21-640924683-4221571012-3872390550-553
		Ace[13]
				Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
				Ace Size:  56 bytes
				Ace Flags: 0x0
				Object Ace Mask:  0x00000010
						ACTRL_DS_READ_PROP
				Object Ace Flags: 0x1
						ACE_OBJECT_TYPE_PRESENT
				Object Ace Type:  Control right - Modify Group Membership
				Object Ace Sid:   microsoft\RAS and IAS Servers S-1-5-21-640924683-4221571012-3872390550-553
		Ace[14]
				Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
				Ace Size:  56 bytes
				Ace Flags: 0x0
				Object Ace Mask:  0x00000010
						ACTRL_DS_READ_PROP
				Object Ace Flags: 0x1
						ACE_OBJECT_TYPE_PRESENT
				Object Ace Type:  Attr set - Account Restrictions
				Object Ace Sid:   microsoft\RAS and IAS Servers S-1-5-21-640924683-4221571012-3872390550-553
		Ace[15]
				Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
				Ace Size:  56 bytes
				Ace Flags: 0x0
				Object Ace Mask:  0x00000010
						ACTRL_DS_READ_PROP
				Object Ace Flags: 0x1
						ACE_OBJECT_TYPE_PRESENT
				Object Ace Type:  Attr set - Modify Remote Access Information
				Object Ace Sid:   microsoft\RAS and IAS Servers S-1-5-21-640924683-4221571012-3872390550-553
		Ace[16]
				Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
				Ace Size:  40 bytes
				Ace Flags: 0x0
				Object Ace Mask:  0x00000030
						ACTRL_DS_READ_PROP
						ACTRL_DS_WRITE_PROP
				Object Ace Flags: 0x1
						ACE_OBJECT_TYPE_PRESENT
				Object Ace Type:  Attr set - Web Information
				Object Ace Sid:   NT AUTHORITY\SELF S-1-5-10
		Ace[17]
				Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
				Ace Size:  40 bytes
				Ace Flags: 0x0
				Object Ace Mask:  0x00000030
						ACTRL_DS_READ_PROP
						ACTRL_DS_WRITE_PROP
				Object Ace Flags: 0x1
						ACE_OBJECT_TYPE_PRESENT
				Object Ace Type:  Control right - Phone and Mail Options
				Object Ace Sid:   NT AUTHORITY\SELF S-1-5-10
		Ace[18]
				Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
				Ace Size:  40 bytes
				Ace Flags: 0x0
				Object Ace Mask:  0x00000030
						ACTRL_DS_READ_PROP
						ACTRL_DS_WRITE_PROP
				Object Ace Flags: 0x1
						ACE_OBJECT_TYPE_PRESENT
				Object Ace Type:  Attr set - Personal Information
				Object Ace Sid:   NT AUTHORITY\SELF S-1-5-10
		Ace[19]
				Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
				Ace Size:  40 bytes
				Ace Flags: 0x0
				Object Ace Mask:  0x00000100
						ACTRL_DS_CONTROL_ACCESS
				Object Ace Flags: 0x1
						ACE_OBJECT_TYPE_PRESENT
				Object Ace Type:  Control right - Receive As
				Object Ace Sid:   NT AUTHORITY\SELF S-1-5-10
		Ace[20]
				Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
				Ace Size:  40 bytes
				Ace Flags: 0x0
				Object Ace Mask:  0x00000100
						ACTRL_DS_CONTROL_ACCESS
				Object Ace Flags: 0x1
						ACE_OBJECT_TYPE_PRESENT
				Object Ace Type:  Control right - Send As
				Object Ace Sid:   NT AUTHORITY\SELF S-1-5-10
		Ace[21]
				Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
				Ace Size:  40 bytes
				Ace Flags: 0x0
				Object Ace Mask:  0x00000100
						ACTRL_DS_CONTROL_ACCESS
				Object Ace Flags: 0x1
						ACE_OBJECT_TYPE_PRESENT
				Object Ace Type:  Control right - Change Password
				Object Ace Sid:   NT AUTHORITY\SELF S-1-5-10
		Ace[22]
				Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
				Ace Size:  24 bytes
				Ace Flags: 0x12
						CONTAINER_INHERIT_ACE
						INHERITED_ACE
				Ace Mask:  0x000f01bd
						DELETE
						READ_CONTROL
						WRITE_DAC
						WRITE_OWNER
						ACTRL_DS_CREATE_CHILD
						ACTRL_DS_LIST
						ACTRL_DS_SELF
						ACTRL_DS_READ_PROP
						ACTRL_DS_WRITE_PROP
						ACTRL_DS_LIST_OBJECT
						ACTRL_DS_CONTROL_ACCESS
				Ace Sid:   BUILTIN\Administrators S-1-5-32-544
		Ace[23]
				Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
				Ace Size:  36 bytes
				Ace Flags: 0x12
						CONTAINER_INHERIT_ACE
						INHERITED_ACE
				Ace Mask:  0x000f01ff
						DELETE
						READ_CONTROL
						WRITE_DAC
						WRITE_OWNER
						ACTRL_DS_CREATE_CHILD
						ACTRL_DS_DELETE_CHILD
						ACTRL_DS_LIST
						ACTRL_DS_SELF
						ACTRL_DS_READ_PROP
						ACTRL_DS_WRITE_PROP
						ACTRL_DS_DELETE_TREE
						ACTRL_DS_LIST_OBJECT
						ACTRL_DS_CONTROL_ACCESS
				Ace Sid:   microsoft\Enterprise Admins S-1-5-21-640924683-4221571012-3872390550-519
SACL:
		Revision	2
		Size:		 52 bytes
		# Aces:	 2
		Ace[0]
				Ace Type:  0x2 - SYSTEM_AUDIT_ACE_TYPE
				Ace Size:  24 bytes
				Ace Flags: 0x82
						CONTAINER_INHERIT_ACE
				Ace Mask:  0x00000030
						ACTRL_DS_READ_PROP
						ACTRL_DS_WRITE_PROP
				Ace Sid:   BUILTIN\Administrators S-1-5-32-544
		Ace[1]
				Ace Type:  0x2 - SYSTEM_AUDIT_ACE_TYPE
				Ace Size:  20 bytes
				Ace Flags: 0xd2
						CONTAINER_INHERIT_ACE
						INHERITED_ACE
				Ace Mask:  0x000d016b
						DELETE
						WRITE_DAC
						WRITE_OWNER
						ACTRL_DS_CREATE_CHILD
						ACTRL_DS_DELETE_CHILD
						ACTRL_DS_SELF
						ACTRL_DS_WRITE_PROP
						ACTRL_DS_DELETE_TREE
						ACTRL_DS_CONTROL_ACCESS
				Ace Sid:   Everyone S-1-1-0

Example 3: Determine If the Security Descriptor is Being Inherited Correctly

In this example, an inheritable ACL was added to the domain object dc=microsoft,dc=com, denying read and write access to the members of the Finance group. Note that the metadata version number for the domain object dc=microsoft,dc=com has been incremented; however, the ACL has not yet propagated to the Sales object.

c:\sdcheck sprocket someone@microsoft.com 

Microsoft(R) Windows (R) 2000 Operating System
Security Descriptor Check Utility - build(2015)

Input:  someone@microsoft.com
Object: CN=Someone,OU=Sales,DC=microsoft,DC=com
Domain: microsoft.com
Domain: DC=microsoft,DC=com
Server: sprocket

*** Warning: No values returned for dSCorePropagationData on DC=microsoft,DC=com

Object:   CN=Someone,OU=Sales,DC=microsoft,DC=com
Classes:  top person organizationalPerson user 
SD:	 1108 bytes
Metadata: 04/15/1999 14:59:08 @ SPROCKET.microsoft.com ver: 3
History:  04/15/1999 14:59:00 flags(0x1) SD propagation
		04/15/1999 14:59:08 flags(0x1) SD propagation
		04/15/1999 15:13:22 flags(0x1) SD propagation

  Object:   OU=Sales,DC=microsoft,DC=com
  Classes:  top organizationalUnit 
  SD:	 460 bytes
  Metadata: 04/15/1999 14:54:13 @ SPROCKET.microsoft.com ver: 1
  History:  04/15/1999 15:13:21 flags(0x1) SD propagation

	Object:   DC=microsoft,DC=com
	Classes:  top domain domainDNS 
	SD:	 532 bytes
	Metadata: 04/15/1999 15:13:21 @ SPROCKET.microsoft.com ver: 5

Checking ACL inheritance ...
		Parent: 2 - DC=microsoft,DC=com
		Child:  1 - OU=Sales,DC=microsoft,DC=com
*** Error: Parent ACE [0] specific Mask [0x4] not found1 in child
*** Error: Parent ACE [0] specific Mask [0x8] not found1 in child
*** Error: Parent ACE [0] specific Mask [0x10] not found1 in child
*** Error: Parent ACE [0] specific Mask [0x20] not found1 in child
*** Error: Parent ACE [0] specific Mask [0x80] not found1 in child
*** Error: Parent ACE [0] specific Mask [0x20000] not found1 in child


Checking ACL inheritance ...
		Parent: 1 - OU=Sales,DC=microsoft,DC=com
		Child:  0 - CN=Someone,OU=Sales,DC=microsoft,DC=com
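
The inheritance check SDCheck runs in Example 3, and the mask decoding behind the ACTRL_DS_* lines in Example 2, as an added Python example that is not part of SDCheck or this documentation. The bit values are the standard Windows DS access-right constants; the rule for pairing a parent ACE with a child ACE (same SID, same ACE type, INHERITED_ACE set) and the Finance SID are assumptions.

```python
# Added example (not SDCheck's own code): decode the DS access-mask bits SDCheck
# prints and reproduce its parent/child inheritance check from Example 3.
# Bit values are the documented Windows ADS_RIGHT_* / standard-rights constants;
# the matching rule (same SID, same ACE type, INHERITED_ACE set) is an assumption
# about how SDCheck pairs parent and child ACEs.
from dataclasses import dataclass

DS_MASK_BITS = {
    0x00001: "ACTRL_DS_CREATE_CHILD", 0x00002: "ACTRL_DS_DELETE_CHILD",
    0x00004: "ACTRL_DS_LIST", 0x00008: "ACTRL_DS_SELF",
    0x00010: "ACTRL_DS_READ_PROP", 0x00020: "ACTRL_DS_WRITE_PROP",
    0x00040: "ACTRL_DS_DELETE_TREE", 0x00080: "ACTRL_DS_LIST_OBJECT",
    0x00100: "ACTRL_DS_CONTROL_ACCESS", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
CONTAINER_INHERIT_ACE, OBJECT_INHERIT_ACE, INHERITED_ACE = 0x2, 0x1, 0x10

@dataclass
class Ace:
    ace_type: int   # 0x0 allowed, 0x1 denied, 0x2 audit
    flags: int
    mask: int
    sid: str

def decode_mask(mask):
    """Names for each set bit, lowest bit first (the order SDCheck lists them)."""
    return [name for bit, name in sorted(DS_MASK_BITS.items()) if mask & bit]

def check_inheritance(parent, child):
    """Report parent ACE mask bits that no matching inherited child ACE carries."""
    errors = []
    for i, pace in enumerate(parent):
        if not pace.flags & (CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE):
            continue  # not inheritable, so nothing should propagate
        inherited = [c for c in child if c.flags & INHERITED_ACE
                     and c.sid == pace.sid and c.ace_type == pace.ace_type]
        for bit in sorted(DS_MASK_BITS):
            if pace.mask & bit and not any(c.mask & bit for c in inherited):
                errors.append(f"Parent ACE [{i}] specific Mask [{bit:#x}] not found in child")
    return errors

# Constructed sample mirroring Example 3: the domain object carries a new
# inheritable deny ACE for "Finance" that has not yet reached OU=Sales.
FINANCE = "S-1-5-21-0-0-0-9999"   # placeholder SID, not from the page
DOMAIN_ACL = [Ace(0x1, CONTAINER_INHERIT_ACE, 0x000200BC, FINANCE),
              Ace(0x0, CONTAINER_INHERIT_ACE, 0x000F01FF, "S-1-5-32-544")]
SALES_ACL = [Ace(0x0, CONTAINER_INHERIT_ACE | INHERITED_ACE, 0x000F01FF, "S-1-5-32-544")]

if __name__ == "__main__":
    print(decode_mask(0x000200BC))
    print("\n".join(check_inheritance(DOMAIN_ACL, SALES_ACL)))
```

Run against the constructed sample it reproduces the six "not found in child" lines of Example 3, one per bit of the 0x200bc deny mask.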

Example 4: Determine If Changes to the Security Descriptor Are Being Replicated From One Domain Controller to Another

In this example, changes to the security descriptor were made to the same object on a different domain controller. Note in the security metadata that the version number has been incremented and that the name of the domain controller that originated the updated security descriptor is different (in this example: wombat.microsoft.com).

c:\sdcheck sprocket someone@microsoft.com

Microsoft(R) Windows (R) 2000 Operating System
Security Descriptor Check Utility - build(2015)

Input:  someone@microsoft.com
Object: CN=Someone,OU=Sales,DC=microsoft,DC=com
Domain: microsoft.com
Domain: DC=microsoft,DC=com
Server: sprocket

*** Warning: No values returned for dSCorePropagationData on DC=microsoft,DC=com

Object:   CN=Someone,OU=Sales,DC=microsoft,DC=com
Classes:  top person organizationalPerson user 
SD:	 1144 bytes
Metadata: 04/15/1999 17:26:52 @ WOMBAT.microsoft.com ver: 4
History:  04/15/1999 14:59:00 flags(0x1) SD propagation
		04/15/1999 14:59:08 flags(0x1) SD propagation
		04/15/1999 15:13:22 flags(0x1) SD propagation

  Object:   OU=Sales,DC=microsoft,DC=com
  Classes:  top organizationalUnit 
  SD:	 460 bytes
  Metadata: 04/15/1999 14:54:13 @ SPROCKET.microsoft.com ver: 1
  History:  04/15/1999 15:13:21 flags(0x1) SD propagation

	Object:   DC=microsoft,DC=com
	Classes:  top domain domainDNS 
	SD:	 532 bytes
	Metadata: 04/15/1999 15:13:21 @ SPROCKET.microsoft.com ver: 5

Checking ACL inheritance ...
		Parent: 2 - DC=microsoft,DC=com
		Child:  1 - OU=Sales,DC=microsoft,DC=com

Checking ACL inheritance ...
		Parent: 1 - OU=Sales,DC=microsoft,DC=com
		Child:  0 - CN=Someone,OU=Sales,DC=microsoft,DC=com