Tuesday, April 12, 2016

Active Directory ACLs explained

In a previous post on decoding AD ACLs, I provided some code that took BSonPosh's get-adacl output and decoded the SIDs and GUIDs into more readable output. An example of this is below; however, you may find some of the other fields a bit confusing. So I created a few different types of test permissions on an OU to show how each is reflected in the PowerShell output of these two commands.


Permission set in GUI: "Apply to: All Descendant objects, create/delete Conference Site objects"

ActiveDirectoryRights : CreateChild, DeleteChild
InheritanceType       : Descendents
ObjectType            : msExchConferenceContainer
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : TEST.LOCAL\Nathan
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

Permission set in GUI: "Apply to: This object and all descendant objects, create/delete Contact objects"

ActiveDirectoryRights : CreateChild, DeleteChild
InheritanceType       : All
ObjectType            : contact
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : TEST.LOCAL\Nathan
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : None

Permission set in GUI: "Apply to: This object only, create/delete Computer objects"

ActiveDirectoryRights : CreateChild, DeleteChild
InheritanceType       : None
ObjectType            : computer
InheritedObjectType   : 00000000-0000-0000-0000-000000000000
ObjectFlags           : ObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : TEST.LOCAL\Nathan
IsInherited           : False
InheritanceFlags      : None
PropagationFlags      : None

Permission set in GUI: "Apply to: Descendant Computer objects, Modify Owner"

ActiveDirectoryRights : WriteOwner
InheritanceType       : Descendents
ObjectType            : 00000000-0000-0000-0000-000000000000
InheritedObjectType   : computer
ObjectFlags           : InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : BHI-MASTER\adminlinlnat
IsInherited           : False
InheritanceFlags      : ContainerInherit
PropagationFlags      : InheritOnly

InheritedObjectType: Notice this will be all zeros when the permission is for creating a child object in a container. When the permission is being set on a specific type of child object, InheritedObjectType will be set to that object type and the ObjectType value will be all zeros. When setting a permission on a specific property of a specific type of child object, both fields are filled in: ObjectType is the specified property and InheritedObjectType is the AD object's class.

PropagationFlags: InheritOnly is present when the permission applies to something other than the current OU itself. (https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.propagationflags(v=vs.110).aspx)

InheritanceFlags: ContainerInherit when applying to anything below the current level; ObjectInherit when applying to child objects. (https://msdn.microsoft.com/en-us/library/system.security.accesscontrol.inheritanceflags(v=vs.110).aspx)

InheritanceType: All (everything from this level down), Descendents (children and descendants, not the current object), None (current level only). (https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectorysecurityinheritance(v=vs.110).aspx)
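To make the rules above concrete, here is an added Python example (not part of the original post and not get-adacl's own code) that takes the scope-deciding fields of the four ACEs shown and reproduces the GUI's "Apply to" wording; it also checks that ObjectFlags names exactly the GUID fields that are filled in, which is a quick sanity test when reviewing dumped ACLs. The field names are the ones get-adacl prints; the GUI wording in SCOPE and RIGHT_NAMES is my own mapping, and the sample rows are constructed from the output above.

```python
NULL_GUID = "00000000-0000-0000-0000-000000000000"
FIELDS = ("ActiveDirectoryRights", "InheritanceType", "ObjectType",
          "InheritedObjectType", "ObjectFlags")

# Constructed sample: the four ACEs from the post, reduced to the fields that
# decide scope (identity and inheritance/propagation flag lines omitted).
SAMPLE_ACES = [dict(zip(FIELDS, row)) for row in (
    ("CreateChild, DeleteChild", "Descendents", "msExchConferenceContainer", NULL_GUID, "ObjectAceTypePresent"),
    ("CreateChild, DeleteChild", "All", "contact", NULL_GUID, "ObjectAceTypePresent"),
    ("CreateChild, DeleteChild", "None", "computer", NULL_GUID, "ObjectAceTypePresent"),
    ("WriteOwner", "Descendents", NULL_GUID, "computer", "InheritedObjectAceTypePresent"),
)]

SCOPE = {"None": "This object only",
         "All": "This object and all descendant objects",
         "Descendents": "All descendant objects"}  # .NET enum spelling
RIGHT_NAMES = {"WriteOwner": "Modify Owner"}  # GUI wording for a raw right (my mapping)


def describe(ace):
    """Render one ACE as 'Apply to: <scope>, <right>' using the post's rules."""
    scope = SCOPE[ace["InheritanceType"]]
    if ace["InheritedObjectType"] != NULL_GUID:  # limited to children of one class
        scope = f"Descendant {ace['InheritedObjectType']} objects"
    rights = RIGHT_NAMES.get(ace["ActiveDirectoryRights"], ace["ActiveDirectoryRights"])
    obj = ace["ObjectType"]
    if obj != NULL_GUID:  # a child class for create/delete, otherwise a property or extended right
        rights = (f"Create/delete {obj} objects" if rights == "CreateChild, DeleteChild"
                  else f"{rights} on {obj}")
    return f"Apply to: {scope}, {rights}"


def flags_consistent(ace):
    """ObjectFlags must name exactly the GUID fields that are non-zero ('None' if neither)."""
    want = {flag for flag, field in (("ObjectAceTypePresent", "ObjectType"),
                                     ("InheritedObjectAceTypePresent", "InheritedObjectType"))
            if ace[field] != NULL_GUID} or {"None"}
    return {f.strip() for f in ace["ObjectFlags"].split(",")} == want


def decode_all(aces):
    """Describe every ACE, marking any whose ObjectFlags disagree with its GUID fields."""
    return [describe(a) + ("" if flags_consistent(a) else "  [ObjectFlags mismatch]")
            for a in aces]


if __name__ == "__main__":
    for line in decode_all(SAMPLE_ACES):
        print(line)
```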

2 comments:

  1. Hello,

    Thanks very much for posting this above information as this is an area I am learning at the moment. A couple of questions please.

    Reading the above, if I understand it correctly, 'ObjectType' will 'only' ever be filled in when the ObjectType refers to a 'specific property' of an object, and 'not' an object class (schema-class) itself.

    I make this assumption based on the text you wrote above, e.g.

    "When setting a permission on a specific property of a specific type of child object, you will get both fields filled in with the ObjectType being the specified property"

    Is my assumption above correct, please?

    Thanks
    EB

  2. Further to my last post (just now), taking an example from my LAB (newly installed 2012 R2 DC) with a Test OU and below this another OU called Test2. I looked at the rights on the Test OU and here is one example from that output

    IsInherited : True
    InheritedObjectType : 00000000-0000-0000-0000-000000000000
    ObjectType : 91e647de-d96f-4b70-9557-d63ff4f3ccd8
    IdentityReference : S-1-5-10
    NTAccount : NT AUTHORITY\SELF
    ActiveDirectoryRights : ReadProperty, WriteProperty, ExtendedRight
    PropagationFlags : None
    ObjectFlags : ObjectAceTypePresent
    InheritanceFlags : ContainerInherit
    AccessControlType : Allow
    InheritanceType : All

    So reading your post (thanks again for that), I infer the following

    InheritedObjectType : 00000000-0000-0000-0000-000000000000

    1) The above meaning this ACE not restricted to a specific 'type' of object (e.g. Computer, User etc.) when it comes to 'inheritance'

    InheritanceFlags : ContainerInherit

    2) This ACE will be inherited by 'container type' objects (e.g. OU) 'only' and not objects of other classes, e.g. users, computers etc.; otherwise it would say ObjectInherit

    InheritanceType : All

    3) This means the ACE will be inherited by 'all' 'container type' objects (e.g. OU) below the current level and therefore by Test2 OU in the case of my LAB setup and any lower OUs

    PropagationFlags : None

    4) This means the ACE applied to the 'current OU' I am looking at, and due to the "InheritanceFlags : ContainerInherit" also OUs below the current OU, meaning PropagationFlags and InheritanceFlags need to be considered together

    Can you please clarify for me if my assumptions above are correct so far? Thanks

    Also, can you please elaborate on the following and its meaning/options? Thanks

    ObjectFlags : ObjectAceTypePresent