Convert default security descriptor of a schema class

  • Question

  • Hi all,

I want a method to convert the default security descriptor to the format the ntsecuritydescriptor type is in.

I am writing a script to make an inventory of all permissions on OUs and containers. Since OUs and containers are set with a default set of permissions, which are set by their defaultsecuritydescriptor, I want to filter that out from my output. But the output from the defaultsecuritydescriptor of the schema class is not in the same type as the ACL's Access is, so I am stuck here.

    From the Developer network I found:

    ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;(resource_attribute)

    ace_type
    A: Access allowed
    D: Access denied

    rights
    CC: Create child
    DC: Delete child
    LC: List children
    SW: Self write
    RP: Read property
    WP: Write property
    DT: Delete tree
    LO: List object
    CR: Control Access
    SD: Standard delete
    RC: Read control
    WD: Write DAC
    WO: Write owner
    GA: generic all
    GR: generic read
    GW: generic write
    GX: generic execute

I can do the text manipulation, but that is not an efficient way to do it, I know.

    Any ideas on how I can achieve it? I have searched on the internet but the knowledge about this is not available here.

    I'd be very grateful if anyone can give me leads.
    Thank you


    • Moved by Bill_Stewart Friday, July 7, 2017 6:36 PM Abandoned
    Tuesday, May 23, 2017 7:34 AM

All replies

  • An SD is a binary object. It can be converted using the .NET security classes to an SDDL string.

    This gets the SD in both forms:

    # ntSecurityDescriptor comes back as a System.DirectoryServices.ActiveDirectorySecurity object
    $sd = Get-ADUser jsmith -Properties * | Select-Object -ExpandProperty ntSecurityDescriptor
    # raw binary self-relative security descriptor
    $binarysd = $sd.GetSecurityDescriptorBinaryForm()
    # the same descriptor as an SDDL string (owner, group, DACL and SACL sections)
    $sddl = $sd.GetSecurityDescriptorSddlForm('All')


    \_(ツ)_/

    Tuesday, May 23, 2017 5:52 PM
  • I have an SD as an SDDL string and want to convert it to ntsecuritydescriptor form. Actually, the other way around from what you did.

    Thanks

    Wednesday, May 24, 2017 7:29 AM
  • This will convert SDDL to a full SD.

    # start from an empty ActiveDirectorySecurity object ...
    $sd = [System.DirectoryServices.ActiveDirectorySecurity]::new()
    # ... and let .NET parse the SDDL string (e.g. a schema class's defaultSecurityDescriptor) into it
    $sd.SetSecurityDescriptorSddlForm($sddl)


    \_(ツ)_/

    Wednesday, May 24, 2017 7:58 AM
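  • Putting the two replies together for the original question (this is an added example, not code from anyone in the thread): parse the schema class's defaultSecurityDescriptor SDDL with SetSecurityDescriptorSddlForm, reduce each explicit ACE on both sides to a comparable key, and report only the ACEs on an OU that are not in the default set. The function names, the placeholder OU distinguished name and the use of the RSAT ActiveDirectory module and its AD: drive are my assumptions; the SDDL parsing itself is done by the .NET class, not by text manipulation.

```powershell
# Added example; assumes Windows PowerShell 5+ on a domain-joined host with the RSAT
# ActiveDirectory module. Function names and the OU DN below are placeholders.
Add-Type -AssemblyName System.DirectoryServices

function ConvertFrom-SddlToAdSecurity {
    # Wrap an SDDL string (e.g. defaultSecurityDescriptor) in an ActiveDirectorySecurity object.
    # Domain-relative SID abbreviations such as DA/EA are resolved against the domain of the
    # machine running the script, so run this in the same domain as the OUs you inventory.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = [System.DirectoryServices.ActiveDirectorySecurity]::new()
    $sd.SetSecurityDescriptorSddlForm($Sddl)
    return $sd
}

function Get-AceKey {
    # Reduce one ActiveDirectoryAccessRule to a string that is equal for equal ACEs:
    # allow/deny, SID, rights mask, object GUID, inherited-object GUID and inheritance type.
    param([Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    $sid = $Rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    return '{0}|{1}|{2}|{3}|{4}|{5}' -f $Rule.AccessControlType, $sid,
        [int]$Rule.ActiveDirectoryRights, $Rule.ObjectType, $Rule.InheritedObjectType,
        $Rule.InheritanceType
}

function Get-ExplicitAceKeys {
    # Defaults are written as explicit ACEs at object creation, so only explicit rules are
    # compared ($true = include explicit, $false = skip inherited ones from parent containers).
    param([Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurity]$Sd)
    foreach ($rule in $Sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
        Get-AceKey -Rule $rule
    }
}

function Get-NonDefaultAce {
    # Return the explicit ACEs of $ObjectSd that do not appear in the class default SD.
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurity]$ObjectSd,
        [Parameter(Mandatory)][string]$DefaultSddl
    )
    $defaultKeys = @(Get-ExplicitAceKeys -Sd (ConvertFrom-SddlToAdSecurity -Sddl $DefaultSddl))
    $ObjectSd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { (Get-AceKey -Rule $_) -notin $defaultKeys }
}

# --- usage against a live domain ---
Import-Module ActiveDirectory
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$ouClass  = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=organizationalUnit)' `
                         -Properties defaultSecurityDescriptor

$ouDn = 'OU=Workstations,DC=example,DC=com'      # placeholder, replace with a real OU
$ouSd = Get-Acl -Path "AD:\$ouDn"                # ActiveDirectorySecurity via the AD: provider

Get-NonDefaultAce -ObjectSd $ouSd -DefaultSddl $ouClass.defaultSecurityDescriptor |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritedObjectType, InheritanceType
```

    Two caveats when reading the output: ACEs inherited from parent containers are deliberately excluded here (they are not part of the class default, and the page's question is about explicit permissions), and an ACE that looks like a default but was re-added by hand will still compare equal and be filtered out. For containers, repeat the lookup with lDAPDisplayName=container; the same comparison applies.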