
Q. What Active Directory objects have specified access control entries (ACEs)?

I have scripted DSPerms.bat to return the distinguished names of directory services objects that have access control entries (ACEs) that you specify.

DSPerms.bat uses DSQUERY from the Active Directory command-line tools to retrieve directory service objects, and Dsacls.exe to retrieve ACEs on the object.

The syntax for using DSPerms.bat is:

DSPerms StartNode objectClass "Search Terms1" ["Search Terms2" ... "Search TermsN"]

Where:

StartNode       is the node where the search will start. It can be forestroot, domainroot,
                or an object distinguished name.
objectClass     is a filter to narrow the search. It can be * (no filtering), or any of the following Classes:

                DS Object    StartNode      Class
                Computer     <StartNode>    Computer
                Contact      <StartNode>    contact
                Subnet       forestroot     subnet
                Group        <StartNode>    group
                OU           <StartNode>    organizationalUnit
                Site         forestroot     site
                Server       forestroot     server
                User         <StartNode>    User
                quota        <StartNode>    quota
                partition    forestroot     dMD

Search TermX    are words from a 'fixed' Dsacls output, where 'fixed' refers to the altering of command
                control characters, and the propagation of previous line data into white space, so as to
                render the human readable output into computer readable output. If a section of the
                Dsacls output contained:

                Inherited to all subobjects
                Allow Everyone                        SPECIAL ACCESS   <Inherited from parent>
                                                      READ PERMISSONS
                                                      LIST CONTENTS

                then the 'fixed' output would contain:

                Inherited to all subobjects Allow Everyone SPECIAL ACCESS {Inherited from parent}
                Inherited to all subobjects Allow Everyone READ PERMISSONS {Inherited from parent}
                Inherited to all subobjects Allow Everyone LIST CONTENTS {Inherited from parent}

                Use ' marks within the double-quoted Search Term to combine words into phrases. A match
                requires that all words and phrases within the Search Term be contained in the 'fixed'
                Dsacls output.
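The 'fixing' and matching described above, written out as an added Python model so the transformation can be read and tested on its own. This is not DSPerms.bat's code (the batch file does the same work in cmd.exe plus a generated VBScript), and it makes two assumptions: the trustee column is separated from the permission column by a run of two or more spaces, where DSPerms.bat cuts every line at a fixed 50 characters, and an Inherited tag is carried forward only onto the continuation lines of the ACE it belongs to, not onto the next separately listed ACE. The dsacls text at the top is a constructed sample, not captured from a real domain.

```python
import re

# Constructed sample of Dsacls.exe output for one object (not captured from a real domain).
SAMPLE_DSACLS = """\
Owner: JSIINC\\Domain Admins
Group: JSIINC\\Domain Admins

Access list:
Effective Permissions on this object are:
Allow JSIINC\\Domain Users             SPECIAL ACCESS for userAccountControl   <Inherited from parent>
                                      READ PROPERTY
Allow BUILTIN\\Pre-Windows 2000 Compatible Access
                                      SPECIAL ACCESS   <Inherited from parent>
                                      LIST CONTENTS
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow Everyone                        SPECIAL ACCESS   <Inherited from parent>
                                      READ PERMISSONS
                                      LIST CONTENTS

The command completed successfully
"""

# Substitutions DSPerms.bat makes in its generated DSPerms.VBS so cmd.exe can echo the
# text without interpreting it: < > ( ) become { } [ ] and & becomes "and".
_CHAR_FIX = str.maketrans({"<": "{", ">": "}", "(": "[", ")": "]"})

# An ACE line starts with the trustee column; two or more spaces separate it from the
# permission column (assumption; DSPerms.bat instead cuts the line at 50 characters).
_ACE_RE = re.compile(r"^(?P<who>(?:Allow|Deny)\s+\S(?:.*?\S)?)(?:\s{2,}(?P<rest>\S.*))?$")
_PERM_RE = re.compile(r"^(?P<perm>.*?)\s*(?P<inh><[^>]*>)?\s*$")
_TERM_RE = re.compile(r"'([^']*)'|(\S+)")


def sanitize(text):
    """Apply the same control-character rewrite as DSPerms.VBS."""
    return text.replace("&", "and").translate(_CHAR_FIX)


def split_permission(rest):
    """Split 'SPECIAL ACCESS for attr   <Inherited from parent>' into (perm, inherit tag)."""
    m = _PERM_RE.match(rest)
    return m.group("perm").strip(), (m.group("inh") or "")


def fix_dsacls(output):
    """Turn dsacls output into one self-contained line per permission.

    A header line becomes the prefix of the lines that follow it, a continuation
    line (blank trustee column) repeats the previous trustee, and a continuation
    line without an <Inherited ...> tag repeats the tag of the ACE it belongs to.
    """
    fixed = []
    hdr = who = inherit = ""
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("The command completed"):
            continue
        if line[0].isspace():
            # Continuation line: permission only; trustee and inheritance carry forward.
            perm, inh = split_permission(line.strip())
        else:
            m = _ACE_RE.match(line)
            if m is None:
                hdr, who, inherit = line.strip(), "", ""  # e.g. "Inherited to all subobjects"
                continue
            who, inherit = m.group("who"), ""            # new ACE: do not reuse the old tag
            if m.group("rest") is None:
                continue                                 # long trustee; permissions follow
            perm, inh = split_permission(m.group("rest"))
        if inh:
            inherit = inh
        fixed.append(sanitize(" ".join(part for part in (hdr, who, perm, inherit) if part)))
    return fixed


def parse_search_term(term):
    """Split one Search Term into plain words and '...'-quoted phrases."""
    return [phrase or word for phrase, word in _TERM_RE.findall(term)]


def dsperms(dn, dsacls_output, *search_terms):
    """Return the fixed lines of one object that contain every word and phrase of
    at least one Search Term, matched case-insensitively as findstr /I /L /C: does."""
    term_lists = [parse_search_term(t) for t in search_terms]
    hits = []
    for line in fix_dsacls(dsacls_output):
        low = line.lower()
        if any(all(t.lower() in low for t in terms) for terms in term_lists):
            hits.append(f'"{dn}" {line}')
    return hits


if __name__ == "__main__":
    for hit in dsperms("CN=test,CN=Users,DC=JSIINC,DC=TST", SAMPLE_DSACLS,
                       "'JSIINC\\Domain Users' 'SPECIAL ACCESS' userAccountControl Inherited parent"):
        print(hit)
```

Run as a script, it prints the one line the Sample Usage below reports for CN=test. Two differences from the batch file are deliberate: dsperms() reports a line once even when several Search Terms match it (DSPerms.bat echoes it once per matching term), and it accepts any number of words per Search Term, where DSPerms.bat handles up to nine.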

Sample Usage and Console Output:

dsperms "CN=Users,DC=JSIINC,DC=TST" user "'JSIINC\Domain Users' 'SPECIAL ACCESS' userAccountControl Inherited parent"

NOTE: Using user in objectClass filtered out group and contact, which are both in the Users container.

"CN=test,CN=Users,DC=JSIINC,DC=TST" Effective Permissions on this object are:          Allow JSIINC\Domain Users                          SPECIAL ACCESS for userAccountControl {Inherited from parent}
"CN=Guest,CN=Users,DC=JSIINC,DC=TST" Effective Permissions on this object are:          Allow JSIINC\Domain Users                          SPECIAL ACCESS for userAccountControl {Inherited from parent}
"CN=SUPPORT_388945a0,CN=Users,DC=JSIINC,DC=TST" Effective Permissions on this object are:          Allow JSIINC\Domain Users                          SPECIAL ACCESS for userAccountControl {Inherited from parent}

NOTE: DSPerms.bat supports multiple Search Terms, but using a single Search Term is likely to run faster. DSPerms.bat is VERY resource intensive, and runs a VERY long time. Constrain your search as much as practical, and consider running it during a weekend.

DSPerms.bat contains:

@echo off
if {%3}=={} @echo Syntax: DSPerms StartNode objectClass "Search Terms1" ["Search Terms2" ... "Search TermsN"]&goto :EOF
setlocal ENABLEDELAYEDEXPANSION
rem Generate DSPerms.VBS, which rewrites < > & ( ) in each dsacls line so cmd.exe can echo it safely.
@echo dim iString, oString, objArgument>"%TEMP%\DSPerms.VBS"
@echo Set objArgument = Wscript.Arguments>>"%TEMP%\DSPerms.VBS"
@echo iString = objArgument(0) >>"%TEMP%\DSPerms.VBS"
@echo oString = Replace(objArgument(0), "<", "{")>>"%TEMP%\DSPerms.VBS"
@echo oString = Replace(oString, ">", "}")>>"%TEMP%\DSPerms.VBS"
@echo oString = Replace(oString, "&", "and")>>"%TEMP%\DSPerms.VBS"
@echo oString = Replace(oString, "(", "[")>>"%TEMP%\DSPerms.VBS"
@echo oString = Replace(oString, ")", "]")>>"%TEMP%\DSPerms.VBS"
@echo Wscript.echo "*:" ^& oString>>"%TEMP%\DSPerms.VBS"
set StartNode=%1
set class=%2
shift
shift
set /a cnt=0
set tab=
rem blank is a run of spaces used for padding; the trailing # keeps cmd.exe from dropping them.
set blank=                                                            #
set OK=N
rem Pack each Search Term into a fixed 200-character slot of %tab%: its word count, then the term.
:ploop
if {%1}=={} goto pfin
set wrk1=%1
shift
set wrk1=%wrk1:"=% # # # # # # # # %blank:~0,50% %blank:~0,50% %blank:~0,50% %blank:~0,50% #
set wrk2=%wrk1:~0,199%
set /a cnt=%cnt% + 1
set wrk2=%wrk2:'="%
call :numbparm %wrk2%
set tab=%tab%%np%%wrk2%
goto ploop
:numbparm
set /a np=0
:numbparm1
if {%1}=={#} goto :EOF
set /a np=%np% + 1
shift
goto numbparm1
:pfin
set hdr=
set who=
set perm=
set inherit=
set pwho=
set pperm=
set pinherit=
rem Enumerate the objects with dsquery, list each object's ACEs with dsacls, and fix every line.
for /f "Tokens=*" %%a in ('dsquery * %StartNode% -filter "(&(objectClass=%class%))" -attr distinguishedName -L -limit 0') do (
 set dn="%%a"
 for /f "Tokens=* Delims=:" %%s in ('dsacls.exe "%%a"^|findstr /i /V /c:"The command completed successfully"') do (
  for /f "Tokens=1* Delims=:" %%y in ('cscript //NOLOGO "%TEMP%\DSPerms.VBS" "%%s"') do (
   set line=%%z %blank:~0,50% # # #
   call :doit
  )
 )
)
endlocal
del /q "%TEMP%\DSPerms.VBS"
goto :EOF
rem Split a fixed line into the trustee column (first 50 characters), the permission, and the inheritance text.
:doit
set who=%line:~0,50%
if "%who%" EQU "" set who=%blank:~0,50%
set who=%who:#=%
for /f "Tokens=1,2*" %%c in ('@echo %line:~50%') do (
 set prm=%%c %%d
 set inherit=%%e
 call :perm
)
goto :EOF
:perm
if "%prm%" EQU "" goto perm1
if "%prm%" EQU "DELETE #" set prm=DELETE&goto perm2
set work=%prm:#=%
if "%work%" EQU "%prm%" goto perm2
rem No permission on this line: it is a header, kept as the prefix for the lines that follow.
:perm1
if /i "%who:~0,11%" EQU "Access list" goto :EOF
if /i "%who:~0,11%" EQU "Permissions" goto :EOF
if "%who:~0,10%" EQU "%blank:~0,10%" goto :EOF
set hdr=%who%
set who=
set prm=
set inherit=
set pwho=
set pprm=
set pinherit=
goto :EOF
rem A blank trustee or inheritance column repeats the value from the previous line.
:perm2
if "%who:~0,10%" EQU "%blank:~0,10%" set who=%pwho%
if "%inherit%" NEQ "" set inherit=%inherit:#=%
if "%inherit%" EQU "" set inherit=%pinherit%&goto perm3
if "%inherit:~0,1%" EQU " " set inherit=%pinherit%&goto perm3
:perm3
if "%OK%" EQU "Y" If %cnt% EQU 1 call :build2&goto perm4
set /a seq=0
for /l %%f in (1,1,%cnt%) do call :Build %%f
:perm4
set pwho=%who%
set pprm=%prm%
set pinherit=%inherit%
goto :EOF
rem Unpack Search Term number %seq% from %tab% and test the fixed line against it.
:Build
set /a pos=%seq% * 200
call set /a np=%%tab:~%pos%^,1%%
set /a pos=%pos% + 1
call set wrk1=%%tab:~%pos%^,199%%
call :build1 %np% %wrk1%
set /a seq=%seq% + 1
goto :EOF
:build1
if "%OK%" EQU "Y" If %cnt% EQU 1 goto build2
shift
set p1=%1
set p1=%p1:"=%
set p2=%2
set p2=%p2:"=%
if "%p2%" EQU "#" set p2=%blank:~0,1%
set p3=%3
set p3=%p3:"=%
if "%p3%" EQU "#" set p3=%blank:~0,1%
set p4=%4
set p4=%p4:"=%
if "%p4%" EQU "#" set p4=%blank:~0,1%
set p5=%5
set p5=%p5:"=%
if "%p5%" EQU "#" set p5=%blank:~0,1%
set p6=%6
set p6=%p6:"=%
if "%p6%" EQU "#" set p6=%blank:~0,1%
set p7=%7
set p7=%p7:"=%
if "%p7%" EQU "#" set p7=%blank:~0,1%
set p8=%8
set p8=%p8:"=%
if "%p8%" EQU "#" set p8=%blank:~0,1%
set p9=%9
set p9=%p9:"=%
if "%p9%" EQU "#" set p9=%blank:~0,1%
set OK=Y
:build2
goto bld%np%
rem bld1 .. bld9 echo the line only if every word/phrase of the Search Term is found (findstr /I /L /C:).
:bld1
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld2
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld3
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld4
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"^|findstr /I /L /C:"%p4%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld5
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"^|findstr /I /L /C:"%p4%"^|findstr /I /L /C:"%p5%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld6
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"^|findstr /I /L /C:"%p4%"^|findstr /I /L /C:"%p5%"^|findstr /I /L /C:"%p6%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld7
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"^|findstr /I /L /C:"%p4%"^|findstr /I /L /C:"%p5%"^|findstr /I /L /C:"%p6%"^|findstr /I /L /C:"%p7%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld8
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"^|findstr /I /L /C:"%p4%"^|findstr /I /L /C:"%p5%"^|findstr /I /L /C:"%p6%"^|findstr /I /L /C:"%p7%"^|findstr /I /L /C:"%p8%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)
goto :EOF
:bld9
for /f "Tokens=*" %%i in ('@echo %dn% %hdr% %who% %prm% %inherit%^|findstr /I /L /C:"%p1%"^|findstr /I /L /C:"%p2%"^|findstr /I /L /C:"%p3%"^|findstr /I /L /C:"%p4%"^|findstr /I /L /C:"%p5%"^|findstr /I /L /C:"%p6%"^|findstr /I /L /C:"%p7%"^|findstr /I /L /C:"%p8%"^|findstr /I /L /C:"%p9%"') do (
 @echo %dn% %hdr% %who% %prm% %inherit%
)

