Printout Header
LEX RSS Feed

LEX Online Manual Content

Editor for Microsoft Security Descriptor Access Control Entries

This editor is used to show, edit or create access control entries (ACEs) in the Microsoft security descriptor attributes. It only appears if you were in the attribute editor for Microsoft security descriptor (NTSecurityDescriptor) attributes. If you use the Edit or New buttons there, this editor is shown:

Editor for Microsoft Access Control Entries

Please note that if you click on OK here, you just set the line ACE entry line in editor for Microsoft security descriptor (NTSecurityDescriptor) attributes. No data is written to the directory at this point - until you close the security descriptor editor with an OK.


Grant or Deny

 

This determines whether a permission is granted or denied. Please remember that in the world of Active Directory object permissions, a deny entry winds always over a colliding grant entry. If you want to change the entry's type, just click on the type label and choose Grant or Deny from the pulldown list.

If you are editing an entry from the System Access Control list (SACL), than you don't see the Grant/Deny choice here - instead there are settings for activating the audit for Success, Failure or Both:

Editor for Microsoft Access Control Entries


Access Mask

 

These values are readonly - the access mask reflects the value which is determined by the permission flags chosen on the right side of the dialog. For more flexibility, the current permission flag value is shown as a decimal and a hexadecimal value.




Set "READ" / Set "WRITE" / Set "FULL"

 

These buttons can configure the permissions exactly like it is set in the Microsoft standard dialog for setting object security:

Standard editor for object security

In fact, these settings are just combinations of the internal permission flags:

  • READ: Access mask 131220 (0x20094), this is a combination of
    • RP: DS_READ_PROP - Read attribute 'All Properties'
    • LC: DS_LIST - List children
    • LO: DS_LIST_OBJECT - List this object
    • RC: READ_CONTROL - Read Permissions
  • WRITE: Access mask 131260, (0x200BC), this is a combination of
    • RP: DS_READ_PROP - Read attribute 'All Properties'
    • WP: DS_WRITE_PROP - Write attribute 'All Properties'
    • LC: DS_LIST - List children
    • LO: DS_LIST_OBJECT - List this object
    • RC: READ_CONTROL - Read Permissions
    • VW: DS_SELF - Allow validated write 'All validated writes'
  • FULL: Access mask 983551, (0xF01FF), this is a combination of all permissions but
    • GR: GENERIC_READ - Read permission and properties, list content
    • GW: GENERIC_WRITE - Write permissions, properties and validated
    • GE: GENERIC_EXECUTE - Read permissions and list content
    • GA: GENERIC_ALL - Full content

The strange thing is that the standard combination FULL doesn't contain the GENERIC_ALL permission flag. This is because the GENERIC_xxx flags are designed for file system security descriptors and are very seldom used in Active Directory object security settings.


Trustee

 

The security principal object which has permission for the regarding object. Technically, there are SID (Security Identifier) of the regarding object used for the access control entry. Some of them are well-known SIDs which are representing generic user/groups like SYSTEM, ANONYMOUS or AUTHENTICATED USERS. The well-known SID entries are marked in brackets like this [Authenticated Users].

The Trustee text box can be used to enter a distinguished name directly - or you use the Browse button and choose an object from a object select browser.

The text box for the trustee's name has also the ability to quick-search objects when you enter names are parts of names which can be used to find them. When the Check Names button Check Names button is active, you just have to enter a string and LEX will automatically search for directory objects which match to this string. If more than one objects match to the search string, then an additional dialog lets you choose the object from a list:

DN edit with auto check names select list

The search for this objects is done with the same criteria as in the simple search function when you use the Directory Search dialog. If you chose the object from the list, or if you entered directly the full distinguished name of an object, then LEX realizes that the string in the text box is a real DN, it is underline to show that LEX matches this information internally. If the Check Names button is inactive, you can always try to resolve the string you entered into an objects DN by pressing F5.

If you want to see the distinguished name in the text box in a shorter, more readable form, you can activate the Show friendly object names button Friendly Names button. This is the same feature which is used also in the LEX main windows object list.

DN edit without friendly names

When you are in the mode where the distinguished names are displayed as short relative names, you can move your mouse over the regarding objects name: A popup text line will show you the complete distinguished name:

Full info for friendly names



Propagation

 

Object permissions can be inherited to child objects and subtrees in an Active Directory environment. This setting determines the propagation configuration of the regarding access control entry to child objects. There are different types of propagation:

  • This object only: No propagation of the regarding permission on any child object.

  • This object and all child objects: Propagation of the entry to the entire subtree below the regarding object whose permissions we currently access.

  • This object and all child objects: The ACE permission settings are applied to the object itself and all direct child objects - not to objects in deeper subtree hierarchy levels.

  • Child objects only: The ACE permission settings are applied ONLY to the subtree, not to the object itself. You can configure additionally the name of the object class - this means that only objects of the specified class inherit the permission entry.

  • Direct child objects only: The ACE settings are applied ONLY to the direct child objects, not to the object itself and not to objects in deeper subtree hierarchy levels. You can configure additionally the name of the object class - this means that only objects of the specified class inherit the permission entry.


Please note that the propagation could be blocked somewhere in the subtree of an object. this inheritance block can be set in this tab also: Just deactivate the Inherit permissions from parent objects option. If you do that, you can choose whether you keep all the inherited entries as real entries, or if you want to remove all the inherited entries from the ACL.




Single Permission Flags

 

These are all the permission flags which can be used to built up the access mask. Basically there are AD specific permission flags in this list, the last few GENERIC_xxx flags are designed for file system security descriptors and are very seldom used in Active Directory object security settings.

Please note that for each permission flag, a two-character abbreviation is shown which is exactly the abbreviation used in the according DSACL.EXE calls.

Tweet