Printout Header
LEX RSS Feed

LEX Online Manual Content

Editor for Microsoft SecurityDescriptor Attributes

This editor is used to show, edit or create Microsoft security descriptor attributes in an LDAP directory. Such attributes are used quite exclusively in Microsoft Active Direcory environments. The editor also appears if you use the menu option Edit - Permissions for an Active Directory object:

Editor for NTSecurity Descriptor attributes

In the top area of this dialog, you see the distinguished name and type icon for the object whose attribute your are editing. In the line beneath, the attribute name is shown.

To avoid confusion: There is a attribute syntax called String(NT-Sec-Desc) {MS}. We also call this here generally 'security descriptor', because it has nothing to do any more with Windows NT. On the other hand, the object ACL in an Active Director Environment is stored in an actual attribute which is named nTSecurityDesciptor also. This attribute has the syntax (guess what?) String(NT-Sec-Desc) {MS}.

The internal structure of an Microsoft Security Descriptor is very complex. It is described in the Microsoft Active Directory Technical Specification [MSADTS]. The value contained in String(NT-Sec-Desc) attribute represents an Microsoft Security Descriptor in binary form.

The Security Descriptor specifies the owner of an object and two different Access Control Lists: The System ACL (SACL) which controls the audit settings for this object, and the Discretionary ACL (DACL) which specify the access permissions. Therefore we have three different tabs in this attribute editor: Permission, Audit and Owner.

Even the Microsoft Dialog for the security settings of an Active Directory Object doesn't reflect the real situation in the security descriptor data. In most cases, the dialog shows a summary or an an aggregation of the actual ACL entries in the security descriptor. LEX, in contrast, tries to show all the separate entries just as they are present in the data, so that you have an overview of the real situation. On the other hand, LEX tries to present the very complex permission flags in easy-to-handle checkboxes - they are explained below.


The Permission Tab


This tab shows all the ACEs (Access Control Entries) in the Discretionary Access Control List (DACL) of the security descriptor. This list holds the information about the security trustees of the regarding object. Each ACE is represented by one line in the permission tab:

The Permissions tab in the NTSecurity descriptor editor

The list of the access control entries show a summary of each entry per line. The entries can be quite complex - if you want to access and configure the access control entries in detail, you have to double-click on an entry or use the Edit button to show the Access Control Entry editor. But you also can evaluate and access most of the permission settings right here in the list overview.

There are several columns shown in the ACEs list. You can sort the list according to the different columns by clicking on them.

  • Type: Grant or Deny. Please remember that in the world of Active Directory object permissions, a deny entry winds always over a colliding grant entry. If you want to change the entry's type, just click on the type label and choose Grant or Deny from the pulldown list:

    Quick choose of the grant/deny type


  • I: This is an indicator whether the entry is inherited from a parent container of the regarding object or not. Please note that you cannot edit inherited entries. If you want to change or delete inherited entries, the only way to do that is to deactivate the complete inheritance flag for the entire object. This is done by the Inherit permissions from parent objects option. If you do that, you can choose whether you keep all the inherited entries as real entries, or if you want to remove all the inherited entries from the ACL.


  • Name: The security principal object which has permission for the regarding object. LEX shows always a short friendly name here. If you stay with the mouse over an entry, the full distinguished name is shown in a pop-up information:

    The full path of an trustee entry

    Technically, there are SID (Security Identifier) of the regarding object in this list. Some of them are well-known SIDs which are representing generic user/groups like SYSTEM, ANONYMOUS or AUTHENTICATED USERS. The well-known SID entries are marked in brackets like this [Authenticated Users]. These SIDs can be displayed as well if you stay with the mouse pointer over such an entry for a second:

    The well-known SIDs

    If you want to set a new name in the regarding access control entry, you have to double-click on it or use the Edit button to show the Access Control Entry editor.


  • Scope: This is the scope of application for the regarding permission entry. There can be different scope types here, which depends on the permission flags which are currently set (see below for notes about these flags):

    • Attribute scope: If the permissions are related to attributes (Read Property / Write Property), this can be 'All Properties', or an single attribute name, or the name of a Active Directory property set. Property sets are defined in the Active Directory configuration partition and allows to give permissions for multiple attributes with only one single entry in the ACL. You can find the property set definitions in the AD configuration partition under the container Extended-Rights, if you search for objects with a validAccesses value of 48. You even could define your own property set. The bad thing is: An attribute can always be member in only one property set.
    • Object class scope: If the permission are related to objects (Create Child / Delete Child), then the scope can be 'All child objects', or the name of an object class is listed.
    • Extended permission scope: There are a lot of special permissions in an Active Directory which specifies an access to objects are infrastructure elements which can't be expressed with normal permissions. Normally these Active Directory extended rights controls the access to operations on AD objects - they are also called Control Access Rights. Examples for such extended permissions are 'Reset Password', 'Send As', 'Receive As', 'Reanimate Tombstone' and others. If the permission flag is set to 'Special', there could be scope of 'All extended rights' or the name of the extended right. You can find the list of extended rights in the AD configuration partition under the container Extended-Rights, if you search for objects with a validAccesses value of 256.
    • Validated writes: There are some special write permissions defined in Active Directory which controls the access to some of the own object's attribute or references to the own object. Such rights are called Validated Writes. An example is the 'Self-Membership' permission which allows an user to add himself to a group. If the permission flag is set to 'Special' and expresses a validated write, there could be scope of 'All validated writes' or the name of the extended right. You can find the list of validated writes in the AD configuration partition under the container Extended-Rights, if you search for objects with a validAccesses value of 8.
    • Delete permission: In case of some rights combinations which represent the permission to delete something (the D permission flag is set), the scope value defines this more in detail: If the scope value is empty or 'Object', which means that only the object can be deleted. Other scope values could be 'All child objects' (direct children), 'Entire subtree', 'Object and subtree' or 'Object and children'.


    Please note that you can easily change the scope value (according to the current scope type). Just click on the scope label directly in the regarding row and choose the new scope from the pulldown list:

    Choosing the permission scope


  • Permission Flags: These are check boxes where you can examine and set the most used variations of the actual technical permission flags. Please note that these are aggregations of the technical flags. In fact, there are 19 different flags which can be set and combined in one ACE entry - but there are not so much valid combinations of these, and these combinations can be expressed quick and easy with our check boxes here.

    • F: Full Permissions. The only permission which is not included in the Full permission is Read/Write Audit settings - if you want to configure that permission, you have to open the Access Control Entry editor. When you activate this checkbox, all other permissions checkboxes are set also, and the scope value is cleared.

    • R: Read Permissions: If no scope value is set, this means that all attributes and the permissions of the regarding object can be read, and the child objects of this object can be listed. This is the original 'Read' combination when set in the Microsoft Active Directory User and Computers tool. If you set a scope value, than only the read permissions for the specified attribute/property set is addressed.

    • W: Write Permissions: If no scope value is set, this means that all attributes and the permissions of the regarding object can be written, and all validated write permissions are addressed. The original 'Write' combination of the Microsoft Active Directory Users and Computers tool means that R and W is set, meaning the following internal permission flags are activated: Read/Write all Properties, List Children, List this Object, Read Permissions and Allow all Validated Writes.

    • L: List Permissions: If this checkbox is set, the List Children permission was set. Please note that when you have the R and W checkbox set, then this includes the List Children permission - without the L checkbox. This is because that R and W is the original 'Write' combination of the Microsoft Active Directory Users and Computers too

    • C: Create Permissions: This means that the internal permission flag Create Child is set. What child object class can be created is shown (or can be set) in the scope column.

    • D: Delete Permissions: This means that maybe the internal permission flag Delete Child set. What child object class can be deleted is shown (or can be set) in the scope column. Another possibility is that this could indicate some kind of generic Delete permission. The detailed information about what objects can be deleted is shown again in the scope column, for example 'Object', which means that only the object can be deleted. Other scope values could be 'All child objects' (direct child objects), 'Entire subtree', 'Object and subtree' or 'Object and children'.

    • S: Special Permissions: If you see this permission checkbox activated, this could be an internal combination of permission flags which cannot be expressed in the combination checkboxes. Or it could be an Extended Right or Validated Write Permission - which of them, is visible in the Scope column. There are a lot of special permissions in an Active Directory which specifies an access to objects are infrastructure elements which can't be expressed with normal permissions. Normally these Active Directory extended rights controls the access to operations on AD objects - they are also called Control Access Rights. Examples for such extended permissions are 'Reset Password', 'Send As', 'Receive As', 'Reanimate Tombstone' and others. If the permission flag is set to 'Special', there could be scope of 'All extended rights' or the name of the extended right. You can find the list of extended rights in the AD configuration partition under the container Extended-Rights, if you search for objects with a validAccesses value of 256.


    Please be aware of the fact that there are combinations of checkboxes which are NOT possible or not allowed to set in one single ACL line. An example: You cannot set the permission to read a certain attribute on the one hand and the permission to create a certain object class on the other hand in the sam access control entry. The reason for this is that only one scope specifier is allowed per ACE. For such cases, several different ACEs are necessary. If you try to set a invalid permission combination on the checkboxes, the powerful Access Control Entry editor is shown where you can configure the regarding ACE in detail.

  • Propagation: Object permissions can be inherited to child objects and subtrees in an Active Directory environment. This column determines the propagation configuration of the regarding access control entry to child objects. There are different types of propagation:

    • This object only: No propagation of the regarding permission on any child object.

    • This object and all child objects: Propagation of the entry to the entire subtree below the regarding object whose permissions we currently access.

    • This object and all child objects: The ACE permission settings are applied to the object itself and all direct child objects - not to objects in deeper subtree hierarchy levels.

    • Child objects only: The ACE permission settings are applied ONLY to the subtree, not to the object itself.

    • Direct child objects only: The ACE settings are applied ONLY to the direct child objects, not to the object itself and not to objects in deeper subtree hierarchy levels.

    • <Any object class>: The ACE permission settings are applied ONLY to the objects of the configured class in the subtree, not to the object itself.


    Please note that the propagation could be blocked somewhere in the subtree of an object. this inheritance block can be set in this tab also: Just deactivate the Inherit permissions from parent objects option. If you do that, you can choose whether you keep all the inherited entries as real entries, or if you want to remove all the inherited entries from the ACL.

    You can easily change the propagation value. Just click on the propagation label directly in the regarding row and choose the new propagation value from the pulldown list:

    Configuring the permission propgation


Filter for inherited entries


You can filter out the display of all permission entries of upper-level objects (such as OUs) which were inherited on the object. Under certain circumstances, a very large number of inherited permissions exist and the display the permissions may become cluttered and slow. So if you are primarily interested in the explicitly set permissions on objects, then you can use this filter. The filter is activated with a click on the button-field Hide interhited at the dialog bottom:

Configuring the permission propgation

 

So do not forget that with an active filter information there is information that is not currently displayed! The button flashes red in this case:

Configuring the permission propgation




The Audit Tab


The audit tab in the Microsoft NTSecurityDescriptor editor shows all the ACEs (Access Control Entries) in the System Access Control List (SACL) of the security descriptor. This list holds the information about the audit settings for the regarding object. Windows domain controllers can audit the access to the object according to the settings in the SACL, the audit log can be read in the local Security Log of the domain controllers. Remember that there is a global audit flag for Directory Access audit which has to be enabled first (through a GPO settings for the domain controllers).

Each ACE is represented by one line in the permission tab:

The Audit tab in the NTSecurity descriptor editor

The use of the buttons and the meaning of these lines are identical to the ones which were explained before in the Permissions tab. The only difference is in the first column. The type of the access control entry defines which access has to be audited by the system:

  • A Success audit always generate an log entry when the specified access permission was used according to this object.

  • A Failure audit causes an log entry whenever someone tried to use the specified access permissions, but had no permissions to do that.

  • A Success+Failure audit type causes a complete audit according to the specified access permissions.

The Owner Tab


This tab shows the Owner of the regarding object, plus the primary group ID of the owner. Normally the user which had created an object becomes it's owner.

The Audit tab in the NTSecurity descriptor editor

Attention: The owner of an object can always change the security descriptor (=> change the permissions), even if there is no explicit access control entry which specify this!

The owner is always a security Principal of the same Active Directory forest. The owner group is used very seldom by Active Directory mechanisms, it is borrowed from the concept of owner groups in the Unix/Posix world. You cannot set the owner group directly, 'cause this is always derived from the primaryGroupID attribute of the owner.

there is one special case according to object owners: If a member of the Domain Admin group is creating an object, the entire group becomes the owner (just like in Windows file system permissions).

You can change the owner with LEX if you want. The text box for the owner's name has the ability to quick-search objects when you enter names are parts of names which can be used to find them. When the Check Names button Check Names button is active, you just have to enter a string and LEX will automatically search for directory objects which match to this string. If more than one objects match to the search string, then an additional dialog lets you choose the object from a list.

DN edit with auto check names completed

The search for this objects is done with the same criteria as in the simple search function when you use the Directory Search dialog. If you chose the object from the list, or if you entered directly the full distinguished name of an object, then LEX realizes that the string in the text box is a real DN, it is underline to show that LEX matches this information internally. If the Check Names button is inactive, you can always try to resolve the string you entered into an objects DN by pressing F5.

If you want to see the distinguished name in the text box in a shorter, more readable form, you can activate the Show friendly object names button Friendly Names button. This is the same feature which is used also in the LEX main windows object list.

DN edit without friendly names

When you are in the mode where the distinguished names are displayed as short relative names, you can move your mouse over the regarding objects name: A popup text line will show you the complete distinguished name:

Full info for friendly names



Editing the raw security descriptor data


If you opened a security descriptor attribute with this editor dialog, you can also display and edit the underlying data in it's binary form if you want: Just press on the Raw label in the bottom left corner of the dialog. The editor is switched to an binary editor then:

Editing the raw security descriptor data


When will the Microsoft security descriptor editor will be used?


The security descriptor editor is used whenever LEX has valid schema information and detects one of the following official attribute syntaxes:

1.2.840.113556.1.4.907

String(NT-Sec-Desc) {Microsoft}

2.5.5.15

String(NT-Sec-Desc) {Microsoft}