ACL is the abbreviation of Access Control List. In Windows 2000 and Windows NT, the ACL is part of the security descriptor of an Active Directory object. The security descriptor of each Active Directory object consists of four parts: the owner (creator) of the object, the group the object belongs to, the discretionary access control list, and the system access control list. The discretionary access control list is what is normally meant by "the ACL": it determines the permissions on the Active Directory object. The system access control list governs auditing of access to the object. Loosely speaking, it is like license management in society: one department is responsible for issuing licenses (permissions) and another for auditing them. Acldiag is a tool for diagnosing and repairing this mechanism when something in it goes wrong.
Acldiag is a command-line tool whose function is to diagnose the permissions of an Active Directory object. It reads the security attributes from the access control list and writes them to a text file in an easy-to-understand format. These security attributes include the detailed permission descriptions, the users and groups involved, and so on; the text file can also be used as a report.
The tasks you can do with Acldiag are:
1. Compare the permissions defined on a directory service object with those in the default schema.
2. Check or repair the standard delegations that were performed with templates (the Delegation of Control Wizard).
3. For a given user or group, or for all users and all groups, obtain the effective permissions and display them from the ACL.
AclDiag displays only the permissions and user rights of an object. Other information, such as Group Policy, cannot be displayed, mainly because Group Policy is a virtual object and this tool cannot use the name of a virtual object.
II. The syntax of AclDiag:
acldiag "ObjectDN" [/chkdeleg] [/fixdeleg] [/geteffective:{User | Group}] [/schema] [/skip] [/tdo]
Parameters and description:
ObjectDN
The distinguished name of the Active Directory object to examine. When this parameter is used on the command line, the object name must be enclosed in quotes.
/chkdeleg
Checks the security of the delegations on the object.
/fixdeleg
Detects and repairs all delegations on the object that were made with the Delegation of Control Wizard.
/geteffective:{User | Group}
Prints the effective permissions of the specified user or group in a readable format.
/schema
Checks whether the objects in the default schema are secure.
/skip
Does not display (skips) the security descriptors.
/tdo
Writes the information to a file in a format suitable for saving and further processing, either the format specified by the system or another "readable" one. In Windows 2000 and Windows NT, to unify standards and ease processing, Microsoft specified a set of layouts for recording various kinds of information, the so-called "spreadsheet" style (not necessarily Excel as we usually understand it).
As with the other tools I verified, I actually executed acldiag /? in the command-line window to get the program's help prompt; comparing the two, I found that the content of the help documentation and the content of the prompt are consistent. As for the result of each item, limited by time and conditions, I did no further in-depth research. The help documentation presents an example of a real diagnosis: it diagnoses the access rights of all default schema objects in the microsoft.com domain. The command and parameters are as follows:
C:\>acldiag "DC=microsoft,DC=com" /schema
III. Interpreting the diagnostic output
To determine what is wrong with a system, it is not enough to run the diagnosis; the meaning of the information the diagnostic tool outputs must also be understood. For this tool, the key parts of the diagnostic information are as follows.
Still using the diagnosis described above as a template, first execute:
acldiag "DC=microsoft,DC=com"
After execution the screen output is not only in English but also very long, so it is not reproduced here. After reading it carefully, I feel the main items are the following:
1. Which system was diagnosed. This is equivalent to the patient's name that the doctor fills in on the medical record.
2. Description of the object: Owner: {User | Group}
3. Permissions: there are four types, Deny, Allow, User and Group, and only one of them applies to each entry.
4. Inheritance of permissions: an object's permissions may be inherited from its parent, or the permissions of the current object may be inherited by its child objects; inherited permissions also fall within the four types above.
5. Permission auditing: this is the part mentioned above. Auditing a permission has only two results, success and failure. The audit also covers the inherited part.
6. Default schema: still using the diagnosis above as a template, the default schema diagnostic command is: acldiag "DC=microsoft,DC=com" /schema
The results are of three types: present, not present, local.
7. Delegation template: the command form is: acldiag "DC=microsoft,DC=com" /chkdeleg
The output is as follows:
Status: {OK | NOT PRESENT/MISCONFIGURED}
Whether the object is used: {YES | NO}
Whether inherited: {YES | NO}
Only one of the states on either side of the vertical bar can apply.
8. Effective permissions: the command line is:
acldiag "DC=microsoft,DC=com" /geteffective:{User | Group}
The output is as follows:
{User | Group} 1:
Can Read {All | PropertyList} properties. (via Group membership)
Can Write {All | PropertyList} properties. (via Group membership)
Can Create {All | ...} (via Group membership)
Can Delete {All | ...} (via Group membership)
Can Delete this object. (via Group membership)
Can Delete entire subtree. (via Group membership)
Can List subobjects. (via Group membership)
Can Read permissions. (via Group membership)
Can Modify permissions (via Group membership)
Can Take/Change ownership. (via Group membership)
These are the effective permission entries. The items in braces are alternatives, and only one of the states on either side of the vertical bar applies. The permission attributes are: read, write, create, delete, delete this object, delete the entire subtree, list child objects, read permissions, modify permissions, and take or change ownership. The note in parentheses, "via Group membership", means the right is obtained through membership in a group.
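As an added example (not part of the original article and not code from the AclDiag tool), the following Python script parses /geteffective output saved to a text file, following the template above, and flags principals whose effective rights allow them to rewrite the ACL itself. The sample output it runs on is constructed here and assumes one principal per line in the form shown; real acldiag output was not reproduced in the article.

```python
import re
from dataclasses import dataclass, field

# Constructed sample that follows the /geteffective output template above;
# it is NOT real acldiag output (assumption: one principal per line).
SAMPLE_OUTPUT = """\
User 1: Can Read All properties. (via Group membership) Can Write PropertyList properties. (via Group membership) Can List subobjects. Can Read permissions.
Group 2: Can Read All properties. Can Modify permissions (via Group membership) Can Take/Change ownership. (via Group membership)
"""

VIA_GROUP = "(via Group membership)"
# Rights that let a principal rewrite the ACL or remove whole subtrees;
# these deserve a second look in any permissions audit.
SENSITIVE = ("Modify permissions", "Take/Change ownership", "Delete entire subtree")

@dataclass
class Principal:
    kind: str                                   # "User" or "Group"
    index: int                                  # the number printed after the kind
    rights: list = field(default_factory=list)  # (right text, via_group flag)

def parse_geteffective(text):
    """Parse acldiag-style /geteffective output into Principal records."""
    principals = []
    for line in text.splitlines():
        m = re.match(r"^(User|Group)\s+(\d+):\s*(.*)$", line.strip())
        if not m:
            continue                # not a principal line in this template
        p = Principal(m.group(1), int(m.group(2)))
        # Every right begins with the word "Can"; split on that boundary.
        for clause in re.split(r"(?=\bCan\b)", m.group(3)):
            clause = clause.strip()
            if not clause.startswith("Can "):
                continue
            via_group = clause.endswith(VIA_GROUP)
            if via_group:
                clause = clause[: -len(VIA_GROUP)].strip()
            p.rights.append((clause[len("Can "):].rstrip("."), via_group))
        principals.append(p)
    return principals

def sensitive_findings(principals):
    """Return (kind, index, right) for every right listed in SENSITIVE."""
    return [(p.kind, p.index, r) for p in principals
            for r, _ in p.rights if r.startswith(SENSITIVE)]

if __name__ == "__main__":
    for kind, idx, right in sensitive_findings(parse_geteffective(SAMPLE_OUTPUT)):
        print(f"{kind} {idx}: holds '{right}' - review this delegation")
```

To use it on a real run, redirect the acldiag output to a file and pass its contents to parse_geteffective instead of SAMPLE_OUTPUT.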