ACL is an abbreviation of Access Control List. In Windows 2000 and Windows NT, the ACL is one part of the security descriptor attached to every Active Directory object. A security descriptor is composed of four parts: the owner of the object, the group the object belongs to, the discretionary access control list (DACL) and the system access control list (SACL). The DACL is what is usually meant by "the ACL"; it determines which permissions principals have on the Active Directory object. The SACL is used to audit access to the object. Roughly speaking, it works like licence management in society: one department issues licences (permissions), and another department audits them. Acldiag is a tool for diagnosing and repairing problems in this mechanism.
Acldiag is a command-line tool whose function is to diagnose the permissions of an Active Directory object. It reads the security attribute information from the access control list and writes it to a text file in an easy-to-understand format. The security attribute information includes a detailed description of each permission, the user or group it applies to, and so on; the resulting text file can also be used as a report.
The tasks that can be done using Acldiag are:
1. Compare the permissions defined by the ACL of a directory service object with the defaults in the schema.
2. Check or repair standard delegations that were created from a template.
3. For a specified user or group, or for all users and groups, obtain the effective permissions and display them as they appear in the ACL.
The AclDiag tool only displays the permissions and user rights of an object. Other information such as Group Policy cannot be displayed, mainly because a Group Policy is a virtual object, and the name of a virtual object cannot be used with this tool.
II. Syntax of AclDiag:
acldiag "ObjectDN" [/chkdeleg] [/fixdeleg] [/geteffective:{User | Group}] [/schema] [/skip] [/tdo]
Parameters and Description:
ObjectDN
The distinguished name of the Active Directory object to diagnose. When this parameter is used on the command line, the Active Directory object name must be enclosed in quotes.
/chkdeleg
Checks the security of the delegations and authorizations on the object.
/fixdeleg
Detects and repairs the permissions of all delegations on the object that were performed with the Delegation of Control wizard.
/geteffective:{User | Group}
Prints the effective permissions of the specified user or group in a readable format.
/schema
Checks whether the security of the objects in the default schema is intact.
/skip
Does not display (skips) the security descriptor.
/tdo
Writes the output in tab-delimited form when the data needs to be saved for further processing in a "readable" format. In Windows 2000 and Windows NT, to unify standards and simplify processing, Microsoft specified a set of layouts for recording various kinds of information, the so-called "spreadsheet" format (not the same thing as what we usually call Excel).
As when verifying other tools, I actually executed acldiag /? in the command-line window to get the help information printed by the program; comparing the two, I found that the content of the help document and the content of the prompt information are consistent. As for the results of each item, limited by time and conditions, no more in-depth research has been conducted. An example of a real diagnosis is presented in the help documentation: this example diagnoses the access rights of all objects in the default schema of the microsoft.com domain. The command and parameters are as follows:
C:\>acldiag "DC=microsoft,DC=com" /schema
III. Interpretation of Diagnostic Output Information
To determine a system's problem, it is not enough to run the diagnosis; one must also understand the meaning of the information the diagnostic tool outputs. For this tool, the key parts of the diagnostic information are as follows.
Still using the diagnosis described above as a template, first execute:
acldiag "DC=microsoft,DC=com"
After execution, the screen output is not only in English but also very long, so it is not convenient to reproduce it here. After reading it carefully, I feel that the main items cover the following aspects:
1. Which system was diagnosed. This is equivalent to the patient's name that a doctor fills in on a medical record.
2. Description of the object: Owner: {User | Group}
3. Permissions: four keywords appear: Deny, Allow, User and Group; only one of each applies to a given entry.
4. Inheritance of permissions: an object's permissions may be inherited from its parent, and the permissions of the current object may in turn be inherited by its child objects; the inherited permissions also fall within the four keywords above.
5. Permission audit: this is the part mentioned above. An audit of a permission has only two results, success and failure, and the audit also covers the inherited part.
6. Default schema: still using the above diagnosis as a template, the default-schema diagnostic command is: acldiag "DC=microsoft,DC=com" /schema
The results fall into three types: present, absent, and partially present.
7. Delegation template: the command form is: acldiag "DC=microsoft,DC=com" /chkdeleg
The output is as follows:
Status: {OK | NOT PRESENT/MISCONFIGURED}
Whether the object is used: {YES | NO}
Whether inherited: {YES | NO}
Only one of the states on either side of the vertical bar applies.
8. Effective permissions: the command line is:
acldiag "DC=microsoft,DC=com" /geteffective:{User | Group}
The output is as follows:
{User | Group} 1:
Can Read {All | PropertyList} properties. (via Group membership)
Can Write {All | PropertyList} properties. (via Group membership)
Can Create {All | ObjectList} objects. (via Group membership)
Can Delete {All | ObjectList} objects. (via Group membership)
Can Delete this object. (via Group membership)
Can Delete entire subtree. (via Group membership)
Can List subobjects. (via Group membership)
Can Read permissions. (via Group membership)
Can Modify permissions. (via Group membership)
Can Take/Change ownership. (via Group membership)
This is the effective permission information. The parts in braces are optional, and only one of the states on either side of the vertical bar applies. The permission attributes are: read properties, write properties, create objects, delete objects, delete this object, delete the entire subtree, list child objects, read permissions, modify permissions, and take or change ownership. The text in parentheses after each line indicates that the permission is obtained through group membership.
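As an added illustration (not code from the original article or from Microsoft), the following Python script parses output in the /geteffective format described above and flags any principal whose effective rights include modifying permissions or taking ownership, since those rights let the holder rewrite the ACL itself. The sample text is constructed from the documented format, not a real acldiag capture.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the acldiag /geteffective output format (not a real capture).
SAMPLE_OUTPUT = """\
User 1:
Can Read All properties. (via Group membership)
Can Write All properties. (via Group membership)
Can List subobjects. (via Group membership)
Can Read permissions. (via Group membership)
Group 2:
Can Create All objects. (via Group membership)
Can Delete this object. (via Group membership)
Can Modify permissions. (via Group membership)
Can Take/Change ownership. (via Group membership)
"""

# Rights that allow a principal to change the ACL itself; a reviewer
# should confirm every principal that holds one of them really needs it.
SENSITIVE = {"Modify permissions", "Take/Change ownership"}

HEADER = re.compile(r"^(User|Group) \d+:$")
RIGHT = re.compile(r"^Can (.+?)\.(?: \((.*)\))?$")


def parse_effective(text: str) -> Dict[str, List[str]]:
    """Group each 'Can ...' line under the 'User n:' / 'Group n:' header it follows."""
    result: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if HEADER.match(line):
            current = line[:-1]          # drop the trailing ':'
            result[current] = []
            continue
        m = RIGHT.match(line)
        if m and current is not None:
            result[current].append(m.group(1))   # e.g. "Read All properties"
    return result


def sensitive_principals(parsed: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Return the principals holding any ACL-altering right, and which ones."""
    hits: Dict[str, Set[str]] = {}
    for principal, rights in parsed.items():
        found = {s for s in SENSITIVE if any(r.startswith(s) for r in rights)}
        if found:
            hits[principal] = found
    return hits
```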