Active Directory Security dot com

Complete Coverage of Delegation, Security Audit & Compliance Reporting in Active Directory

Brought to you by former Microsoft Program Manager for Active Directory Security
REFERENCE GUIDANCE REPORTING
Reference | Top-20 D | Risks | FAQ Delegate | Verify | Assess | Audit | Report | Comply Reports Tools
Security Model
Security Descriptors
Security Groups
Security Permissions
Property Sets
Extended Rights
Validated Writes
Visibility Modes
SDDL
LDAP Filters
Deleted Objects
True Last Logon
Nested Group Memberships
Resultant Access




Gold Finger Mini

Active Directory Property Sets

An Active Directory Property Set refers to a group of related properties (attributes) for which access control can be collectively specified in a single ACE. The ability to collectively specify access on a related set of properties simplifies access specification and management.

There are a total of fifteen Active Directory Property Sets defined in the Windows Server Schemas –

  1. Domain-Password

  2. Email-Information

  3. General-Information

  4. Membership

  5. Personal-Information

  6. Public-Information

  7. RAS-Information

  8. User-Account-Restrictions

  9. User-Logon

  10. Web-Information

  11. DNS-Host-Name-Attributes (introduced in Windows Server 2003)

  12. Domain-Other-Parameters (introduced in Windows Server 2003)

  13. MS-TS-GatewayAccess (introduced in Windows Server 2008)

  14. Private-Information(introduced in Windows Server 2008)

  15. Terminal-Server-License-Server (introduced in Windows Server 2008)



Are you trying to find out where all a user or security group has permissions in AD, or what attributes belong to a property set?
You can, with Gold Finger from Paramount Defenses !
 		       Free Trial  


The following is the membership of these fifteen Active Directory property sets –

  1. Domain-Password – A collection of user account password and account lockout related properties that belong to the domain root object.

    Common Name –Domain Password
    Display Name –Domain Password & Lockout Policies
    Rights-GUID –c7407360-20bf-11d0-a768-00aa006e0529
    Applies To –Domain
    Domain-DNS
    -
    Members –Lock-Out-Observation-Window
    Lockout-Duration
    Lockout-Threshold
    Max-Pwd-Age
    Min-Pwd-Age
    Min-Pwd-Length
    Pwd-History-Length
    Pwd-Properties


  2. Email-Information – This property set was initially conceived with the idea of collecting a set of properties pertaining to a user's e-mail information, but it has no members.

    Common Name –Email–Information
    Display Name –Phone and Mail Options
    Rights-GUID –e45795b2-9455-11d1-aebd-0000f80367c1
    Applies To –User
    Group
    inetOrgPerson (Windows Server 2003)
    -
    Members –None





Are you trying to find out who has what access on a property set, or which email accounts are OWA enabled, or hidden from GAL?
You can, with Gold Finger from Paramount Defenses !
 		       Free Trial  


  1. General-Information – This property set is comprised of a collection of properties related to a user that constitute general user information.

    Common Name –General-Information
    Display Name –General Information
    Rights-GUID –59ba2f42-79a2-11d0-9020-00c04fc2d3cf
    Applies To –User
    inetOrgPerson (Windows Server 2003)
    -
    Members –Admin-Description
    Code-Page
    Country-Code
    Display-Name
    Object-Sid
    Primary-Group-ID
    SAM-Account-Name
    SAM-Account¬-Type
    SD-Rights-Effective
    Show-In-Advanced-View-Only
    SID-History
    uid
    User-Comment



  2. Membership – This property set consists of a pair of properties that are meant to specify group membership information related to a user. It may be noted however that one of these properties does not belong to objects of class user.

    Common Name –Membership
    Display Name –Group Membership
    Rights-GUID –bc0ac240-79a9-11d0-9020-00c04fc2d4cf
    Applies To –User
    inetOrgPerson (Windows Server 2003)
    -
    Members –Is-Member-Of-DL
    Member




Are you trying to identify nested group memberships in your AD. or determine nested group memberships, or enumerate groups?
You can, with Gold Finger from Paramount Defenses !
 		       Free Trial  


  1. Personal-Information – This property set is comprised of a collection of properties related to a user that constitute personal information.

    Common Name –Personal-Information
    Display Name –Personal Information
    Rights-GUID –77b5b886-944a-11d1-aebd-0000f80367c1
    Applies To –User
    Contact
    Computer
    inetOrgPerson (Windows Server 2003)
    -
    Members –Address
    Address-Home
    Assistant
    Comment
    Country-Name
    Facsimile-Telephone-Number
    International-ISDN-Number
    Locality-Name
    MSMQ-Digests
    MSMQ-Sign-Certificates
    Personal-Title
    Phone-Fax-Other
    Phone-Home¬-Other
    Phone-Home-Primary
    Phone-Ip-Other
    Phone-Ip-Primary
    Phone-ISDN-Primary
    Phone-Mobile-Other
    Phone-Mobile-Primary
    Phone-Office¬-Other
    Phone-Pager-Other
    Phone-Pager-Primary
    Physical-Delivery-Office-Name
    Picture
    Post-Office-Box
    Postal-Address
    Postal-Code
    Preferred-Delivery-Method
    Registered-Address
    State-Or-Province-Name
    Street-Address
    Telephone-Number
    Teletex-Terminal-Identifier
    Telex-Number
    Telex-Primary
    User-Cert
    User-Shared-Folder
    User-Shared-Folder-Other
    User-SMIME-Certificate
    X121-Address
    X509-Cert




Are you trying to find out who has write access to a property set, or who has what permissions in your Active Directory?
You can, with Gold Finger from Paramount Defenses !
 		       Free Trial  


  1. Public-Information – This property set is comprised of a collection of properties related to a user that constitute public information.

    Common Name –Public-Information
    Display Name –Public Information
    Rights-GUID –e48d0154-bcf8-11d1-8702-00c04fb96050
    Applies To –User
    Computer
    inetOrgPerson (Windows Server 2003)
    -
    Members –Additional-Information
    Allowed-Attributes
    Allowed¬-Attributes-Effective
    Allowed-Child-Classes
    Allowed-Child-Classes-Effective
    Alt-Security-Identities
    Common¬-Name
    Company
    Department
    Description
    Display-Name-Printable
    Division
    E-mail-Addresses
    Given-Name
    Initials
    Legacy-Exchange-DN
    Manager
    ms-DS-Allowed-To-Delegate-To
    ms-DS-Approx-Immed-Subordinates
    ms-DS-Auxiliary-Classes
    Obj-Dist-Name
    Object-Category
    Object-Class
    Object-Guid
    Organization-Name
    Organizational-Unit-Name
    Other-Mailbox
    Proxy-Addresses
    RDN
    Reports
    Service-Principal-Name
    Show-In-Address-Book
    Surname
    System-Flags
    Text-Country
    Title
    User-Principal-Name




Are you trying to find out who has what permissions in your AD, or who has dial-in RAS permissions in your Active Directory?
You can, with Gold Finger from Paramount Defenses !
 		       Free Trial  


  1. RAS-Information – This property set is comprised of a collection of properties related to a user's remote access preferences and settings.

    Common Name –RAS-Information
    Display Name –Remote Access Information
    Rights-GUID –037088f8-0ae1-11d2-b422-00a0c968f939
    Applies To –User
    inetOrgPerson (Windows Server 2003)
    -
    Members –msNPAllowDialin
    msNPCallingStationID
    msRADIUSCallbackNumber
    msRADIUSFramedIPAddress
    msRADIUSFramedRoute
    msRADIUSServiceType
    Token-Groups
    Token-Groups-Global-And-Universal
    Token-Groups-No-GC-Acceptable




  2. User-Account-Restrictions – This property set is comprised of a collection of properties related to specify account usage and password related restrictions associated with an account.

    Common Name –User-Account-Restrictions
    Display Name –User Account Restrictions
    Rights-GUID –4c164200-20c0-11d0-a768-00aa006e0529
    Applies To –User
    Computer
    inetOrgPerson (Windows Server 2003)
    -
    Members –Account-Expires
    ms-DS-User-Account-Control-Computed
    Pwd-Last-Set
    User-Account-Control
    User-Parameters



  3. User-Logon – This property set is comprised of a collection of properties associated with a user's logon settings.

    Common Name –User-Logon
    Display Name –User Logon
    Rights-GUID –5f202010-79a5-11d0-9020-00c04fc2d4cf
    Applies To –User
    inetOrgPerson (Windows Server 2003)
    -
    Members –Bad-Pwd-Count
    Home-Directory
    Home-Drive
    Last-Logoff
    Last-Logon
    Last-Logon-Timestamp
    Logon-Count
    Logon-Hours
    Logon-Workstation
    Profile-Path
    Script-Path
    User-Workstations




Are you trying to find out who can modify logon settings in Active Directory, or who recently logged on, or who has never logged on?
You can, with Gold Finger from Paramount Defenses !
 		       Free Trial  


  1. Web-Information – This property set is comprised of a collection of properties related to the user's web related information.

    Common Name –Web-Information
    Display Name –Web Information
    Rights-GUID –e45795b3-9455-11d1-aebd-0000f80367c1
    Applies To –User
    Contact
    inetOrgPerson (Windows Server 2003)
    -
    Members –WWW-Home-Page
    WWW-Page-Other



  2. DNS-Host-Name-Attributes – This property set is comprised of a collection of properties related to DNS associated with a computer.

    Common Name –DNS-Host-Name-Attributes
    Display Name –DNS Host Name Attributes
    Rights-GUID –72e39547-7b18-11d1-adef-00c04fd8d5cd
    Applies To –Computer
    -
    Members –DNS-Host-Name
    ms-DS-Additional-DNS-Host-Name



  3. Domain-Other-Parameters – This property set is comprised of a collection of properties associated with an Active Directory domain that are primarily used by the Security Accounts Manager (SAM).

    Common Name –Domain-Other-Parameters
    Display Name –Domain Other Parameters
    Rights-GUID –b8119fd0-04f6-4762-ab7a-4986c76b3f9a
    Applies To –Domain-DNS
    -
    Members –Domain-Replica
    Force-Logoff
    Modified-Count
    OEM-Information
    Server-Role
    Server-State
    UAS-Compat



  4. MS-TS-GatewayAccess – This property set was initially conceived with the idea of collecting a set of properties pertaining to a user's Microsoft Terminal Server settings, but it has no members.

    Common Name –MS-TS-GatewayAccess
    Display Name –MS-TS-GatewayAccess
    Rights-GUID –ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501
    Applies To –Computer
    -
    Members –None




Are you trying to find out who has RAS permissions, or who has elevated (Domain-admin) privileges in your Active Directory?
You can, with Gold Finger from Paramount Defenses !
 		       Free Trial  


  1. Private-Information – This property is comprised of a set of properties that are used by Microsoft Certificate Services and that facilitate the roaming of a user's private keys and certificates on domain joined computers.

    Common Name –Private-Information
    Display Name –Private Information
    Rights-GUID –91e647de-d96f-4b70-9557-d63ff4f3ccd8
    Applies To –User
    inetOrgPerson (Windows Server 2003)
    -
    Members –ms-PKI-RoamingTimeStamp
    ms-PKI-DPAPIMasterKeys
    ms-PKI-AccountCredentials



  2. Terminal-Server-License-Server – This property set is comprised of a set of properties pertaining to a user's Microsoft Terminal Server configuration settings.

    Common Name –Terminal-Server-License-Server
    Display Name –Terminal Server License Server
    Rights-GUID –5805bc62-bdc9-4428-a5e2-856a0f4c185e
    Applies To –User
    inetOrgPerson (Windows Server 2003)
    -
    Members –Terminal-Server
    MS-TS-ExpireDate
    MS-TS-LicenseVersion
    MS-TS-ManagingLS
Gold Finger - Microsoft-endorsed, Active Directory Resultant Access/Security Auditing/Reporting Tool
About Copyright ActiveDirSec.Com 2008 – 2011. All Rights Reserved Disclaimer
Active Directory Security Active Directory Reports Active Directory Reporting Tools Cyber Security and Global Security
Active Directory Audit Tool Active Directory Reporting Tool Active Directory Reporting Tools Active Directory Effective Permissions