Active Directory Security dot com

Complete Coverage of Delegation, Security Audit & Compliance Reporting in Active Directory

Brought to you by former Microsoft Program Manager for Active Directory Security

Active Directory Security Descriptors

The Microsoft Windows family of operating systems can secure a variety of system objects, such as files, directories, registry keys and mutexes, commonly referred to as securable objects. Likewise, Windows can protect objects in Active Directory, and these objects are protected by security descriptors.


Security Descriptor Components

A security descriptor is a data structure that protects a securable object. It specifies the pertinent security information, such as who has what access to the object.

In particular, a security descriptor consists of four components:

  1. Owner

  2. Group

  3. DACL

  4. SACL


The Owner and the Group fields of a security descriptor specify the Security Identifier (SID) of the owner of the object and the primary group of the object.

The DACL is a set of access control entries (ACEs) that together specify who has what access on this object. In particular, each ACE allows or denies one or more technical permissions to a user or a group of users on the object.

The SACL is a set of ACEs that together specify which operations on this object should be audited. In particular, each ACE specifies the types of access attempts by a specified user or a group of users that cause the system to generate a record in the security event log.
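
The four components can be seen directly in the binary form of a descriptor. The parser below is an added example, not code from the original page; it assumes the self-relative layout Windows uses when a descriptor is stored (for Active Directory objects, in the nTSecurityDescriptor attribute) and handles only the basic allow, deny and audit ACE types, not the object-specific ACE types Active Directory also uses. The function names and the sample bytes are constructed for illustration.

```python
import struct

ACE_TYPES = {0: "ALLOW", 1: "DENY", 2: "AUDIT"}  # basic ACE types only

def parse_sid(buf, off):
    """Decode the binary SID at off into its S-1-... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return "-".join(["S", str(rev), str(authority), *map(str, subs)])

def parse_acl(buf, off):
    """Return (type, access mask, trustee SID) for every ACE in the ACL at off."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        if ace_type not in ACE_TYPES:
            raise ValueError(f"unsupported ACE type {ace_type}")
        (mask,) = struct.unpack_from("<I", buf, pos + 4)
        aces.append((ACE_TYPES[ace_type], f"{mask:#010x}", parse_sid(buf, pos + 8)))
        pos += ace_size  # ACEs are variable length; advance by the stored size
    return aces

def parse_sd(buf):
    """Split a self-relative security descriptor into its four components."""
    _rev, _sbz1, control, owner, group, sacl, dacl = struct.unpack_from("<BBHIIII", buf)
    if not control & 0x8000:  # SE_SELF_RELATIVE
        raise ValueError("descriptor is not in self-relative form")
    return {
        "owner": parse_sid(buf, owner) if owner else None,
        "group": parse_sid(buf, group) if group else None,
        "dacl": parse_acl(buf, dacl) if control & 0x0004 and dacl else None,  # SE_DACL_PRESENT
        "sacl": parse_acl(buf, sacl) if control & 0x0010 and sacl else None,  # SE_SACL_PRESENT
    }

SAMPLE = bytes.fromhex(  # constructed sample descriptor, not from a real directory
    "01001480 60000000 70000000 14000000 30000000"   # header: control + 4 offsets
    "02001c00 01000000"                               # SACL header, 1 ACE
    "02c01400 00000400 010100000000000100000000"      # audit WRITE_DAC by S-1-1-0
    "02003000 02000000"                               # DACL header, 2 ACEs
    "01001400 00000100 010100000000000100000000"      # deny DELETE to S-1-1-0
    "00001400 94000200 01010000000000050b000000"      # allow read to S-1-5-11
    "01020000000000052000000020020000"                # owner S-1-5-32-544
    "010100000000000512000000"                        # group S-1-5-18
)

if __name__ == "__main__":
    print(parse_sd(SAMPLE))
```
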


Copyright ActiveDirSec.Com 2008 – 2010. All Rights Reserved