This page describes the options available in the Advanced Filter dialog of AD Permission Reporter and the flags that appear in the AD Permissions Browser (formerly ACL Browser).

## Security Descriptor Selection
Option | Description |
---|---|
DACL | The Discretionary Access Control List (DACL) will be read from the nTSecurityDescriptor attribute |
SACL | The System Access Control List (SACL) will be read from the nTSecurityDescriptor attribute. The user must hold the ACCESS_SYSTEM_SECURITY access right (SeSecurityPrivilege) to be able to read the SACL. |
Mailbox | Security Descriptor for the mailbox is read from the msExchMailboxSecurityDescriptor attribute of the object. |
Schema | Security Descriptor of the Schema Classes is read from the DefaultSecurityDescriptor attribute. The Schema Context of the forest must be selected in the Context field of the main options. |

## SD Control
NetTools Label | Constants | Description |
---|---|---|
DACL Auto Inherit | SE_DACL_AUTO_INHERIT_REQ | Indicates a required security descriptor in which the discretionary access control list (DACL) is set up to support automatic propagation of inheritable access control entries (ACEs) to existing child objects. |
DACL Auto Inherited | SE_DACL_AUTO_INHERITED | Indicates a security descriptor in which the discretionary access control list (DACL) is set up to support automatic propagation of inheritable access control entries (ACEs) to existing child objects. |
DACL Defaulted | SE_DACL_DEFAULTED | Indicates a security descriptor with a default DACL. For example, if the creator of an object does not specify a DACL, the object receives the default DACL from the access token of the creator. This flag can affect how the system treats the DACL with respect to ACE inheritance. The system ignores this flag if the SE_DACL_PRESENT flag is not set. |
DACL Present | SE_DACL_PRESENT | Indicates a security descriptor that has a DACL. If this flag is not set, or if this flag is set and the DACL is NULL, the security descriptor allows full access to everyone. |
DACL Protected | SE_DACL_PROTECTED | Prevents the DACL of the security descriptor from being modified by inheritable ACEs. To set this flag, use the SetSecurityDescriptorControl function. |
Group Defaulted | SE_GROUP_DEFAULTED | Indicates that the security identifier (SID) of the security descriptor group was provided by a default mechanism. This flag can be used by a resource manager to identify objects whose security descriptor group was set by a default mechanism. |
Owner Defaulted | SE_OWNER_DEFAULTED | Indicates that the SID of the owner of the security descriptor was provided by a default mechanism. This flag can be used by a resource manager to identify objects whose owner was set by a default mechanism. |
SACL Auto Inherit | SE_SACL_AUTO_INHERIT_REQ | Indicates a required security descriptor in which the system access control list (SACL) is set up to support automatic propagation of inheritable ACEs to existing child objects. The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. |
SACL Auto Inherited | SE_SACL_AUTO_INHERITED | Indicates a security descriptor in which the system access control list (SACL) is set up to support automatic propagation of inheritable ACEs to existing child objects. |
SACL Defaulted | SE_SACL_DEFAULTED | A default mechanism, rather than the original provider of the security descriptor, provided the SACL. This flag can affect how the system treats the SACL, with respect to ACE inheritance. |
SACL Present | SE_SACL_PRESENT | Indicates a security descriptor that has a SACL. |
SACL Protected | SE_SACL_PROTECTED | Prevents the SACL of the security descriptor from being modified by inheritable ACEs. |
Resource Manager | SE_RM_CONTROL_VALID | Indicates that the resource manager control is valid. |
Self Relative | SE_SELF_RELATIVE | Indicates a self-relative security descriptor. |
## ACE Types
NetTools Label | Constants | Description |
---|---|---|
Allow ACE | ACCESS_ALLOWED_ACE_TYPE | Access-allowed ACE that uses the ACCESS_ALLOWED_ACE structure. |
Allow Object ACE | ACCESS_ALLOWED_OBJECT_ACE_TYPE | Object-specific access-allowed ACE that uses the ACCESS_ALLOWED_OBJECT_ACE structure. |
Allow Callback ACE | ACCESS_ALLOWED_CALLBACK_ACE_TYPE | Access-allowed callback ACE that uses the ACCESS_ALLOWED_CALLBACK_ACE structure. |
Allow Callback Object ACE | ACCESS_ALLOWED_CALLBACK_OBJECT_ACE_TYPE | Object-specific access-allowed callback ACE that uses the ACCESS_ALLOWED_CALLBACK_OBJECT_ACE structure. |
Deny ACE | ACCESS_DENIED_ACE_TYPE | Access-denied ACE that uses the ACCESS_DENIED_ACE structure. |
Deny Object ACE | ACCESS_DENIED_OBJECT_ACE_TYPE | Object-specific access-denied ACE that uses the ACCESS_DENIED_OBJECT_ACE structure. |
Deny Callback ACE | ACCESS_DENIED_CALLBACK_ACE_TYPE | Access-denied callback ACE that uses the ACCESS_DENIED_CALLBACK_ACE structure. |
Deny Callback Object ACE | ACCESS_DENIED_CALLBACK_OBJECT_ACE_TYPE | Object-specific access-denied callback ACE that uses the ACCESS_DENIED_CALLBACK_OBJECT_ACE structure. |
System Audit ACE | SYSTEM_AUDIT_ACE_TYPE | System-audit ACE that uses the SYSTEM_AUDIT_ACE structure. |
System Audit Object ACE | SYSTEM_AUDIT_OBJECT_ACE_TYPE | Object-specific system-audit ACE that uses the SYSTEM_AUDIT_OBJECT_ACE structure. |
System Audit Callback ACE | SYSTEM_AUDIT_CALLBACK_ACE_TYPE | System-audit callback ACE that uses the SYSTEM_AUDIT_CALLBACK_ACE structure. |
System Audit Callback Object ACE | SYSTEM_AUDIT_CALLBACK_OBJECT_ACE_TYPE | Object-specific system-audit callback ACE that uses the SYSTEM_AUDIT_CALLBACK_OBJECT_ACE structure. |
System Alarm ACE | SYSTEM_ALARM_ACE_TYPE | Reserved for future use. |
System Alarm Object ACE | SYSTEM_ALARM_OBJECT_ACE_TYPE | Reserved for future use. |
System Alarm Callback ACE | SYSTEM_ALARM_CALLBACK_ACE_TYPE | Reserved for future use. |
System Alarm Callback Object ACE | SYSTEM_ALARM_CALLBACK_OBJECT_ACE_TYPE | Reserved for future use. |
Mandatory Label ACE | SYSTEM_MANDATORY_LABEL_ACE_TYPE | Mandatory label ACE that uses the SYSTEM_MANDATORY_LABEL_ACE structure. |
Resource Attribute ACE | SYSTEM_RESOURCE_ATTRIBUTE_ACE_TYPE | Resource attribute ACE that uses the SYSTEM_RESOURCE_ATTRIBUTE_ACE structure. |
Scope Policy ID ACE | SYSTEM_SCOPED_POLICY_ID_ACE_TYPE | Central policy ID ACE that uses the SYSTEM_SCOPED_POLICY_ID_ACE structure. |
Allow Compound ACE | ACCESS_ALLOWED_COMPOUND_ACE_TYPE | Reserved for future use. |
## ACE Header Flags
NetTools Label | Constants | Description |
---|---|---|
Container Inherit | CONTAINER_INHERIT_ACE | Child objects that are containers, such as directories, inherit the ACE as an effective ACE. The inherited ACE is inheritable unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set. |
Inherit Only | INHERIT_ONLY_ACE | Indicates an inherit-only ACE, which does not control access to the object to which it is attached. If this flag is not set, the ACE is an effective ACE that controls access to the object to which it is attached. Both effective and inherit-only ACEs can be inherited depending on the state of the other inheritance flags. |
Inherited | INHERITED_ACE | Used to indicate that the ACE was inherited. |
No Propagate Inherit | NO_PROPAGATE_INHERIT_ACE | If the ACE is inherited by a child object, the system clears the OBJECT_INHERIT_ACE and CONTAINER_INHERIT_ACE flags in the inherited ACE. This prevents the ACE from being inherited by subsequent generations of objects. |
Object Inherit | OBJECT_INHERIT_ACE | Noncontainer child objects inherit the ACE as an effective ACE. For child objects that are containers, the ACE is inherited as an inherit-only ACE unless the NO_PROPAGATE_INHERIT_ACE bit flag is also set. |
Failed Access | FAILED_ACCESS_ACE_FLAG | Used with system-audit ACEs in a system access control list (SACL) to generate audit messages for failed access attempts. |
Successful Access | SUCCESSFUL_ACCESS_ACE_FLAG | Used with system-audit ACEs in a SACL to generate audit messages for successful access attempts. |
## Permissions

NetTools Label | Constants | Description |
---|---|---|
Full Control | | Consists of all the rights below. |
List Contents | ADS_RIGHT_ACTRL_DS_LIST | The right to list child objects of this object. |
List Objects | ADS_RIGHT_DS_LIST_OBJECT | The right to list a particular object. If the user is not granted this right, and the user does not have ADS_RIGHT_ACTRL_DS_LIST on the object's parent, the object is hidden from the user. |
Delete | ADS_RIGHT_DELETE | The right to delete the object. |
Delete subtree | ADS_RIGHT_DS_DELETE_TREE | The right to delete all child objects of this object, regardless of the permissions of the child objects. |
Read Permissions | ADS_RIGHT_READ_CONTROL | The right to read data from the security descriptor of the object, not including the data in the SACL. |
Write Permissions | ADS_RIGHT_WRITE_DAC | The right to modify the discretionary access-control list (DACL) in the object security descriptor. |
Modify Owner | ADS_RIGHT_WRITE_OWNER | The right to assume ownership of the object. The user must be an object trustee. The user cannot transfer the ownership to other users. |
Read Property | ADS_RIGHT_DS_READ_PROP | The right to read the selected attribute of the object. If no attribute is selected, the filter checks for Read All Properties. Selecting -None- means only Read All Properties will match. |
Write Property | ADS_RIGHT_DS_WRITE_PROP | The right to write the selected attribute of the object. If no attribute is selected, the filter checks for Write All Properties. Selecting -None- means only Write All Properties will match. |
Create child | ADS_RIGHT_DS_CREATE_CHILD | The right to create child objects of the selected object class. If no class is selected, the filter checks for Create All Child rights. Selecting -None- means only Create All Child will match. |
Delete child | ADS_RIGHT_DS_DELETE_CHILD | The right to delete child objects of the selected object class. If no class is selected, the filter checks for Delete All Child rights. Selecting -None- means only Delete All Child will match. |
Validated Rights | ADS_RIGHT_DS_SELF | The right to perform the operation controlled by the selected validated write access right. If no right is selected, the filter checks for all validated rights. Selecting -None- means only All Validated Rights will match. |
Extended Rights | ADS_RIGHT_DS_CONTROL_ACCESS | The right to perform the operation controlled by the selected extended access right. If no right is selected, the filter checks for all extended rights. Selecting -None- means only All Extended Rights will match. |
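The four tables above map labels to Windows constants; the following added example (not part of NetTools or this page) decodes a self-relative nTSecurityDescriptor blob into those same names: the SD control word, then each DACL ACE's type, header flags and the AD rights in its access mask. The bit values are the standard Windows SDK values for the constants listed here, and the sample descriptor is constructed in code rather than read from a directory.

```python
import struct
SD_CONTROL = {0x1: "SE_OWNER_DEFAULTED", 0x2: "SE_GROUP_DEFAULTED", 0x4: "SE_DACL_PRESENT",
              0x8: "SE_DACL_DEFAULTED", 0x10: "SE_SACL_PRESENT", 0x20: "SE_SACL_DEFAULTED",
              0x100: "SE_DACL_AUTO_INHERIT_REQ", 0x200: "SE_SACL_AUTO_INHERIT_REQ",
              0x400: "SE_DACL_AUTO_INHERITED", 0x800: "SE_SACL_AUTO_INHERITED",
              0x1000: "SE_DACL_PROTECTED", 0x2000: "SE_SACL_PROTECTED",
              0x4000: "SE_RM_CONTROL_VALID", 0x8000: "SE_SELF_RELATIVE"}
ACE_FLAGS = {0x1: "OBJECT_INHERIT_ACE", 0x2: "CONTAINER_INHERIT_ACE", 0x4: "NO_PROPAGATE_INHERIT_ACE",
             0x8: "INHERIT_ONLY_ACE", 0x10: "INHERITED_ACE", 0x40: "SUCCESSFUL_ACCESS_ACE_FLAG",
             0x80: "FAILED_ACCESS_ACE_FLAG"}
ACE_TYPES = {0x0: "ACCESS_ALLOWED_ACE_TYPE", 0x1: "ACCESS_DENIED_ACE_TYPE", 0x2: "SYSTEM_AUDIT_ACE_TYPE",
             0x5: "ACCESS_ALLOWED_OBJECT_ACE_TYPE", 0x6: "ACCESS_DENIED_OBJECT_ACE_TYPE",
             0x7: "SYSTEM_AUDIT_OBJECT_ACE_TYPE"}
AD_RIGHTS = {0x1: "ADS_RIGHT_DS_CREATE_CHILD", 0x2: "ADS_RIGHT_DS_DELETE_CHILD", 0x4: "ADS_RIGHT_ACTRL_DS_LIST",
             0x8: "ADS_RIGHT_DS_SELF", 0x10: "ADS_RIGHT_DS_READ_PROP", 0x20: "ADS_RIGHT_DS_WRITE_PROP",
             0x40: "ADS_RIGHT_DS_DELETE_TREE", 0x80: "ADS_RIGHT_DS_LIST_OBJECT",
             0x100: "ADS_RIGHT_DS_CONTROL_ACCESS", 0x10000: "ADS_RIGHT_DELETE",
             0x20000: "ADS_RIGHT_READ_CONTROL", 0x40000: "ADS_RIGHT_WRITE_DAC", 0x80000: "ADS_RIGHT_WRITE_OWNER"}

def set_bits(table, value):
    # Names of every bit in `table` that is set in `value`, in table order.
    return [name for bit, name in table.items() if value & bit]

def parse_sd(sd: bytes) -> dict:
    """Decode a self-relative SECURITY_DESCRIPTOR: control flags plus each DACL ACE's type, flags and rights."""
    _rev, _sbz1, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    out = {"control": set_bits(SD_CONTROL, control), "dacl": []}
    if control & 0x4 and dacl_off:                 # SE_DACL_PRESENT and the DACL is not NULL
        _, _, _size, ace_count, _ = struct.unpack_from("<BBHHH", sd, dacl_off)
        pos = dacl_off + 8                         # skip the 8-byte ACL header
        for _ in range(ace_count):
            ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, pos)
            (mask,) = struct.unpack_from("<I", sd, pos + 4)
            out["dacl"].append({"type": ACE_TYPES.get(ace_type, hex(ace_type)),
                                "flags": set_bits(ACE_FLAGS, ace_flags),
                                "rights": set_bits(AD_RIGHTS, mask)})
            pos += ace_size                        # AceSize spans header, mask and trustee SID
    return out

def build_sample_sd() -> bytes:
    """Constructed test input (not captured from AD): protected, auto-inherited DACL with an allow and a deny ACE."""
    sid = bytes.fromhex("01010000000000050b000000")       # binary form of S-1-5-11 (Authenticated Users)
    def ace(ace_type, flags, mask):
        body = struct.pack("<I", mask) + sid
        return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body
    aces = [ace(0x0, 0x2, 0x4 | 0x10 | 0x20000),          # allow: CONTAINER_INHERIT_ACE; list, read prop, read control
            ace(0x1, 0x2 | 0x4 | 0x10, 0x40000)]          # deny: CI | NO_PROPAGATE | INHERITED; write DAC
    acl = struct.pack("<BBHHH", 2, 0, 8 + sum(map(len, aces)), len(aces), 0) + b"".join(aces)
    control = 0x8000 | 0x4 | 0x1000 | 0x400                # self-relative, DACL present, protected, auto-inherited
    return struct.pack("<BBHIIII", 1, 0, control, 0, 0, 0, 20) + acl
```

Object ACEs (types 0x5 to 0x7) carry an extra flags word and optional GUIDs before the SID; the parser above skips them correctly via AceSize but does not decode the GUID that scopes a property or extended right.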