SDProp

The SDProp option reports which accounts are protected by the SDProp\AdminSDHolder process.  It shows which group, directly or through nested group membership, caused a user account to be included, and which accounts have been orphaned by the process.  Some details on the process can be found here and here.

NetTools displays the user objects that have AdminCount set to 1, together with the group memberships that caused each user to be covered by the process.  This option also provides the ability to reset user accounts by enabling ACL inheritance and clearing the AdminCount attribute.  To use it, select Reset AdminCount & ACL Inheritance and then click Go again.

SDProp

One of the issues with the SDProp process is that once a user is removed from a protected group, the SDProp process doesn't re-enable SD inheritance, so the account is orphaned.  The screenshot above shows two users, User1 and User2: User1 is a member of Domain Admins and Administrators, so the account will have the AdminSDHolder permissions enforced when the SDProp process runs; User2, on the other hand, is not a member of any protected group and is now orphaned.

While it's possible to reset the permissions, there is currently no option to trigger the SDProp process, so the correct permissions will only be re-applied to the required user accounts when SDProp next runs, which could be as long as 60 minutes.  Below is an LDAP Search favorite Update Query that will trigger the SDProp process if run against the PDC of the domain, using the RunProtectAdminGroupsTask RootDSE Modify Operation.  The details are here.

[Trigger SDProp]
Options=880098929149517
Server=
BaseDN=NULL
Filter=(objectclass=*)
Attributes=RunProtectAdminGroupsTask==1
DisplayFilter=
Filename=
Sort=
Authentication=1158
Separator=,
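The same three steps the SDProp option performs (find AdminCount=1 users and the protected groups that cover them, flag the orphans, optionally reset them and trigger SDProp on the PDC) as an added PowerShell example; this is not NetTools code. It assumes the ActiveDirectory module, the AD: drive it provides, and rights to modify the affected accounts; the protected-group list is the Microsoft default and must be adjusted if dSHeuristics excludes the Operators groups in your forest.

```powershell
param([switch]$Reset, [switch]$TriggerSDProp)
Import-Module ActiveDirectory

# Default AdminSDHolder-protected groups (Key Admins / Enterprise Key Admins exist on newer schemas).
# dSHeuristics can exclude the four Operators groups; adjust the list if that is set in your forest.
$protectedGroups = 'Administrators','Account Operators','Server Operators','Print Operators',
    'Backup Operators','Replicator','Domain Admins','Domain Controllers','Schema Admins',
    'Enterprise Admins','Read-only Domain Controllers','Key Admins','Enterprise Key Admins'

# Map each covered account DN to the protected group(s) it belongs to, nested membership included.
$covered = @{}
foreach ($g in $protectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$g'" -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    Get-ADGroupMember -Identity $grp -Recursive | ForEach-Object {
        $dn = $_.distinguishedName
        if ($covered.ContainsKey($dn)) { $covered[$dn] += $g } else { $covered[$dn] = @($g) }
    }
}

# Every user with adminCount=1; Administrator and krbtgt are protected regardless of membership.
$report = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount | ForEach-Object {
    $groups = $covered[$_.DistinguishedName]
    $always = $_.SamAccountName -in 'Administrator','krbtgt'
    [pscustomobject]@{
        User     = $_.SamAccountName
        Groups   = ($groups -join ';')
        Orphaned = (-not $groups) -and (-not $always)
        DN       = $_.DistinguishedName
    }
}
$report | Format-Table User, Orphaned, Groups -AutoSize

if ($Reset) {
    foreach ($u in ($report | Where-Object { $_.Orphaned })) {
        # Re-enable inheritance (keeping existing explicit ACEs) and clear adminCount.
        $acl = Get-Acl -Path "AD:\$($u.DN)"
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path "AD:\$($u.DN)" -AclObject $acl
        Set-ADUser -Identity $u.DN -Clear adminCount
    }
}
if ($TriggerSDProp) {
    # Same RootDSE modify as the NetTools favorite above, sent to the PDC emulator.
    $pdc = (Get-ADDomain).PDCEmulator
    $rootDse = [ADSI]"LDAP://$pdc/RootDSE"
    $rootDse.Put('RunProtectAdminGroupsTask', '1')
    $rootDse.SetInfo()
}
```

Run without switches to report only; add -Reset to clear the orphans and -TriggerSDProp so the still-protected accounts are re-stamped immediately rather than on the next scheduled run.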


ACL Browser

ACL Browser provides a quick and simple method to browse the permissions that are assigned to objects in the directory.  The ACL Browser is split into three sections:

Search Context

Browser - This section provides the method to navigate the directory; clicking on an item in this pane displays the permissions assigned to that item.  The Display OU and Containers option limits the displayed items to OUs and containers; deselecting it makes the browser pane display all the objects in the OUs and containers.

ACE List - This pane lists the ACEs assigned to the selected item.  By default the Object Security tab is displayed, showing the Discretionary Access Control List (DACL); depending on the item selected, the Mailbox and Schema permissions are also displayed.  For the SACL to be displayed the Include SACL option must be selected, and Domain Admin rights are required to read it.  If the Display SIDs option is selected, an extra column shows the SID of the trustee.

ACE - This pane displays the Access Control Entry selected in the ACE List pane.  The list of permissions is dynamic, based on the item selected, but the standard full/read/write/create/delete permissions are displayed for all items.  When the Show ACL\ACE flags option is selected, the ACE view displays the raw ACL and ACE flags associated with the item selected in the ACE List pane rather than the graphical view.  When an Object Specific ACE is selected, the name of the object type the permissions apply to is displayed above the ACE pane.  In the example below the object type is User.

ACE Object

Clear Local Cache - ACL Browser uses a local cache for extended permission GUIDs and SIDs.  As results are retrieved from the server they are cached to improve performance when viewing permissions.  When changing to a new location and pressing Refresh, the cache is maintained if the forest\domain is the same and purged if the forest\domain has changed; the cache is also cleared when the Clear Local Cache option is selected.  This cache is shared with the GPO Explorer security tab.

Trustee Mode - ACL Browser has a Trustee mode, which allows a trustee (user\group\computer etc.) to be selected; the icons in the ACE List pane then show a green dot to indicate that the corresponding ACE applies to the selected trustee.  These are the effective rights of the selected trustee.

To select the trustee, click the Trustee button and the Trustee Information dialog is displayed, showing the selected trustee and the constructed access token.  To choose a different trustee, click the Select button.

Trustee Info

The Select Trustee dialog allows you to specify the trustee and the connection method for the trustee, which are used to construct the trustee's Access Token.

Select Trustee