Sdcheck Examples

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2


Example 1: Display the Summary Security Information for an Object

In this example, no changes have been applied to the user object (Someone) or to the parent organizational unit (Sales) since their initial creation. Note the metadata version number.

Type the following at the command line:

sdcheck sprocket someone@example.com

The following output appears:

Microsoft(R) Windows (R) 2000 Operating System
Security Descriptor Check Utility - build(2015)

Input:  someone@example.com
Object: CN=Someone,OU=Sales,DC=example,DC=com
Domain: example.com
Domain: DC=example,DC=com
Server: sprocket

*** Warning: No values returned for dSCorePropagationData on CN=Someone,OU=Sales,DC=example,DC=com
*** Warning: No values returned for dSCorePropagationData on OU=Sales,DC=example,DC=com
*** Warning: No values returned for dSCorePropagationData on DC=example,DC=com

Object:   CN=Someone,OU=Sales,DC=example,DC=com
Classes:  top person organizationalPerson user 
SD:       1012 bytes
Metadata: 04/15/1999 14:53:04 @ SPROCKET.example.com ver: 1

  Object:   OU=Sales,DC=example,DC=com
  Classes:  top organizationalUnit 
  SD:       424 bytes
  Metadata: 04/15/1999 14:54:13 @ SPROCKET.example.com ver: 1

    Object:   DC=example,DC=com
    Classes:  top domain domainDNS 
    SD:       496 bytes
    Metadata: 04/15/1999 14:51:32 @ SPROCKET.example.com ver: 4

Checking ACL inheritance ...
Parent: 2 - DC=example,DC=com
Child:  1 - OU=Sales,DC=example,DC=com

Checking ACL inheritance ...
Parent: 1 - OU=Sales,DC=example,DC=com
Child:  0 - CN=Someone,OU=Sales,DC=example,DC=com

Example 2: Display the Security Descriptor for an Object

In this example, two additional access control lists (ACLs) have been added. This can be identified by the increase in the security metadata version number. One ACL denies Read/Write access to members of the Accounts Payable group, and the other ACL audits Read/Write attempts by the Administrator.

Type the following at the command line:

sdcheck sprocket someone@example.com -dumpSD

The following output appears:

Microsoft(R) Windows (R) 2000 Operating System
Security Descriptor Check Utility - build(2015)

Input:  someone@example.com
Object: CN=Someone,OU=Sales,DC=example,DC=com
Domain: example.com
Domain: DC=example,DC=com
Server: sprocket

*** Warning: No values returned for dSCorePropagationData on OU=Sales,DC=example,DC=com
*** Warning: No values returned for dSCorePropagationData on DC=example,DC=com

Object:   CN=Someone,OU=Sales,DC=example,DC=com
Classes:  top person organizationalPerson user 
SD:       1072 bytes
Metadata: 04/15/1999 14:59:08 @ SPROCKET.example.com ver: 3
History:  04/15/1999 14:59:00 flags(0x1) SD propagation
          04/15/1999 14:59:08 flags(0x1) SD propagation

  Object:   OU=Sales,DC=example,DC=com
  Classes:  top organizationalUnit 
  SD:       424 bytes
  Metadata: 04/15/1999 14:54:13 @ SPROCKET.example.com ver: 1

    Object:   DC=example,DC=com
    Classes:  top domain domainDNS 
    SD:       496 bytes
    Metadata: 04/15/1999 14:51:32 @ SPROCKET.example.com ver: 4

Checking ACL inheritance ...
Parent: 2 - DC=example,DC=com
Child:  1 - OU=Sales,DC=example,DC=com

Checking ACL inheritance ...
Parent: 1 - OU=Sales,DC=example,DC=com
Child:  0 - CN=Someone,OU=Sales,DC=example,DC=com


SD for CN=Someone,OU=Sales,DC=example,DC=com
SD Revision: 1
SD Control:  0x8c14
SE_DACL_PRESENT
SE_SACL_PRESENT
SE_DACL_AUTO_INHERITED
SE_SACL_AUTO_INHERITED
SE_SELF_RELATIVE
Owner: microsoft\Domain Admins S-1-5-21-640924683-4221571012-3872390550-512
Group: microsoft\Domain Users S-1-5-21-640924683-4221571012-3872390550-513
DACL:
Revision      4
Size:         944 bytes
# Aces:       24
Ace[0]
Ace Type:  0x1 - ACCESS_DENIED_ACE_TYPE
Ace Size:  36 bytes
Ace Flags: 0x0
Ace Mask:  0x000200bc
READ_CONTROL
ACTRL_DS_LIST
ACTRL_DS_SELF
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
ACTRL_DS_LIST_OBJECT
Ace Sid:   microsoft\Accounts Payable S-1-5-21-640924683-4221571012-3872390550-1130
Ace[1]
Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
Ace Size:  24 bytes
Ace Flags: 0x0
Ace Mask:  0x000f01ff
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ACTRL_DS_CREATE_CHILD
ACTRL_DS_DELETE_CHILD
ACTRL_DS_LIST
ACTRL_DS_SELF
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
ACTRL_DS_DELETE_TREE
ACTRL_DS_LIST_OBJECT
ACTRL_DS_CONTROL_ACCESS
Ace Sid:   BUILTIN\Account Operators S-1-5-32-548
Ace[2]
Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
Ace Size:  20 bytes
Ace Flags: 0x0
Ace Mask:  0x00020000
READ_CONTROL
Ace Sid:   NT AUTHORITY\Authenticated Users S-1-5-11
Ace[3]
Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
Ace Size:  36 bytes
Ace Flags: 0x0
Ace Mask:  0x000f01ff
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ACTRL_DS_CREATE_CHILD
ACTRL_DS_DELETE_CHILD
ACTRL_DS_LIST
ACTRL_DS_SELF
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
ACTRL_DS_DELETE_TREE
ACTRL_DS_LIST_OBJECT
ACTRL_DS_CONTROL_ACCESS
Ace Sid:   microsoft\Domain Admins S-1-5-21-640924683-4221571012-3872390550-512
Ace[4]
Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
Ace Size:  20 bytes
Ace Flags: 0x0
Ace Mask:  0x00020094
READ_CONTROL
ACTRL_DS_LIST
ACTRL_DS_READ_PROP
ACTRL_DS_LIST_OBJECT
Ace Sid:   NT AUTHORITY\SELF S-1-5-10
Ace[5]
Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
Ace Size:  20 bytes
Ace Flags: 0x0
Ace Mask:  0x000f01ff
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ACTRL_DS_CREATE_CHILD
ACTRL_DS_DELETE_CHILD
ACTRL_DS_LIST
ACTRL_DS_SELF
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
ACTRL_DS_DELETE_TREE
ACTRL_DS_LIST_OBJECT
ACTRL_DS_CONTROL_ACCESS
Ace Sid:   NT AUTHORITY\SYSTEM S-1-5-18
Ace[6]
Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size:  40 bytes
Ace Flags: 0x0
Object Ace Mask:  0x00000010
ACTRL_DS_READ_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type:  Attr set - Public Information
Object Ace Sid:   NT AUTHORITY\Authenticated Users S-1-5-11
Ace[7]
Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size:  40 bytes
Ace Flags: 0x0
Object Ace Mask:  0x00000010
ACTRL_DS_READ_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type:  Attr set - Web Information
Object Ace Sid:   NT AUTHORITY\Authenticated Users S-1-5-11
Ace[8]
Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size:  40 bytes
Ace Flags: 0x0
Object Ace Mask:  0x00000010
ACTRL_DS_READ_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type:  Attr set - Personal Information
Object Ace Sid:   NT AUTHORITY\Authenticated Users S-1-5-11
Ace[9]
Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size:  40 bytes
Ace Flags: 0x0
Object Ace Mask:  0x00000010
ACTRL_DS_READ_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type:  Attr set - General Information
Object Ace Sid:   NT AUTHORITY\Authenticated Users S-1-5-11
Ace[10]
Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size:  56 bytes
Ace Flags: 0x0
Object Ace Mask:  0x00000030
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type:  Attr - userCertificate
Object Ace Sid:   microsoft\Cert Publishers S-1-5-21-640924683-4221571012-3872390550-517
Ace[11]
Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size:  40 bytes
Ace Flags: 0x0
Object Ace Mask:  0x00000100
ACTRL_DS_CONTROL_ACCESS
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type:  Control right - Change Password
Object Ace Sid:   Everyone S-1-1-0
Ace[12]
Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size:  56 bytes
Ace Flags: 0x0
Object Ace Mask:  0x00000010
ACTRL_DS_READ_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type:  Attr set - Logon Information
Object Ace Sid:   microsoft\RAS and IAS Servers S-1-5-21-640924683-4221571012-3872390550-553
Ace[13]
Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size:  56 bytes
Ace Flags: 0x0
Object Ace Mask:  0x00000010
ACTRL_DS_READ_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type:  Control right - Modify Group Membership
Object Ace Sid:   microsoft\RAS and IAS Servers S-1-5-21-640924683-4221571012-3872390550-553
Ace[14]
Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size:  56 bytes
Ace Flags: 0x0
Object Ace Mask:  0x00000010
ACTRL_DS_READ_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type:  Attr set - Account Restrictions
Object Ace Sid:   microsoft\RAS and IAS Servers S-1-5-21-640924683-4221571012-3872390550-553
Ace[15]
Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size:  56 bytes
Ace Flags: 0x0
Object Ace Mask:  0x00000010
ACTRL_DS_READ_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type:  Attr set - Modify Remote Access Information
Object Ace Sid:   microsoft\RAS and IAS Servers S-1-5-21-640924683-4221571012-3872390550-553
Ace[16]
Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size:  40 bytes
Ace Flags: 0x0
Object Ace Mask:  0x00000030
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type:  Attr set - Web Information
Object Ace Sid:   NT AUTHORITY\SELF S-1-5-10
Ace[17]
Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size:  40 bytes
Ace Flags: 0x0
Object Ace Mask:  0x00000030
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type:  Control right - Phone and Mail Options
Object Ace Sid:   NT AUTHORITY\SELF S-1-5-10
Ace[18]
Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size:  40 bytes
Ace Flags: 0x0
Object Ace Mask:  0x00000030
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type:  Attr set - Personal Information
Object Ace Sid:   NT AUTHORITY\SELF S-1-5-10
Ace[19]
Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size:  40 bytes
Ace Flags: 0x0
Object Ace Mask:  0x00000100
ACTRL_DS_CONTROL_ACCESS
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type:  Control right - Receive As
Object Ace Sid:   NT AUTHORITY\SELF S-1-5-10
Ace[20]
Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size:  40 bytes
Ace Flags: 0x0
Object Ace Mask:  0x00000100
ACTRL_DS_CONTROL_ACCESS
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type:  Control right - Send As
Object Ace Sid:   NT AUTHORITY\SELF S-1-5-10
Ace[21]
Ace Type:  0x5 - ACCESS_ALLOWED_OBJECT_ACE_TYPE
Ace Size:  40 bytes
Ace Flags: 0x0
Object Ace Mask:  0x00000100
ACTRL_DS_CONTROL_ACCESS
Object Ace Flags: 0x1
ACE_OBJECT_TYPE_PRESENT
Object Ace Type:  Control right - Change Password
Object Ace Sid:   NT AUTHORITY\SELF S-1-5-10
Ace[22]
Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
Ace Size:  24 bytes
Ace Flags: 0x12
CONTAINER_INHERIT_ACE
INHERITED_ACE
Ace Mask:  0x000f01bd
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ACTRL_DS_CREATE_CHILD
ACTRL_DS_LIST
ACTRL_DS_SELF
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
ACTRL_DS_LIST_OBJECT
ACTRL_DS_CONTROL_ACCESS
Ace Sid:   BUILTIN\Administrators S-1-5-32-544
Ace[23]
Ace Type:  0x0 - ACCESS_ALLOWED_ACE_TYPE
Ace Size:  36 bytes
Ace Flags: 0x12
CONTAINER_INHERIT_ACE
INHERITED_ACE
Ace Mask:  0x000f01ff
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ACTRL_DS_CREATE_CHILD
ACTRL_DS_DELETE_CHILD
ACTRL_DS_LIST
ACTRL_DS_SELF
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
ACTRL_DS_DELETE_TREE
ACTRL_DS_LIST_OBJECT
ACTRL_DS_CONTROL_ACCESS
Ace Sid:   microsoft\Enterprise Admins S-1-5-21-640924683-4221571012-3872390550-519
SACL:
Revision      2
Size:         52 bytes
# Aces:       2
Ace[0]
Ace Type:  0x2 - SYSTEM_AUDIT_ACE_TYPE
Ace Size:  24 bytes
Ace Flags: 0x82
CONTAINER_INHERIT_ACE
Ace Mask:  0x00000030
ACTRL_DS_READ_PROP
ACTRL_DS_WRITE_PROP
Ace Sid:   BUILTIN\Administrators S-1-5-32-544
Ace[1]
Ace Type:  0x2 - SYSTEM_AUDIT_ACE_TYPE
Ace Size:  20 bytes
Ace Flags: 0xd2
CONTAINER_INHERIT_ACE
INHERITED_ACE
Ace Mask:  0x000d016b
DELETE
WRITE_DAC
WRITE_OWNER
ACTRL_DS_CREATE_CHILD
ACTRL_DS_DELETE_CHILD
ACTRL_DS_SELF
ACTRL_DS_WRITE_PROP
ACTRL_DS_DELETE_TREE
ACTRL_DS_CONTROL_ACCESS
Ace Sid:   Everyone S-1-1-0

Example 3: Determine Whether the Security Descriptor is Being Inherited Correctly

In this example, an inheritable ACL was added to the domain object dc=microsoft,dc=com, denying Read and Write access to the members of the Finance group. Note that the metadata version number for the domain object dc=microsoft,dc=com has been incremented; however, the ACL has yet to propagate to the Sales object.

Type the following at the command line:

sdcheck sprocket someone@example.com

The following output appears:

Microsoft(R) Windows (R) 2000 Operating System
Security Descriptor Check Utility - build(2015)

Input:  someone@example.com
Object: CN=Someone,OU=Sales,DC=example,DC=com
Domain: example.com
Domain: DC=example,DC=com
Server: sprocket

*** Warning: No values returned for dSCorePropagationData on DC=example,DC=com

Object:   CN=Someone,OU=Sales,DC=example,DC=com
Classes:  top person organizationalPerson user 
SD:       1108 bytes
Metadata: 04/15/1999 14:59:08 @ SPROCKET.example.com ver: 3
History:  04/15/1999 14:59:00 flags(0x1) SD propagation
          04/15/1999 14:59:08 flags(0x1) SD propagation
          04/15/1999 15:13:22 flags(0x1) SD propagation

  Object:   OU=Sales,DC=example,DC=com
  Classes:  top organizationalUnit 
  SD:       460 bytes
  Metadata: 04/15/1999 14:54:13 @ SPROCKET.example.com ver: 1
  History:  04/15/1999 15:13:21 flags(0x1) SD propagation

    Object:   DC=example,DC=com
    Classes:  top domain domainDNS 
    SD:       532 bytes
    Metadata: 04/15/1999 15:13:21 @ SPROCKET.example.com ver: 5

Checking ACL inheritance ...
Parent: 2 - DC=example,DC=com
Child:  1 - OU=Sales,DC=example,DC=com
*** Error: Parent ACE [0] specific Mask [0x4] not found1 in child
*** Error: Parent ACE [0] specific Mask [0x8] not found1 in child
*** Error: Parent ACE [0] specific Mask [0x10] not found1 in child
*** Error: Parent ACE [0] specific Mask [0x20] not found1 in child
*** Error: Parent ACE [0] specific Mask [0x80] not found1 in child
*** Error: Parent ACE [0] specific Mask [0x20000] not found1 in child


Checking ACL inheritance ...
Parent: 1 - OU=Sales,DC=example,DC=com
Child:  0 - CN=Someone,OU=Sales,DC=example,DC=com
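
The following is an added example, not part of the SDCheck documentation: it decodes the hexadecimal Ace Mask values that sdcheck -dumpSD prints in Example 2 into the same right names, and reconstructs the per-bit inheritance comparison behind the six "not found in child" lines of Example 3. The bit values are the documented ADS_RIGHT_* and ACE-flag constants; the check itself is a simplified reconstruction inferred from the error text, not sdcheck's own code, and the Finance SID is a placeholder.

```python
from dataclasses import dataclass

# Standard rights first, then directory-specific rights, in sdcheck's print order.
RIGHTS = [
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
    (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"),
    (0x1, "ACTRL_DS_CREATE_CHILD"), (0x2, "ACTRL_DS_DELETE_CHILD"),
    (0x4, "ACTRL_DS_LIST"), (0x8, "ACTRL_DS_SELF"),
    (0x10, "ACTRL_DS_READ_PROP"), (0x20, "ACTRL_DS_WRITE_PROP"),
    (0x40, "ACTRL_DS_DELETE_TREE"), (0x80, "ACTRL_DS_LIST_OBJECT"),
    (0x100, "ACTRL_DS_CONTROL_ACCESS"),
]
CONTAINER_INHERIT_ACE = 0x02  # ACE is inheritable by child containers/objects
INHERITED_ACE = 0x10          # ACE was received from a parent, not set directly

def decode_mask(mask):
    """Expand an access mask into the names sdcheck lists under 'Ace Mask'."""
    return [name for bit, name in RIGHTS if mask & bit]

@dataclass
class Ace:
    ace_type: int  # 0x0 allow, 0x1 deny, 0x2 audit, as in the -dumpSD output
    flags: int
    mask: int
    sid: str

def check_inheritance(parent, child):
    """Report each inheritable parent mask bit that no inherited child ACE
    (same type and SID) carries; this is the simplified reconstruction."""
    errors = []
    for i, p in enumerate(parent):
        if not p.flags & CONTAINER_INHERIT_ACE:
            continue  # not inheritable, so nothing is expected in the child
        inherited = 0
        for c in child:
            if c.flags & INHERITED_ACE and c.ace_type == p.ace_type and c.sid == p.sid:
                inherited |= c.mask
        for bit in sorted(b for b, _ in RIGHTS):  # ascending, as in Example 3
            if p.mask & bit and not inherited & bit:
                errors.append(f"*** Error: Parent ACE [{i}] specific Mask [{bit:#x}] not found in child")
    return errors

# Constructed sample: the inheritable deny ACE of Example 3 on the domain object
# (placeholder Finance SID) and an OU that has not received it yet.
DOMAIN_ACES = [Ace(0x1, CONTAINER_INHERIT_ACE, 0x000200bc, "S-1-5-21-PLACEHOLDER-1200")]
SALES_ACES = [Ace(0x0, CONTAINER_INHERIT_ACE | INHERITED_ACE, 0x000f01bd, "S-1-5-32-544")]

if __name__ == "__main__":
    print(decode_mask(0x000200bc))
    print("\n".join(check_inheritance(DOMAIN_ACES, SALES_ACES)))
```

Once propagation has delivered an inherited copy of the deny ACE to OU=Sales, the same check returns no errors, which is the state Example 4 shows after the next propagation pass.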

Example 4: Determine Whether Changes to the Security Descriptor are Being Replicated from One Domain Controller to Another

In this example, changes to the security descriptor were performed against the same object on a different domain controller. Note in the security metadata that the version number has been incremented, and that the name of the domain controller that originated the updated security descriptor is different (in this example: wombat.example.com).

Type the following at the command line:

sdcheck sprocket someone@example.com

The following output appears:

Microsoft(R) Windows (R) 2000 Operating System
Security Descriptor Check Utility - build(2015)

Input:  someone@example.com
Object: CN=Someone,OU=Sales,DC=example,DC=com
Domain: example.com
Domain: DC=example,DC=com
Server: sprocket

*** Warning: No values returned for dSCorePropagationData on DC=example,DC=com

Object:   CN=Someone,OU=Sales,DC=example,DC=com
Classes:  top person organizationalPerson user 
SD:       1144 bytes
Metadata: 04/15/1999 17:26:52 @ WOMBAT.example.com ver: 4
History:  04/15/1999 14:59:00 flags(0x1) SD propagation
          04/15/1999 14:59:08 flags(0x1) SD propagation
          04/15/1999 15:13:22 flags(0x1) SD propagation

  Object:   OU=Sales,DC=example,DC=com
  Classes:  top organizationalUnit 
  SD:       460 bytes
  Metadata: 04/15/1999 14:54:13 @ SPROCKET.example.com ver: 1
  History:  04/15/1999 15:13:21 flags(0x1) SD propagation

    Object:   DC=example,DC=com
    Classes:  top domain domainDNS 
    SD:       532 bytes
    Metadata: 04/15/1999 15:13:21 @ SPROCKET.example.com ver: 5

Checking ACL inheritance ...
Parent: 2 - DC=example,DC=com
Child:  1 - OU=Sales,DC=example,DC=com

Checking ACL inheritance ...
Parent: 1 - OU=Sales,DC=example,DC=com
Child:  0 - CN=Someone,OU=Sales,DC=example,DC=com

See Also

Concepts

Sdcheck Overview
Sdcheck Remarks
Sdcheck Syntax
Alphabetical List of Tools
Xcacls Overview
Sidwkr.dll
Sidwalker Security Administration Tools
Sidwalk Overview
Showaccs Overview
Ktpass Overview
Ksetup Overview
Getsid Overview
Addiag.exe
Search Overview
Replmon Overview
Repadmin Overview
Movetree.exe
Ldp Overview
Dsastat Overview
Clonepr Overview
ADSI Edit (adsiedit.msc)
Acldiag Overview