Re: Detailed Listing of SACLs


From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 09/09/04


Date: Wed, 8 Sep 2004 19:55:59 -0700

I am not too sure just what it is that you are after.
If you run adsiedit.msc and drill into the properties of the
AD object's security, on the Audit tab in the advanced view
you will see exactly what is the SACL on any particular
AD object. In the default you will see that there is an
inherited SACL set at the domain object that audits pretty
much all success and failures for creates/writes/deletes
but not for reads and lists.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Derek" <dawdc21@hotmail.com> wrote in message
news:%23BmTuFhlEHA.3968@TK2MSFTNGP11.phx.gbl...
> Hello,
>
> I am trying to find a detailed document that describes each item in a system
> access control list (SACL).  These are the ACL's on an AD object.  Here is a
> clip from a Microsoft document that explains what I am looking for.
>
> Thank-you.
>
> The Audit directory service access setting determines whether to audit the
> event of a user accessing a Microsoft Active Directory object that has its
> own system access control list (SACL) specified. A SACL is a list of users and
> groups for which actions on an object are to be audited on a Microsoft
> Windows 2000-based network. If you define this policy setting, you can
> specify whether to audit successes, audit failures, or not audit the event
> type at all. Success audits generate an audit entry when a user successfully
> accesses an Active Directory object that has a SACL specified. Failure
> audits generate an audit entry when a user unsuccessfully attempts to access
> an Active Directory object that has a SACL specified. Enabling auditing of
> directory service access and configuring SACLs on directory objects can
> generate a large volume of entries in the security logs on domain
> controllers, you should only enable these settings if you actually intend to
> use the information created.
> Note that you can set a SACL on an Active Directory object by using the
> Security tab in that object's Properties dialog box. This is analogous to
> Audit object access, except that it applies only to Active Directory objects
> and not to file system and registry objects.
>
>
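
Added example, not part of the original thread: a small decoder that breaks the SACL portion of an SDDL security descriptor string into its individual audit entries, which is the per-item view the question asks about. The SDDL string is constructed to resemble the kind of inherited SACL described in the reply (it is not the actual default domain SACL), and the function names are hypothetical.

```python
import re

# Two-letter tokens from the documented SDDL ACE string format.
ACE_FLAGS = {"CI": "container inherit", "OI": "object inherit", "NP": "no propagate",
             "IO": "inherit only", "ID": "inherited", "SA": "success", "FA": "failure"}
RIGHTS = {"CC": "create child", "DC": "delete child", "LC": "list children",
          "SW": "self write", "RP": "read property", "WP": "write property",
          "DT": "delete tree", "LO": "list object", "CR": "control access",
          "SD": "delete", "RC": "read control", "WD": "write DACL",
          "WO": "write owner", "GA": "generic all", "GR": "generic read"}
TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users", "DA": "Domain Admins",
            "BA": "Builtin Administrators", "SY": "Local System"}

# Constructed sample: one inherited audit ACE for Everyone covering
# creates/writes/deletes on success and failure, with no read or list rights.
SAMPLE = "O:DAG:DAD:AI(A;;RPLCLORC;;;AU)S:AI(AU;CIIDSAFA;CCDCSWWPDTSDWDWO;;;WD)"

def _tokens(field):
    """Split an SDDL field into its two-letter tokens."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def decode_sacl(sddl):
    """Return one dict per ACE found in the S: part of an SDDL string."""
    m = re.search(r"S:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []  # no SACL present, or a SACL with no entries
    entries = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        parts = ace.split(";")
        if len(parts) < 6:
            continue  # malformed ACE: type;flags;rights;guid;guid;sid expected
        ace_type, flags, rights, obj_guid, _inherit_guid, sid = parts[:6]
        flag_toks = _tokens(flags)
        entries.append({
            "type": ace_type,  # AU = audit, OU = object-specific audit
            "inherited": "ID" in flag_toks,
            "audit_on": [ACE_FLAGS[f] for f in flag_toks if f in ("SA", "FA")],
            # Hex access masks are kept raw; named rights are expanded.
            "rights": [rights] if rights.startswith("0x")
                      else [RIGHTS.get(t, t) for t in _tokens(rights)],
            "object_guid": obj_guid or None,
            "trustee": TRUSTEES.get(sid, sid),
        })
    return entries

def unaudited(entries, wanted):
    """List the rights in `wanted` that no audit ACE in `entries` covers."""
    covered = {r for e in entries if e["audit_on"] for r in e["rights"]}
    return [r for r in wanted if r not in covered]
```

On a real domain the SDDL form of an object's security descriptor would be exported first and passed to `decode_sacl`; `unaudited` then shows which operations leave no trace in the security log.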

