Detailed Listing of SACLs

Discussion in 'Server Security' started by Derek, Sep 9, 2004.

  1. Derek

    Derek Guest


    I am trying to find a detailed document that describes each item in a system
    access control list (SACL). These are the ACLs on an AD object. Here is a
    clip from a Microsoft document that explains what I am looking for.


    The Audit directory service access setting determines whether to audit the
    event of a user accessing a Microsoft Active Directory object that has its
    own system access control list (SACL) specified. A SACL is a list of users and
    groups for which actions on an object are to be audited on a Microsoft
    Windows 2000-based network. If you define this policy setting, you can
    specify whether to audit successes, audit failures, or not audit the event
    type at all. Success audits generate an audit entry when a user successfully
    accesses an Active Directory object that has a SACL specified. Failure
    audits generate an audit entry when a user unsuccessfully attempts to access
    an Active Directory object that has a SACL specified. Enabling auditing of
    directory service access and configuring SACLs on directory objects can
    generate a large volume of entries in the security logs on domain
    controllers; you should only enable these settings if you actually intend to
    use the information created.
    Note that you can set a SACL on an Active Directory object by using the
    Security tab in that object's Properties dialog box. This is analogous to
    Audit object access, except that it applies only to Active Directory objects
    and not to file system and registry objects.
    Derek, Sep 9, 2004

  2. Roger Abell

    Roger Abell Guest

    I am not too sure just what it is that you are after.
    If you run adsiedit.msc and drill into the properties of the
    AD object's security, on the Audit tab in the advanced view
    you will see exactly what the SACL is on any particular
    AD object. By default you will see that there is an
    inherited SACL set at the domain object that audits pretty
    much all successes and failures for creates/writes/deletes
    but not for reads and lists.
    Roger Abell, Sep 9, 2004

  3. There won't be one as it is dependent on the schema of your AD, i.e., it depends
    on what objects can be created in your AD and under what other types of objects
    as to what would be displayed in the GUI.

    Joe Richards [MVP], Sep 11, 2004
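The two answers above can be combined into a repeatable check: dump the SACL of an AD object the way the adsiedit Audit tab shows it, and resolve the object-type GUIDs in each entry against your own schema and extended rights, since (as Joe notes) the names depend on your forest's schema. This is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module on a domain-joined host with the right to read SACLs, and the distinguished name at the bottom is a constructed placeholder.

```powershell
# Added example (not from the thread). Reading a SACL needs SeSecurityPrivilege
# (Manage auditing and security log), otherwise Get-Acl -Audit returns no audit rules.
Import-Module ActiveDirectory

function Get-AdObjectSacl {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $rootDse = Get-ADRootDSE
    # Map GUID -> name from the schema (classes/attributes) and from extended rights,
    # so ObjectType / InheritedObjectType in each ACE become readable for THIS forest.
    $guidMap = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(&(objectClass=controlAccessRight)(rightsGuid=*))' -Properties displayName, rightsGuid |
        ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

    function Resolve-AceGuid([guid]$Guid, [string]$EmptyMeans) {
        if ($Guid -eq [guid]::Empty) { return $EmptyMeans }          # empty GUID = applies to everything
        if ($guidMap.ContainsKey($Guid)) { return $guidMap[$Guid] }
        return $Guid.ToString()                                       # unknown in this schema
    }

    # -Audit is required; without it the SACL is not read at all.
    $acl = Get-Acl -Path "AD:\$DistinguishedName" -Audit
    # Explicit and inherited audit rules, identities rendered as DOMAIN\name
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.ActiveDirectoryRights
            AuditFlags  = $ace.AuditFlags                      # Success, Failure, or both
            ObjectType  = Resolve-AceGuid $ace.ObjectType 'All properties/rights'
            AppliesTo   = Resolve-AceGuid $ace.InheritedObjectType 'This object and descendants'
            Inheritance = $ace.InheritanceType
            Inherited   = $ace.IsInherited                     # $true = set higher up (e.g. domain root)
        }
    }
}

# Constructed placeholder DN; use your own domain root or any container/object.
Get-AdObjectSacl -DistinguishedName 'DC=example,DC=com' | Format-Table -AutoSize
```

Running this against the domain root on a default install should show the inherited success/failure entries for create, write and delete operations that Roger describes, with no audit entries for read or list.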