
KB-6873: How to collect Security Descriptor Definition Language (SDDL)?

Category: Authentication Service

9 May 2016, 11:30 AM

Applies to: All versions of Centrify DirectControl on all platforms

How to collect Security Descriptor Definition Language (SDDL)?

The security descriptor of a user's AD object, expressed in Security Descriptor Definition Language (SDDL), shows exactly who is allowed or denied which rights on that object, which is what you need when troubleshooting an AD permission issue. ADEdit can be used to collect the SDDL for a problematic user and to decode it into a readable form.

Take the following environment as an example:
- Domain name: domain.test
- Zone name: Global
- Problematic user name: test

Here are the detailed steps:

1. Bind to the domain with an account that has permission to read the user object (the SDDL collected below is only as complete as the binding account is allowed to see), then select the zone by its distinguished name.

[root@RHEL64 ~]# adedit
>bind domain.test Administrator
Administrator@DOMAIN.TEST's password: 
>slz "CN=Global,CN=Zones,CN=Centrify,CN=Program Data,DC=domain,DC=test"

2. List the zone users of the currently selected zone and confirm the problematic user is among them.

>lszu

3. Select the problematic zone user as the current user.

>slzu {test@domain.test}

4. Retrieve the AD object whose distinguished name is in the addn field of the currently selected zone user, and store it in memory as the current object.

>slo [gzuf addn]

5. Convert the security descriptor (SD) of the currently selected object, which gof sd returns as an SDDL string, into a human-readable form. To collect the raw SDDL itself, for example to attach it to a support case, run gof sd on its own and save the string as well.

>explain_sd [gof sd]
Owner: Domain Admins
Group: Domain Admins
Dacl: protected (no inheritance),inherit supported,
Allow |  | read property, | User-Account-Restrictions | inetOrgPerson | pre win2k
... ...

Read the Dacl line carefully. "protected (no inheritance)" means the DACL carries the SE_DACL_PROTECTED flag (the P in SDDL), so ACEs delegated on the OU or zone container are not inherited by this object. On a user object this is typically the AdminSDHolder protection applied to members of protected groups such as Domain Admins, and it is a common reason a permission set delegated for Centrify does not reach the user even though the delegation looks correct.
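The five interactive steps above can be run as one ADEdit script, so the raw SDDL and its decoded form are collected in a single pass for a given user. This is an added example, not part of the Centrify KB or of ADEdit's own documentation; the domain, admin account and zone DN are the hypothetical values from this article, and it assumes explain_sd returns the decoded text as a string, as the interactive session suggests.

```tcl
#!/bin/env adedit
# collect_sddl.tcl: added example, not from the Centrify KB.
# Collects the raw SDDL and the decoded form for one zone user so both can
# be attached to a support case. Usage: ./collect_sddl.tcl user@domain.test
#
# Assumptions (hypothetical values, adjust to your environment):
#   - domain domain.test, zone DN as in the KB above
#   - the binding account (Administrator) can read the user object's
#     security descriptor; otherwise the sd field comes back empty
#   - explain_sd returns the decoded text as a string, as the interactive
#     session in the KB suggests

if {$argc != 1} {
    puts stderr "usage: collect_sddl.tcl user@domain.test"
    exit 1
}
set upn    [lindex $argv 0]
set domain "domain.test"
set admin  "Administrator"
set zonedn "CN=Global,CN=Zones,CN=Centrify,CN=Program Data,DC=domain,DC=test"

# bind prompts for the password when it is not given, exactly as in the
# interactive session; never pass it on the command line.
bind $domain $admin
select_zone $zonedn

# A user that is not zoned in this zone makes select_zone_user throw;
# report that rather than dumping a Tcl stack trace.
if {[catch {select_zone_user $upn} err]} {
    puts stderr "select_zone_user failed for $upn: $err"
    exit 2
}

# addn is the distinguished name of the user's AD object; load that object.
set addn [get_zone_user_field addn]
select_object $addn

set sddl [get_object_field sd]
if {$sddl eq ""} {
    puts stderr "empty security descriptor for $addn; check that $admin can read it"
    exit 3
}

# Print the raw SDDL string first: explain_sd decodes it but does not
# round-trip, and support will usually want the raw value as well.
puts "DN:   $addn"
puts "SDDL: $sddl"
puts ""
puts [explain_sd $sddl]
```

Run it as `./collect_sddl.tcl test@domain.test | tee test_sddl.txt`; the password is still read from the terminal, and the file then holds the DN, the raw SDDL and the decoded DACL together.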

See the ADEdit Command Reference and Scripting Guide for the full syntax of the commands used above.

Abbreviations and command syntax:

slz  = select_zone
lszu = list_zone_users
slzu = select_zone_user
slo  = select_object
gzuf = get_zone_user_field
gof  = get_object_field