Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-6873: How to collect Security Descriptor Definition Language (SDDL)?

Authentication Service ,  

9 May,16 at 11:30 AM

Applies to: All versions of Centrify DirectControl on all platforms

Question:
How to collect Security Descriptor Definition Language (SDDL)?

Answer:
The SDDL will be helpful to troubleshoot the AD permission issue. ADEdit can be used to collect the SSDL for a problematic user. 

Take following environment as an example,
- Domain Name: domain.test
- Zone Name: Global
- Problematic User Name: test

Here are detailed steps:

1, Bind to domain with proper permission and select the zone. 

[root@RHEL64 ~]# adedit
>bind domain.test Administrator
Administrator@DOMAIN.TEST's password: 
>slz "CN=Global,CN=Zones,CN=Centrify,CN=Program Data,DC=domain,DC=test"

2, List out the zone users of currently selected zone.

>lszu
test@domain.test:test:1451229684:2147483648:%{u:displayName}:%{home}/%{user}:%{shell}:
...

3, Select the problematic zone user as current user.

>slzu {test@domain.test}

4, Retrieve the AD object based on the value of addn retrieved from the currently selected zone user and store the object in memory. 

>slo [gzuf addn]

5, Convert security descriptor (SD) in SDDL format retrieved from currently selected object to a human-readable form. 

>explain_sd [gof sd]
Owner: Domain Admins
Group: Domain Admins
Dacl: protected (no inheritance),inherit supported,
Allow |  | read property, | User-Account-Restrictions | inetOrgPerson | pre win2k
... ...

ADEdit Command Reference and Scripting Guide

Abbreviation and Command Syntax :

slz  = select_zone
lszu = list_zone_users
slzu = select_zone_user
slo  = select_object
gzuf = get_zone_user_field 
gof  = get_object_field

Related Articles

 articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part I articleCentrify 20.2 Release Notes article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part III article[How To] Enable Symantec VIP MFA for Centrify Server Suite on Linux Part II articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer?