An ADReport Sample Report - ACLs (only part of the lines are shown)


| Object | ACE# | Trustee | AccessMask (hex) | Permissions (AccessMask Interpreted) | AceFlags (hex) | AF / Inherit | AF / Inherit, No Propagate | AF / Inherit Only | AF / Inherited | AceType (hex) | AceType Interpreted | Flags | Flags / OT Present | Flags / IOT Present | ObjectType | OT Interpr | Inherited ObjectType | IOT Interpr |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| DC=sanao,DC=com | ACE 1 | BUILTIN\Administrators | F01BD | Full Control except Delete Child(s) and Delete Subtree | 2 | Yes |  |  |  | 0 | Allow | 0 |  |  |  |  |  |  |
| DC=sanao,DC=com | ACE 2 | NT AUTHORITY\Authenticated Users | 20094 | Read (incl. List Obj.) | 0 |  |  |  |  | 0 | Allow | 0 |  |  |  |  |  |  |
| DC=sanao,DC=com | ACE 3 | SANAO\Domain Admins | E01BD | Create Child(s), List Contents, Validated Write(s), Read Prop(s), Write Prop(s), List Object, Extended Right(s), Read Permissions, Modify Permissions, Modify Owner | 0 |  |  |  |  | 0 | Allow | 0 |  |  |  |  |  |  |
| DC=sanao,DC=com | ACE 4 | SANAO\Enterprise Admins | F01FF | Full Control | 2 | Yes |  |  |  | 0 | Allow | 0 |  |  |  |  |  |  |
| DC=sanao,DC=com | ACE 5 | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | 20094 | Read (incl. List Obj.) | 0 |  |  |  |  | 0 | Allow | 0 |  |  |  |  |  |  |
| DC=sanao,DC=com | ACE 6 | Everyone | 10 | Read Prop(s) | 0 |  |  |  |  | 0 | Allow | 0 |  |  |  |  |  |  |
| DC=sanao,DC=com | ACE 7 | SANAO\Exchange Enterprise Servers | 4 | List Contents | 2 | Yes |  |  |  | 0 | Allow | 0 |  |  |  |  |  |  |
| DC=sanao,DC=com | ACE 8 | SANAO\Exchange Enterprise Servers | 20000 | Read Permissions | 0 |  |  |  |  | 0 | Allow | 0 |  |  |  |  |  |  |
| DC=sanao,DC=com | ACE 9 | BUILTIN\Pre-Windows 2000 Compatible Access | 4 | List Contents | 2 | Yes |  |  |  | 0 | Allow | 0 |  |  |  |  |  |  |
| DC=sanao,DC=com | ACE 10 | BUILTIN\Pre-Windows 2000 Compatible Access | 20010 | Read Prop(s), Read Permissions | 0 |  |  |  |  | 0 | Allow | 0 |  |  |  |  |  |  |
| DC=sanao,DC=com | ACE 11 | NT AUTHORITY\SYSTEM | F01FF | Full Control | 0 |  |  |  |  | 0 | Allow | 0 |  |  |  |  |  |  |
| DC=sanao,DC=com | ACE 12 | BUILTIN\Administrators | 100 | Extended Right(s) | 0 |  |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {1131F6AA-9C07-11D1-F79F-00C04FC2DCD2} | Replicating Directory Changes |  |  |
| DC=sanao,DC=com | ACE 13 | BUILTIN\Administrators | 100 | Extended Right(s) | 0 |  |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {1131F6AB-9C07-11D1-F79F-00C04FC2DCD2} | Replication Synchronization |  |  |
| DC=sanao,DC=com | ACE 14 | BUILTIN\Administrators | 100 | Extended Right(s) | 0 |  |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {1131F6AC-9C07-11D1-F79F-00C04FC2DCD2} | Manage Replication Topology |  |  |
| DC=sanao,DC=com | ACE 15 | BUILTIN\Administrators | 100 | Extended Right(s) | 0 |  |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2} | Replicating Directory Changes All |  |  |
| DC=sanao,DC=com | ACE 16 | NT AUTHORITY\Authenticated Users | 100 | Extended Right(s) | 0 |  |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {280F369C-67C7-438E-AE98-1D46F3C6F541} | Update Password Not Required Bit |  |  |
| DC=sanao,DC=com | ACE 17 | NT AUTHORITY\Authenticated Users | 100 | Extended Right(s) | 0 |  |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {CCC2DC7D-A6AD-4A7A-8846-C04E3CC53501} | MS-TS-GatewayAccess |  |  |
| DC=sanao,DC=com | ACE 18 | NT AUTHORITY\Authenticated Users | 100 | Extended Right(s) | 0 |  |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {05C74C5E-4DEB-43B4-BD9F-86664C2A7FD5} | Enable Per User Reversibly Encrypted Password |  |  |
| DC=sanao,DC=com | ACE 19 | SANAO\Domain Controllers | 100 | Extended Right(s) | 0 |  |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2} | Replicating Directory Changes All |  |  |
| DC=sanao,DC=com | ACE 20 | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | 100 | Extended Right(s) | 0 |  |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {1131F6AA-9C07-11D1-F79F-00C04FC2DCD2} | Replicating Directory Changes |  |  |
| DC=sanao,DC=com | ACE 21 | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | 100 | Extended Right(s) | 0 |  |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {1131F6AB-9C07-11D1-F79F-00C04FC2DCD2} | Replication Synchronization |  |  |
| DC=sanao,DC=com | ACE 22 | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | 100 | Extended Right(s) | 0 |  |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {1131F6AC-9C07-11D1-F79F-00C04FC2DCD2} | Manage Replication Topology |  |  |
| DC=sanao,DC=com | ACE 23 | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | 10 | Read Prop(s) | A | Yes |  | Yes |  | 5 | Allow (Object) | 3 | Yes | Yes | {B7C69E6D-2CC7-11D2-854E-00A0C983F608} | tokenGroups | {BF967ABA-0DE6-11D0-A285-00AA003049E2} | user |
| DC=sanao,DC=com | ACE 24 | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | 10 | Read Prop(s) | A | Yes |  | Yes |  | 5 | Allow (Object) | 3 | Yes | Yes | {B7C69E6D-2CC7-11D2-854E-00A0C983F608} | tokenGroups | {BF967A9C-0DE6-11D0-A285-00AA003049E2} | group |
| DC=sanao,DC=com | ACE 25 | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | 10 | Read Prop(s) | A | Yes |  | Yes |  | 5 | Allow (Object) | 3 | Yes | Yes | {B7C69E6D-2CC7-11D2-854E-00A0C983F608} | tokenGroups | {BF967A86-0DE6-11D0-A285-00AA003049E2} | computer |
| DC=sanao,DC=com | ACE 26 | SANAO\Exchange Enterprise Servers | 20 | Write Prop(s) | 2 | Yes |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {E48D0154-BCF8-11D1-8702-00C04FB96050} | Public Information |  |  |
| DC=sanao,DC=com | ACE 27 | SANAO\Exchange Enterprise Servers | 20 | Write Prop(s) | 2 | Yes |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {77B5B886-944A-11D1-AEBD-0000F80367C1} | Personal Information |  |  |
| DC=sanao,DC=com | ACE 28 | SANAO\Exchange Enterprise Servers | 20 | Write Prop(s) | 2 | Yes |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {9A9A021E-4A5B-11D1-A9C3-0000F80367C1} | groupType |  |  |
| DC=sanao,DC=com | ACE 29 | SANAO\Exchange Enterprise Servers | 20 | Write Prop(s) | 2 | Yes |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {BF967953-0DE6-11D0-A285-00AA003049E2} | displayName |  |  |
| DC=sanao,DC=com | ACE 30 | SANAO\Exchange Enterprise Servers | 100 | Extended Right(s) | 0 |  |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {1131F6AC-9C07-11D1-F79F-00C04FC2DCD2} | Manage Replication Topology |  |  |
| DC=sanao,DC=com | ACE 31 | SANAO\Exchange Enterprise Servers | 20094 | Read (incl. List Obj.) | A | Yes |  | Yes |  | 5 | Allow (Object) | 2 |  | Yes |  |  | {BF967ABA-0DE6-11D0-A285-00AA003049E2} | user |
| DC=sanao,DC=com | ACE 32 | SANAO\Exchange Enterprise Servers | 60094 | List Contents, Read Prop(s), List Object, Read Permissions, Modify Permissions | A | Yes |  | Yes |  | 5 | Allow (Object) | 2 |  | Yes |  |  | {BF967A9C-0DE6-11D0-A285-00AA003049E2} | group |
| DC=sanao,DC=com | ACE 33 | SANAO\Exchange Enterprise Servers | 20094 | Read (incl. List Obj.) | A | Yes |  | Yes |  | 5 | Allow (Object) | 2 |  | Yes |  |  | {4828CC14-1437-45BC-9B07-AD6F015E5F28} | inetOrgPerson |
| DC=sanao,DC=com | ACE 34 | BUILTIN\Incoming Forest Trust Builders | 100 | Extended Right(s) | 0 |  |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {E2A36DC9-AE17-47C3-B58B-BE34C55BA633} | Create Inbound Forest Trust |  |  |
| DC=sanao,DC=com | ACE 35 | BUILTIN\Pre-Windows 2000 Compatible Access | 20094 | Read (incl. List Obj.) | A | Yes |  | Yes |  | 5 | Allow (Object) | 2 |  | Yes |  |  | {BF967ABA-0DE6-11D0-A285-00AA003049E2} | user |
| DC=sanao,DC=com | ACE 36 | BUILTIN\Pre-Windows 2000 Compatible Access | 20094 | Read (incl. List Obj.) | A | Yes |  | Yes |  | 5 | Allow (Object) | 2 |  | Yes |  |  | {4828CC14-1437-45BC-9B07-AD6F015E5F28} | inetOrgPerson |
| DC=sanao,DC=com | ACE 37 | BUILTIN\Pre-Windows 2000 Compatible Access | 20094 | Read (incl. List Obj.) | A | Yes |  | Yes |  | 5 | Allow (Object) | 2 |  | Yes |  |  | {BF967A9C-0DE6-11D0-A285-00AA003049E2} | group |
| OU=Demo,DC=sanao,DC=com | ACE 1 | NT AUTHORITY\SYSTEM | F01FF | Full Control | 0 |  |  |  |  | 0 | Allow | 0 |  |  |  |  |  |  |
| OU=Demo,DC=sanao,DC=com | ACE 2 | SANAO\Domain Admins | F01FF | Full Control | 0 |  |  |  |  | 0 | Allow | 0 |  |  |  |  |  |  |
| OU=Demo,DC=sanao,DC=com | ACE 3 | BUILTIN\Account Operators | 3 | Create Child(s), Delete Child(s) | 0 |  |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {BF967A86-0DE6-11D0-A285-00AA003049E2} | computer |  |  |
| OU=Demo,DC=sanao,DC=com | ACE 4 | BUILTIN\Account Operators | 3 | Create Child(s), Delete Child(s) | 0 |  |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {BF967ABA-0DE6-11D0-A285-00AA003049E2} | user |  |  |
| OU=Demo,DC=sanao,DC=com | ACE 5 | BUILTIN\Account Operators | 3 | Create Child(s), Delete Child(s) | 0 |  |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {BF967A9C-0DE6-11D0-A285-00AA003049E2} | group |  |  |
| OU=Demo,DC=sanao,DC=com | ACE 6 | BUILTIN\Print Operators | 3 | Create Child(s), Delete Child(s) | 0 |  |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {BF967AA8-0DE6-11D0-A285-00AA003049E2} | printQueue |  |  |
| OU=Demo,DC=sanao,DC=com | ACE 7 | NT AUTHORITY\Authenticated Users | 20094 | Read (incl. List Obj.) | 0 |  |  |  |  | 0 | Allow | 0 |  |  |  |  |  |  |
| OU=Demo,DC=sanao,DC=com | ACE 8 | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | 20094 | Read (incl. List Obj.) | 0 |  |  |  |  | 0 | Allow | 0 |  |  |  |  |  |  |
| OU=Demo,DC=sanao,DC=com | ACE 9 | BUILTIN\Account Operators | 3 | Create Child(s), Delete Child(s) | 0 |  |  |  |  | 5 | Allow (Object) | 1 | Yes |  | {4828CC14-1437-45BC-9B07-AD6F015E5F28} | inetOrgPerson |  |  |
| OU=Demo,DC=sanao,DC=com | ACE 10 | BUILTIN\Administrators | F01BD | Full Control except Delete Child(s) and Delete Subtree | 12 | Yes |  |  | Yes | 0 | Allow | 0 |  |  |  |  |  |  |
| OU=Demo,DC=sanao,DC=com | ACE 11 | SANAO\Enterprise Admins | F01FF | Full Control | 12 | Yes |  |  | Yes | 0 | Allow | 0 |  |  |  |  |  |  |
| OU=Demo,DC=sanao,DC=com | ACE 12 | SANAO\Exchange Enterprise Servers | 4 | List Contents | 12 | Yes |  |  | Yes | 0 | Allow | 0 |  |  |  |  |  |  |
| OU=Demo,DC=sanao,DC=com | ACE 13 | BUILTIN\Pre-Windows 2000 Compatible Access | 4 | List Contents | 12 | Yes |  |  | Yes | 0 | Allow | 0 |  |  |  |  |  |  |
| OU=Demo,DC=sanao,DC=com | ACE 14 | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | 10 | Read Prop(s) | 1A | Yes |  | Yes | Yes | 5 | Allow (Object) | 3 | Yes | Yes | {B7C69E6D-2CC7-11D2-854E-00A0C983F608} | tokenGroups | {BF967ABA-0DE6-11D0-A285-00AA003049E2} | user |
| OU=Demo,DC=sanao,DC=com | ACE 15 | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | 10 | Read Prop(s) | 1A | Yes |  | Yes | Yes | 5 | Allow (Object) | 3 | Yes | Yes | {B7C69E6D-2CC7-11D2-854E-00A0C983F608} | tokenGroups | {BF967A9C-0DE6-11D0-A285-00AA003049E2} | group |
| OU=Demo,DC=sanao,DC=com | ACE 16 | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | 10 | Read Prop(s) | 1A | Yes |  | Yes | Yes | 5 | Allow (Object) | 3 | Yes | Yes | {B7C69E6D-2CC7-11D2-854E-00A0C983F608} | tokenGroups | {BF967A86-0DE6-11D0-A285-00AA003049E2} | computer |
| OU=Demo,DC=sanao,DC=com | ACE 17 | SANAO\Exchange Enterprise Servers | 20 | Write Prop(s) | 12 | Yes |  |  | Yes | 5 | Allow (Object) | 1 | Yes |  | {E48D0154-BCF8-11D1-8702-00C04FB96050} | Public Information |  |  |
| OU=Demo,DC=sanao,DC=com | ACE 18 | SANAO\Exchange Enterprise Servers | 20 | Write Prop(s) | 12 | Yes |  |  | Yes | 5 | Allow (Object) | 1 | Yes |  | {77B5B886-944A-11D1-AEBD-0000F80367C1} | Personal Information |  |  |
| OU=Demo,DC=sanao,DC=com | ACE 19 | SANAO\Exchange Enterprise Servers | 20 | Write Prop(s) | 12 | Yes |  |  | Yes | 5 | Allow (Object) | 1 | Yes |  | {9A9A021E-4A5B-11D1-A9C3-0000F80367C1} | groupType |  |  |
| OU=Demo,DC=sanao,DC=com | ACE 20 | SANAO\Exchange Enterprise Servers | 20 | Write Prop(s) | 12 | Yes |  |  | Yes | 5 | Allow (Object) | 1 | Yes |  | {BF967953-0DE6-11D0-A285-00AA003049E2} | displayName |  |  |
| OU=Demo,DC=sanao,DC=com | ACE 21 | SANAO\Exchange Enterprise Servers | 20094 | Read (incl. List Obj.) | 1A | Yes |  | Yes | Yes | 5 | Allow (Object) | 2 |  | Yes |  |  | {BF967ABA-0DE6-11D0-A285-00AA003049E2} | user |
| OU=Demo,DC=sanao,DC=com | ACE 22 | SANAO\Exchange Enterprise Servers | 60094 | List Contents, Read Prop(s), List Object, Read Permissions, Modify Permissions | 1A | Yes |  | Yes | Yes | 5 | Allow (Object) | 2 |  | Yes |  |  | {BF967A9C-0DE6-11D0-A285-00AA003049E2} | group |
| OU=Demo,DC=sanao,DC=com | ACE 23 | SANAO\Exchange Enterprise Servers | 20094 | Read (incl. List Obj.) | 1A | Yes |  | Yes | Yes | 5 | Allow (Object) | 2 |  | Yes |  |  | {4828CC14-1437-45BC-9B07-AD6F015E5F28} | inetOrgPerson |
| OU=Demo,DC=sanao,DC=com | ACE 24 | BUILTIN\Pre-Windows 2000 Compatible Access | 20094 | Read (incl. List Obj.) | 1A | Yes |  | Yes | Yes | 5 | Allow (Object) | 2 |  | Yes |  |  | {BF967ABA-0DE6-11D0-A285-00AA003049E2} | user |
| OU=Demo,DC=sanao,DC=com | ACE 25 | BUILTIN\Pre-Windows 2000 Compatible Access | 20094 | Read (incl. List Obj.) | 1A | Yes |  | Yes | Yes | 5 | Allow (Object) | 2 |  | Yes |  |  | {4828CC14-1437-45BC-9B07-AD6F015E5F28} | inetOrgPerson |
| OU=Demo,DC=sanao,DC=com | ACE 26 | BUILTIN\Pre-Windows 2000 Compatible Access | 20094 | Read (incl. List Obj.) | 1A | Yes |  | Yes | Yes | 5 | Allow (Object) | 2 |  | Yes |  |  | {BF967A9C-0DE6-11D0-A285-00AA003049E2} | group |

To better examine the results:
1. Right-click the table in IE and select Export to Microsoft Excel.
2. In Excel's Data menu, select Filter => AutoFilter.
3. Use the drop-down lists on the header row to see the selection of values
    or to filter rows.
4. Click cell B2.
5. In Excel's Window menu, select Freeze Panes.

Tip

Every now and then, use this script to take a snapshot of the permissions
in your domain. By comparing the snapshots, you can track any changes to the
permissions.

Color Legend

An Allow ACE that is non-inherited
An Allow ACE that is inherited
A Deny ACE that is non-inherited
A Deny ACE that is inherited

This report was generated at 11/1/2006 11:04:21 PM by ADReport,
a program by Sakari Kouti (see http://www.kouti.com)