How to sort SDDL DACL aces in canonical order?


Based on this, I use the library https://github.com/Tirasa/ADSDDL for manipulating SDDL:

implementation("net.tirasa:adsddl:1.9")

To enable the "user cannot change password" flag, I use the following line of code:

SDDLHelper.userCannotChangePassword(sddl, true)

But when I go to Windows ADAC (Active Directory Administrative Center), I see a message that my ACEs are not in canonical order, and it offers to reorder them.
As a result I get the following ACEs in the DACL:

P(OA;;[16];4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-1313564838-424579665-4250201628-553)
(OA;;[16];5f202010-79a5-11d0-9020-00c04fc2d4cf;;S-1-5-21-1313564838-424579665-4250201628-553)
(OA;;[16];bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;S-1-5-21-1313564838-424579665-4250201628-553)
(OA;;[16];037088f8-0ae1-11d2-b422-00a0c968f939;;S-1-5-21-1313564838-424579665-4250201628-553)
(OA;;WP[16];bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1313564838-424579665-4250201628-517)
(OA;;[16];46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)
(OA;;WP[16];6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)
(OA;;WP[16];5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)
(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-1-0)
(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-5-10)
(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;S-1-5-10)
(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;S-1-5-10)
(OA;;[16];59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;S-1-5-11)
(OA;;[16];e48d0154-bcf8-11d1-8702-00c04fb96050;;S-1-5-11)
(OA;;[16];77b5b886-944a-11d1-aebd-0000f80367c1;;S-1-5-11)
(OA;;[16];e45795b3-9455-11d1-aebd-0000f80367c1;;S-1-5-11)
(OA;;WP[16];77b5b886-944a-11d1-aebd-0000f80367c1;;S-1-5-10)
(OA;;WP[16];e45795b2-9455-11d1-aebd-0000f80367c1;;S-1-5-10)
(OA;;WP[16];e45795b3-9455-11d1-aebd-0000f80367c1;;S-1-5-10)
(A;;WOWDRCSDCRWP[223];;;S-1-5-21-1313564838-424579665-4250201628-512)
(A;;WOWDRCSDCRWP[223];;;S-1-5-32-548)
(A;;RC;;;S-1-5-11)
(A;;RC[148];;;S-1-5-10)
(A;;WOWDRCSDCRWP[223];;;S-1-5-18)
(OA;CIIOID;[16];4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)
(OA;CIID;[16];4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)
(OA;CIIOID;[16];5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)
(OA;CIID;[16];5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)
(OA;CIIOID;[16];bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)
(OA;CIID;[16];bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)
(OA;CIIOID;[16];59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)
(OA;CIID;[16];59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)
(OA;CIIOID;[16];037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)
(OA;CIID;[16];037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)
(OA;CIID;WP[16];5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-1313564838-424579665-4250201628-526)
(OA;CIID;WP[16];5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-1313564838-424579665-4250201628-527)
(OA;CIIOID;[8];9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-3-0)
(OA;CIIOID;[8];9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)
(OA;CIIOID;[16];b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-9)
(OA;CIIOID;[16];b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-9)
(OA;CIID;[16];b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-9)
(OA;CIIOID;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)
(OA;CIIOID;RC[148];;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)
(OA;CIIOID;RC[148];;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)
(OA;CIID;RC[148];;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)
(OA;CIIDOI;WP[16];3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;S-1-5-10)
(OA;CIID;CRWP[16];91e647de-d96f-4b70-9557-d63ff4f3ccd8;;S-1-5-10)
(A;CIID;WOWDRCSDCRWP[223];;;S-1-5-21-1313564838-424579665-4250201628-519)
(A;CIID;[4];;;S-1-5-32-554)
(A;CIID;WOWDRCSDCRWP[157];;;S-1-5-32-544)

I've understood that the root cause is in this fragment:

(OA;;WP[16];5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)
(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-1-0)
(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-5-10)
(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;S-1-5-10)

As I understand it, all OD should come before all OA. But I want to solve the general issue and implement sorting. Where can I find all the rules for sorting?

I've found this, but I don't understand what these are:

Explicit ACEs
Deny ACEs
Regular ACEs
object ACEs

How can I identify them in code?

There are 1 answers

Michael Haephrati On

You are actually asking how you can identify these types in the code. You can inspect the SDDL strings for patterns / specific ACE types. FYI, Deny ACEs typically begin with "D:" in the SDDL, while Allow ACEs start with "A:". So you examine the prefixes.

I wrote a small demo in C++ and here it is:

#include <iostream>
#include <algorithm>
#include <string>
#include <vector>

// Your ACE structure
struct ACE
{
    std::string type;        // "OA" -> Allow, "OD" -> Deny
    std::string rights;      // Access rights
    std::string objectType;  // Object type (optional - if applicable)
    std::string trustee;     // Trustee identifier
};

// Comparator function for sorting ACEs
bool compareACEs(const ACE& ace1, const ACE& ace2)
{
    // Use your own sorting here. This is just an example...
    if (ace1.type != ace2.type)
    {
        return ace1.type < ace2.type;
    }
    if (ace1.rights != ace2.rights)
    {
        return ace1.rights < ace2.rights;
    }
    return ace1.trustee < ace2.trustee;
}

int main()
{
    // Sample ACEs
    std::vector<ACE> aces = 
    {
        {"OA", "WP[16]", "", "S-1-5-32-561"},
        {"OD", "CR", "", "S-1-1-0"},
        {"OD", "CR", "", "S-1-5-10"},
        {"OA", "CR", "", "S-1-5-10"}
        // Here you can add more ACEs as needed
    };

    // Sort the ACEs using the compareACEs function where you put your own sorting
    // scheme.
    std::sort(aces.begin(), aces.end(), compareACEs);

    // our output
    for (const auto& ace : aces)
    {
        std::cout << "(" << ace.type << ";;" << ace.rights << ";" << ace.objectType << ";;" << ace.trustee << ")" << std::endl;
    }

    return 0;
}
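An added example, not part of the answer above and not code from the ADSDDL library: it classifies each ACE of an SDDL DACL and reorders it by the Windows canonical rule (explicit ACEs before inherited ones, and deny before allow within the explicit group). The function names are hypothetical; it assumes plain ACEs without conditional expressions (no nested parentheses) and leaves inherited ACEs in their existing relative order, since the inheritance level cannot be read from the SDDL text.

```cpp
#include <algorithm>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// One SDDL ACE "(type;flags;rights;object_guid;inherit_guid;sid)": full text, type, flags.
struct Ace { std::string text, type, flags; };

bool isDeny(const Ace& a)      { return a.type == "D" || a.type == "OD"; }
bool isObjectAce(const Ace& a) { return a.type == "OA" || a.type == "OD"; }
bool isInherited(const Ace& a) {  // ID flag; the flags field is a run of 2-char codes
    for (std::size_t i = 0; i + 1 < a.flags.size(); i += 2)
        if (a.flags.compare(i, 2, "ID") == 0) return true;
    return false;
}

// 0 = explicit deny, 1 = explicit allow, 2 = inherited (relative order kept)
int canonicalRank(const Ace& a) { return isInherited(a) ? 2 : (isDeny(a) ? 0 : 1); }

std::vector<Ace> parseAces(const std::string& dacl) {
    std::vector<Ace> out;
    for (std::size_t open = dacl.find('('); open != std::string::npos;) {
        std::size_t close = dacl.find(')', open);
        if (close == std::string::npos) throw std::invalid_argument("unterminated ACE");
        std::string body = dacl.substr(open + 1, close - open - 1);
        std::size_t s1 = body.find(';'), s2 = body.find(';', s1 + 1);
        if (s2 == std::string::npos) throw std::invalid_argument("malformed ACE");
        out.push_back({dacl.substr(open, close - open + 1),
                       body.substr(0, s1), body.substr(s1 + 1, s2 - s1 - 1)});
        open = dacl.find('(', close);
    }
    return out;
}

std::string canonicalize(const std::string& dacl) {
    std::vector<Ace> aces = parseAces(dacl);
    std::stable_sort(aces.begin(), aces.end(), [](const Ace& x, const Ace& y) {
        return canonicalRank(x) < canonicalRank(y); });
    std::string out = dacl.substr(0, dacl.find('('));  // keep DACL flags such as "P"
    for (const Ace& a : aces) out += a.text;
    return out;
}

int main() {
    // Constructed input: the question's four-ACE fragment with the object GUIDs dropped.
    std::cout << canonicalize("P(OA;;WP;;;S-1-5-32-561)(OD;;CR;;;S-1-1-0)"
                              "(OD;;CR;;;S-1-5-10)(OA;;CR;;;S-1-5-10)") << "\n";
}
```

A malformed ACE raises an exception instead of being skipped, so a rewritten DACL never silently loses an entry.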