Based on this I use library https://github.com/Tirasa/ADSDDL for manipulating SDDL
implementation("net.tirasa:adsddl:1.9")
To enable flag user cannot change password
I use following code line:
SDDLHelper.userCannotChangePassword(sddl, true)
But when I go to Windows ADAC (Active Directory Administrative Center) I see the message that my aces are not in canonical order and it offers me to reorder them.
As a result I get the following aces in DACL:
P(OA;;[16];4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-1313564838-424579665-4250201628-553)
(OA;;[16];5f202010-79a5-11d0-9020-00c04fc2d4cf;;S-1-5-21-1313564838-424579665-4250201628-553)
(OA;;[16];bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;S-1-5-21-1313564838-424579665-4250201628-553)
(OA;;[16];037088f8-0ae1-11d2-b422-00a0c968f939;;S-1-5-21-1313564838-424579665-4250201628-553)
(OA;;WP[16];bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1313564838-424579665-4250201628-517)
(OA;;[16];46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)
(OA;;WP[16];6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)
(OA;;WP[16];5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)
(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-1-0)
(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-5-10)
(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;S-1-5-10)
(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;S-1-5-10)
(OA;;[16];59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;S-1-5-11)
(OA;;[16];e48d0154-bcf8-11d1-8702-00c04fb96050;;S-1-5-11)
(OA;;[16];77b5b886-944a-11d1-aebd-0000f80367c1;;S-1-5-11)
(OA;;[16];e45795b3-9455-11d1-aebd-0000f80367c1;;S-1-5-11)
(OA;;WP[16];77b5b886-944a-11d1-aebd-0000f80367c1;;S-1-5-10)
(OA;;WP[16];e45795b2-9455-11d1-aebd-0000f80367c1;;S-1-5-10)
(OA;;WP[16];e45795b3-9455-11d1-aebd-0000f80367c1;;S-1-5-10)
(A;;WOWDRCSDCRWP[223];;;S-1-5-21-1313564838-424579665-4250201628-512)
(A;;WOWDRCSDCRWP[223];;;S-1-5-32-548)
(A;;RC;;;S-1-5-11)
(A;;RC[148];;;S-1-5-10)
(A;;WOWDRCSDCRWP[223];;;S-1-5-18)
(OA;CIIOID;[16];4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)
(OA;CIID;[16];4c164200-20c0-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)
(OA;CIIOID;[16];5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)
(OA;CIID;[16];5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)
(OA;CIIOID;[16];bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)
(OA;CIID;[16];bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)
(OA;CIIOID;[16];59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)
(OA;CIID;[16];59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)
(OA;CIIOID;[16];037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)
(OA;CIID;[16];037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)
(OA;CIID;WP[16];5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-1313564838-424579665-4250201628-526)
(OA;CIID;WP[16];5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-1313564838-424579665-4250201628-527)
(OA;CIIOID;[8];9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-3-0)
(OA;CIIOID;[8];9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)
(OA;CIIOID;[16];b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-9)
(OA;CIIOID;[16];b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-9)
(OA;CIID;[16];b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-9)
(OA;CIIOID;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-10)
(OA;CIIOID;RC[148];;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-32-554)
(OA;CIIOID;RC[148];;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)
(OA;CIID;RC[148];;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-32-554)
(OA;CIIDOI;WP[16];3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;S-1-5-10)
(OA;CIID;CRWP[16];91e647de-d96f-4b70-9557-d63ff4f3ccd8;;S-1-5-10)
(A;CIID;WOWDRCSDCRWP[223];;;S-1-5-21-1313564838-424579665-4250201628-519)
(A;CIID;[4];;;S-1-5-32-554)
(A;CIID;WOWDRCSDCRWP[157];;;S-1-5-32-544)
I've understood the root cause is in fragment:
(OA;;WP[16];5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)
(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-1-0)
(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;S-1-5-10)
(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;S-1-5-10)
As I understood all OD
should be before all OA
. But I want to decide the general issue and implement sorting. Where can I find all rules for sorting ?
I've found this but I don't understand what is:
Explicit ACEs
Deny ACEs
Regular ACEs
object ACEs
How can I identify them in code.
You are actually asking how you can identify these types in the code. you can inspect the SDDL strings for patterns / specific ACE types. FYI, Deny ACEs typically begin with "D:" in the SDDL, while Allow ACEs start with "A:". So you examine the prefixes
I wrote a small demo in C++ and here it is: