Results 1 to 6 of 6

Thread: AD corruption?

  1. #1
    Join Date
    Jun 2004

    AD corruption?

    if i run dumpsec on an XP machine to query or dump out user information from a Win2k server running Active Directory, will it corrupt anything on the AD ?

  2. #2
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002

    Well ... dumpsec ...can't say that I've got much experience with it..I've seen it used once in a presentation on security but not in depth ... as far as corruption ..never heard any reports about it corrupting the AD. But maybe someone on this forum has.

    Anyway ..Google turned up quite some sites about dumpsec ... I know it's always nice to hear from someone first hand but here is a link to some kind of review about dumpsec : LINK .

    Offcourse there are many more links ... I would advise to read some of them ... but perhaps you allready done that and are looking for some hand on experience from someone?

    Hope this helps somewhat,

    Back when I was a boy, we carved our own IC's out of wood.

  3. #3
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    After checking out microsofts technet site I found this article. link
    Apparently Microsoft see's no problem with using dumpsec and I never had a problem with the tools from systemtools so i reckon you should be ok.

    What's the best tool to dump ACLs?
    Q: I was wondering if there were any tools or techniques to list existing permissions for a given group name across a Windows NT domain. Ours is a particularly large domain and we regularly review permissions using DumpACL, but I was looking for something a little more convenient than manually searching ACLs for an instance of a particular group name. A command line utility that could pipe the result to a text file would be nice.

    A: There is a tool that will do exactly what you need, and it's surprisingly close at hand. By the wording of your question, I have to assume that you are using the graphical interface for DumpACL (now called DumpSec to manually search through file access control lists (ACLs) to identify the group in question. Many are not aware that DumpSec also operates in command-line mode and can generate reports in a number of text file formats. Using DumpSec in command-line mode is as simple as calling it from a command line rather than launching it from Windows Explorer. The following example will run DumpSec in batch mode (the command shown here is line-wrapped for legibility):

    C:\dumpsec> dumpsec.exe /computer=\\server1 /rpt=allsharedirs

    /outfile=c:\reports\output.txt /saveas= tsv

    This report will dump the permissions for all non-administrative shares on \\server1, and it assumes you already have an existing network connection to \\server1 with appropriate privileges (for example, connect to \\server1\IPC$ as Administrator). The report will show owner and permissions but not audit settings, and it is saved as the tab separated value ("tsv") file c:\reports\output.txt. This command could easily be scripted to check a list of servers on a regular basis. Now all you have to do is findstr this output file for the group name that you are interested in, and all relevant references should pop up. For example, to find all occurrences of the "Power Users" group, you could use:

    C:\ dumpsec>findstr /C:"Power Users" c:\reports\output.txt

    \\server1\share1\ server1\Power Users RWXD RWXD

    \\server1\docs\ server1\Power Users o all all

    This pulls each line of the DumpSec output that contains "Power Users," as shown. I have not added the column headers from the original DumpSec report here, but from right to left they are: shared directory/file, Account, Owner, Directory Permissions, and File Permissions. So from the findstr output, we see that for the \\server1\docs share, Power Users are the owner, and they have all permissions for the directory and files therein.

    I hope this gets you started on automating the process of reviewing permissions. Don't forget that DumpSec can also probe many other aspects of Windows NT/Windows 2000 security in the same way, including users, groups, the Registry, printers, policies, rights, and services.

    \"America is the only country that went from barbarism to decadence without civilization in between.\"
    \"The reason we are so pleased to find other people\'s secrets is that it distracts public attention from our own.\"
    Oscar Wilde(1854-1900)

  4. #4
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Button Moon
    In a nut shell......no, it wont corrupt anything on your AD.
    Drugs have taught an entire generation of kids the metric system.


  5. #5
    Senior Member
    Join Date
    Oct 2001
    Bad hardware, specifically disk drives/controllers failing, and bad LDAP scripting/programming is the only thing that I've run across that can corrupt an AD database.

  6. #6
    Shadow Programmer mmelby's Avatar
    Join Date
    Jul 2002
    Ft. Myers, FL
    I have an XP SP2 laptop connected to our W2K domain with 3 AD servers. I have run Dumsec several times with no problems.
    Work... Some days it's just not worth chewing through the restraints...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts