4. DACLs
You can look up the ACEs in the DACL of a specific object by typing the object's `sAMAccountName` or `DN` in the input field and hitting `ENTER`.
Note that modifying ACEs can lead to unexpected results, especially on sensitive objects like the root of a domain and without proper testing. Please test any ACE modification before applying it, and create an issue if you find any bugs.
You can create a new ACE in the found DACL by using the `Ctrl+N` keybinding.

The first step is to choose the `ACE Kind` for the ACE you want to create.

Then write the target for your ACE under the `Principal` field. In AD, this is typically a computer or user principal. Hit `ENTER` afterwards, so that godap maps the correct `Trustee` field in the preview.

Then specify the remaining fields `Type`/`No Propagate`/`Applies To`, select the desired privileges under `Permissions`, review the `New ACE`, and finally click `Update` to actually add the ACE.

You can also edit an existing ACE in the found DACL by selecting it and using the `Ctrl+E` keybinding. The mechanics of this page are the same as in the Creating an ACE page, except that the `Current ACE` panel and the current ACE settings on the left are prefilled with the values of the selected ACE.

To delete an ACE, simply select it and hit the `Delete` keybinding. You must confirm the removal before the action is applied.

The raw security descriptor of an object, along with its parsed DACL, can be exported to a JSON file by selecting the DACL panel after the search and hitting `Ctrl+S`.
- Parsing DACLs is hard and this module is very experimental. Most of my use cases seem to work well and we haven't had critical issues yet, so I assume everything is working, but there might be some bugs.
- In particular, it's hard to keep track of the current list of GUIDs for every AD permission, so godap can receive an optional `-s` flag on the command line to make it query the current GUIDs from the Schema partition after connecting. This flag can make more permissions show up with the "right text" in the DACL page.
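As an added example (not godap's own code), the Go snippet below shows the two steps behind the lookup that the `-s` flag's schema query makes possible: converting the 16-byte `schemaIDGUID`/`rightsGuid` value as AD stores it into its textual form, and resolving an ACE's object-type GUID to its "right text". The function names, the map type and the sample GUID are constructed here and are not taken from godap.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

// rightsByGUID maps a lower-case GUID string to the name of the schema
// attribute, class or extended right it identifies. A real implementation
// fills it from the Schema/Configuration partitions; the entries here are constructed.
type rightsByGUID map[string]string

// guidFromAD converts the 16-byte value AD stores in schemaIDGUID/rightsGuid
// (first three fields little-endian, last two big-endian) to canonical text.
func guidFromAD(b []byte) (string, error) {
	if len(b) != 16 {
		return "", fmt.Errorf("guid: want 16 bytes, got %d", len(b))
	}
	return fmt.Sprintf("%08x-%04x-%04x-%x-%x",
		binary.LittleEndian.Uint32(b[0:4]),
		binary.LittleEndian.Uint16(b[4:6]),
		binary.LittleEndian.Uint16(b[6:8]),
		b[8:10], b[10:16]), nil
}

// rightText resolves an ACE's ObjectType GUID (any case, braces optional) to a
// readable name; unknown GUIDs come back unchanged, which is what a viewer
// without the schema data has to display.
func (r rightsByGUID) rightText(objectType string) string {
	key := strings.ToLower(strings.Trim(objectType, "{}"))
	if name, ok := r[key]; ok {
		return name
	}
	return key
}

func main() {
	// Constructed sample: AD byte order of a1b2c3d4-e5f6-0718-8a9b-0c1d2e3f4a5b.
	raw := []byte{0xd4, 0xc3, 0xb2, 0xa1, 0xf6, 0xe5, 0x18, 0x07,
		0x8a, 0x9b, 0x0c, 0x1d, 0x2e, 0x3f, 0x4a, 0x5b}
	g, err := guidFromAD(raw)
	if err != nil {
		panic(err)
	}
	rights := rightsByGUID{g: "Example-Right"}
	fmt.Println(rights.rightText("{A1B2C3D4-E5F6-0718-8A9B-0C1D2E3F4A5B}"))
}
```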