Protect from Accidental Deletion #39

Open
IsaiahSHanson opened this issue Dec 21, 2021 · 10 comments
Comments

@IsaiahSHanson

Hi! I’ve tried looking through the docs but couldn’t figure out how to set any security descriptors. What I’m trying to do specifically is protect an OU from accidental deletion. Any assistance appreciated!

@zorn96
Owner

zorn96 commented Dec 21, 2021

hi @isaiahh1013 ! so you'll obviously want to create a session, then you'll want to use the function set_object_security_descriptor - the docs for it can be found here: https://ms-active-directory.readthedocs.io/en/latest/ad_session.html

so you'll need to create the OU first, and then read and modify the security descriptor afterwards. when you're creating an OU directly in the interface on a domain controller, the checkbox for "protect from accidental deletion" will modify the default security descriptor at creation time.
however, knowing the default security descriptor involves computation of domain policies, inherited ACEs, etc. and would be very very complicated for you to do, since it seems like you're not totally familiar with ACEs. so I'd recommend doing it as a 2 step create + update

once you create the OU, you can get its security descriptor using find_security_descriptor_for_object and passing in the LDAP distinguished name of the OU (e.g. OU=example-org,DC=example,DC=com).
this will return a SelfRelativeSecurityDescriptor

now, I haven't actually created helpers specifically for DENY ACEs, and I apologize for that. they're not super commonly used, but I'll add helpers for them in the future.
so what you'll want to do next is create new DENY ACEs for deletion by looking at the function create_ace_for_allow_access and modeling what you do after that (but using the AccessDeniedAce instead of AccessAllowedAce)
you'll want to use WellKnownSID.EVERYONE as the SID to deny access to so that nobody can delete the object without removing that ACE first (which requires admin/owner privileges)

then you can prepend that ace to the DACL of the SelfRelativeSecurityDescriptor that got returned earlier by doing my_returned_sec_descriptor['Dacl'].prepend_ace(the_ace_you_just_made) (deny aces go first, so we prepend)
and then you can call set_object_security_descriptor with the LDAP distinguished name of the OU and pass in your modified security descriptor my_returned_sec_descriptor

sorry this isn't simpler - ACLs in active directory are inherently fairly complex. if you want me to review your code once you implement the above, feel free to post it in this thread and I can take a look.
I'm planning to do some work on this library in the next few days as I have some time off, so I'll look at making this easier
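As an added, stand-alone illustration of why the deny ACE has to be prepended rather than appended (this is not code from ms_active_directory or from anyone in this thread), the block below models the Windows DACL evaluation order with a deny-Everyone entry. The access-mask bits and the Everyone SID are standard Windows values; the admin SID is a constructed sample, and using DELETE | DELETE_TREE as the "deletion" rights is an assumption on my part.

```python
from dataclasses import dataclass
from typing import List, Set
# Standard Windows access-mask bits for AD objects (real constants).
DELETE         = 0x00010000  # standard right: delete this object
DS_DELETE_TREE = 0x00000040  # ADS_RIGHT_DS_DELETE_TREE: delete subtree
DS_READ_PROP   = 0x00000010  # ADS_RIGHT_DS_READ_PROP
GENERIC_ALL    = 0x10000000  # full control

EVERYONE_SID = "S-1-1-0"             # the SID behind WellKnownSID.EVERYONE
ADMIN_SID    = "S-1-5-21-1-2-3-500"  # constructed sample account SID

@dataclass
class Ace:
    ace_type: str  # "ALLOW" (AccessAllowedAce) or "DENY" (AccessDeniedAce)
    sid: str
    mask: int

def access_check(dacl: List[Ace], token_sids: Set[str], requested: int) -> bool:
    """Simplified Windows access check, walking the DACL in order: a matching
    DENY covering any still-ungranted requested bit refuses at once, ALLOWs
    accumulate bits; a deny placed after a satisfying allow is never reached."""
    granted = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        effective = 0xFFFFFFFF if ace.mask & GENERIC_ALL else ace.mask
        if ace.ace_type == "DENY" and effective & (requested & ~granted):
            return False
        if ace.ace_type == "ALLOW":
            granted |= effective & requested
            if granted == requested:
                return True
    return False  # empty DACL or nothing matched: no access

def protect_from_deletion(dacl: List[Ace]) -> List[Ace]:
    """Prepend a deny-deletion ACE for Everyone (the thread's prepend_ace step)."""
    deny = Ace("DENY", EVERYONE_SID, DELETE | DS_DELETE_TREE)
    return [deny] + list(dacl)

def demo() -> dict:
    token = {ADMIN_SID, EVERYONE_SID}  # every principal is a member of Everyone
    original = [Ace("ALLOW", ADMIN_SID, GENERIC_ALL)]
    protected = protect_from_deletion(original)
    appended = original + [Ace("DENY", EVERYONE_SID, DELETE | DS_DELETE_TREE)]
    return {
        "before": access_check(original, token, DELETE),                 # True
        "protected": access_check(protected, token, DELETE),             # False
        "appended_deny": access_check(appended, token, DELETE),          # True (wrong order)
        "still_can_read": access_check(protected, token, DS_READ_PROP),  # True
    }
```

The "appended_deny" case is the trap: with the deny entry after a full-control allow, the allow satisfies the request first and the deny is never evaluated, so the OU is still deletable.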

@zorn96 zorn96 self-assigned this Dec 21, 2021
@zorn96 zorn96 added the question Further information is requested label Dec 21, 2021
@IsaiahSHanson
Author

Thank you so much! I will see if I can implement this in code. This is my first time touching the security descriptors, so we will see if I can get this to work. Will you let me know if this is implemented in this library? I would be glad to test.

@IsaiahSHanson
Author

@zorn96 Currently, I am struggling to create an ADSession. What I currently have is:

session = ADSession(ldap_connection=conn, domain='domain.com')

The error that shoots out is failing on line 113 in ad_session.py: 'str' object has no attribute 'get_domain_dns_name'

@IsaiahSHanson
Author

Disregard, I forgot to create an ADDomain object.

However, I'm not finding a function called create_ace_for_allow_access(). Could you clarify where to find this?

@zorn96
Owner

zorn96 commented Dec 22, 2021

create_ace_for_allow_access is in the security_descriptor_utils module. so the import would be

from ms_active_directory.environment.security.security_descriptor_utils import create_ace_for_allow_access

@IsaiahSHanson
Author

Thank you @zorn96! I will continue to work on my code next week to see if I can officially pull this off. Your module seems to be very well written. I would like to keep the issue open in the event I have issues. The current issue I'm having is calling the deny ace function you have. It's asking for an access mask object, which I have tried but failed to create. Could you give me an example of how to use it?

@IsaiahSHanson
Author

Hi @zorn96 ! I tried coding up your process that you sent me, however I'm having trouble now setting the descriptor. Do you by chance have any code I can mock to create this process? I'm stuck at the part for setting the ace on the OU after I prepended the new ACL. Also, how would I pull your dev branch? Thank you!

@IsaiahSHanson
Author

Hi @zorn96. I managed to get this to work. Do you have an ETA on when this could be pushed to the main branch?

@aabuhasna

Hi @isaiahh1013, would you please share a code sample to view the status of this property?

@IsaiahSHanson
Author

This thread is still unresolved. We got close, but no solution yet.
