Showing Hidden Attributes in Active Directory Advanced Security

Summary

Most Active Directory object classes have hundreds of possible attributes. It's obviously not reasonable to put them all in the GUI, and even though Microsoft did everyone a favor by introducing the Attribute Editor tab in Server 2008, that doesn't help those who need to manage access to those attributes in the Advanced Security Settings dialog, which filters most of them out of its permission entries. Yes, the security assignment can be done via PowerShell, but I often encounter users who aren't familiar with its syntax/output, and a screenshot showing checkboxes is far more useful than trying to explain a block of PowerShell text.

There are ways to display attributes in Active Directory Users and Computers (ADUC) by modifying the schema, but customizing the schema is bad (mmkay?), and we're more concerned with displaying these attributes in the Advanced Security list than with reporting the values in them. Thankfully, we can accomplish this on a per-client basis without touching the directory itself: the dssec.dat file.

Assuming your computer has the default Windows install path and the Active Directory RSAT tools have been enabled, the dssec.dat file should be located under C:\Windows\system32, and you don't even need to unhide protected system files to see it. It is a plain text file organized into one [class] section per object class, with each attribute of that class listed as attribute=code; across all classes that adds up to 10,000+ entries, and it controls what the ACL editor in ADUC displays on that client. This is where you make the change to view the attributes you want (note that writing a file under system32 requires administrator rights). Now is when I remind you to make a backup of the original dssec.dat file so you can revert at any time. I usually save a copy in the same directory and append _orig to the file name so it's always handy.

Each attribute is followed by a display code; here are the ones you care about:

  • 7: Filtered (hidden from the Advanced Security list)
  • 0: Display both the Read and Write options
  • 1: Display only the Read option
  • 2: Display only the Write option

For most purposes, you'll want to set 0, if for no other reason than to keep it consistent with every other attribute in the Advanced Security list. Again, the change is only visible on machines that have the modified dssec.dat file, so you don't have to worry about exposing the option to other users. That said, exposing the option shouldn't be a big deal anyway: dssec.dat is purely a display filter for the ACL editor, not an access control. An attribute hidden from the GUI can still have permissions granted on it, and be written, by anyone who already holds the right to do so through PowerShell or any other LDAP client, and someone without that right gains nothing from seeing the checkbox. Secure the directory's ACLs, not the dialog.

Example 1

I want to expose the City attribute in Advanced Security to prove to a developer that their service account does indeed have the ability to write it.

After making a backup copy of the dssec.dat file and opening it in Notepad (run as administrator, since the file lives under system32), I navigate to the [user] section and find the l (lower case L) attribute, which is the LDAP display name behind the City field. I change its line from l=7 to l=0 and save the file.

After closing all open instances of ADUC, I open the tool again, and the attribute now shows up in the permission entries, so I can send the developer a screenshot proving the service account has the ability to write it.

Example 2

I want to grant the ability to create/modify/delete groupOfNames objects to a vendor's service account in a specified OU and send them confirmation that their service account has the requested permissions.

After making a backup copy of the dssec.dat file and opening it in Notepad, I navigate to the [groupOfNames] section and remove the @=7 entry. The "@" entry is self-referential: it stands for the object class itself rather than one of its attributes, and in this case it dictates whether the Create and Delete options for groupOfNames objects are available in the standard Permissions section of Advanced Security.

After closing all open instances of ADUC, I open the tool again and am now able to show that the service account has both create/delete and manage permissions on groupOfNames objects in that OU.
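Both examples are the same edit applied to a different section of the file, so here is that edit scripted. This is an added example, not code from the original post; it assumes the dssec.dat layout described above ([class] section headers followed by attribute=code lines, with @ for the class itself) and the default paths, and the function names (Backup-Dssec, Restore-Dssec, Set-DssecEntry) are mine. Run it from an elevated PowerShell prompt, since the file lives under System32.

```powershell
# Added example, not code from the original post. Assumes the dssec.dat layout the post
# describes: "[class]" section headers followed by "attribute=code" lines (codes 0/1/2/7),
# with "@" as the entry for the class itself. Default paths and the "_orig" backup name
# follow the post. Run from an elevated prompt: writing to System32 needs admin rights.

$DssecPath  = Join-Path $env:SystemRoot 'System32\dssec.dat'
$BackupPath = Join-Path $env:SystemRoot 'System32\dssec_orig.dat'

function Backup-Dssec {
    # Keep the first backup untouched so the shipped file can always be restored.
    if (-not (Test-Path -Path $BackupPath)) {
        Copy-Item -Path $DssecPath -Destination $BackupPath
    }
}

function Restore-Dssec {
    # Put the original back (close ADUC first, as the post notes).
    Copy-Item -Path $BackupPath -Destination $DssecPath -Force
}

function Set-DssecEntry {
    <#
      Rewrites one "<Attribute>=<code>" line inside the [<Class>] section.
        -Code 0 = show Read and Write, 1 = Read only, 2 = Write only, 7 = filtered.
        -Attribute '@' targets the class's own entry (Create/Delete options).
        -Remove deletes the line instead of changing its code.
      Returns $true if a line was changed or removed, $false otherwise.
    #>
    param(
        [Parameter(Mandatory)] [string] $Class,
        [Parameter(Mandatory)] [string] $Attribute,
        [ValidateSet(0, 1, 2, 7)] [int] $Code = 0,
        [switch] $Remove
    )

    if (Get-Process -Name mmc -ErrorAction SilentlyContinue) {
        Write-Warning 'An MMC console is open; close ADUC so it picks up the change on next launch.'
    }

    Backup-Dssec

    $lines        = Get-Content -Path $DssecPath
    $output       = New-Object System.Collections.Generic.List[string]
    $inClass      = $false
    $foundClass   = $false
    $changed      = $false
    # "attribute=" anchored at the start of the line; Escape handles "@" and any dashes.
    $entryPattern = '^' + [regex]::Escape($Attribute) + '='

    foreach ($line in $lines) {
        if ($line -match '^\[(.+)\]\s*$') {
            # Section header: track whether we are inside the requested class.
            $inClass = ($Matches[1] -eq $Class)   # string -eq is case-insensitive
            if ($inClass) { $foundClass = $true }
            $output.Add($line)
            continue
        }
        if ($inClass -and -not $changed -and $line -match $entryPattern) {
            $changed = $true
            if ($Remove) { continue }             # drop the line (Example 2: @=7)
            $output.Add("$Attribute=$Code")       # rewrite it (Example 1: l=7 -> l=0)
            continue
        }
        $output.Add($line)
    }

    if (-not $foundClass) { Write-Warning "No [$Class] section in $DssecPath"; return $false }
    if (-not $changed)    { Write-Warning "No '$Attribute=' entry under [$Class]"; return $false }

    # Write back as plain ASCII with no BOM, matching the shipped file.
    Set-Content -Path $DssecPath -Value $output.ToArray() -Encoding ASCII
    return $true
}

# Example 1 from the post: expose City (LDAP display name "l") under [user], Read and Write.
Set-DssecEntry -Class 'user' -Attribute 'l' -Code 0

# Example 2 from the post: drop "@=7" under [groupOfNames] so the Create/Delete options appear.
Set-DssecEntry -Class 'groupOfNames' -Attribute '@' -Remove

# To revert at any time: Restore-Dssec
```

The function only ever touches the first matching line inside the named section, warns (and returns $false) if the section or entry is not there, and writes the file back as ASCII so the result is byte-for-byte the same format Notepad would produce. Remember that this changes nothing in the directory: after restarting ADUC the checkbox is visible, but whether it is ticked is still decided by the ACE on the object.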
