ACL Parsing

Macmod edited this page Feb 14, 2026 · 1 revision

ACEs are included in the Aces array of all AD objects. They are built by ParseBinaryACL(), which parses the nTSecurityDescriptor binary attribute using the TheManticoreProject/winacl library.

ACE attributes:

  • PrincipalSID: SID from the ACE trustee
  • PrincipalType: Resolved object type (User, Group, Computer, etc.) via ResolveACETypes() using SIDCache
  • RightName: Determined from ACE mask and object GUID:
    • Standard Rights: GenericAll, WriteDacl, WriteOwner, GenericWrite, ReadControl
    • Extended rights: GetChanges, GetChangesAll, GetChangesInFilteredSet, UserForceChangePassword, AllowedToAct, AddKeyPrincipal, Enroll
    • Attribute-specific: WriteMember, WriteGPLink, WriteSPN, WritePKINameFlag, WritePKIEnrollmentFlag
    • Mapped via GUID comparison with ACEGuids map
  • IsInherited: Extracted from ACE flags
  • InheritanceHash: Computed via CalculateInheritanceHash() using SHA1 of (SID + Rights + ACE Type + Inherited Object Type)
  • IsPermissionForOwnerRightsSid: True when the trustee SID is the OWNER_RIGHTS SID (S-1-3-4) and the ACE is not inherited
  • IsInheritedPermissionForOwnerRightsSid: True when the trustee SID is OWNER_RIGHTS and the ACE is inherited
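As an added illustration (not code from this project or from winacl), the inheritance hash and the two OWNER_RIGHTS checks listed above can be modelled in Go as follows; the ACE struct, the field order and the "|" separator inside the hash input are assumptions of this example.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// OwnerRightsSID is the well-known OWNER RIGHTS SID named on this page.
const OwnerRightsSID = "S-1-3-4"

// ACE is a constructed stand-in holding only the fields this page describes.
type ACE struct {
	PrincipalSID        string
	RightName           string
	ACEType             string // e.g. "AccessAllowed" or "AccessAllowedObject"
	InheritedObjectType string // schema GUID the ACE is inherited to, "" if none
	IsInherited         bool
}

// CalculateInheritanceHash is SHA1 over SID, rights, ACE type and inherited
// object type. Field order and the "|" separator are assumptions of this
// example. IsInherited is not an input, so an ACE and its inherited copy on
// a child object hash identically.
func CalculateInheritanceHash(a ACE) string {
	sum := sha1.Sum([]byte(strings.Join([]string{
		a.PrincipalSID, a.RightName, a.ACEType, a.InheritedObjectType}, "|")))
	return hex.EncodeToString(sum[:])
}

// IsPermissionForOwnerRightsSid: explicit (non-inherited) ACE for OWNER RIGHTS.
func IsPermissionForOwnerRightsSid(a ACE) bool {
	return a.PrincipalSID == OwnerRightsSID && !a.IsInherited
}

// IsInheritedPermissionForOwnerRightsSid: inherited ACE for OWNER RIGHTS.
func IsInheritedPermissionForOwnerRightsSid(a ACE) bool {
	return a.PrincipalSID == OwnerRightsSID && a.IsInherited
}

func main() {
	// Constructed SIDs; the hash is the same whether or not the ACE is inherited.
	parent := ACE{PrincipalSID: "S-1-5-21-1-2-3-1105", RightName: "GenericAll", ACEType: "AccessAllowed"}
	child := parent
	child.IsInherited = true
	fmt.Println(CalculateInheritanceHash(parent) == CalculateInheritanceHash(child)) // true
	owner := ACE{PrincipalSID: OwnerRightsSID, RightName: "WriteDacl", ACEType: "AccessAllowed"}
	fmt.Println(IsPermissionForOwnerRightsSid(owner), IsInheritedPermissionForOwnerRightsSid(owner)) // true false
}
```

Because the inherited flag is excluded from the hash input, an ACE found on a container and its inherited copy on a child object can be matched by hash alone.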

Special ACE handling:

  • GMSA Readers: Parsed from msDS-GroupMSAMembership binary attribute via ParseGMSAReaders() for user objects
  • RBCD: Parsed from msDS-AllowedToActOnBehalfOfOtherIdentity for computer objects, filtered for GenericAll to populate AllowedToAct
  • AdminSDHolder Protection: Security descriptor hash compared with domain's AdminSDHolder object hash to determine if object is protected