ANSSI-FR / AD-control-paths

Active Directory Control Paths auditing and graphing tools
https://www.sstic.org/2014/presentation/chemins_de_controle_active_directory/

Improving the performance of the export of security descriptors #2

Closed vletoux closed 9 years ago

vletoux commented 9 years ago

Hi,

I'm looking at LdapDump (Dump\Src\LdapDump) to be able to quickly export the extended permissions which were set on the AD. Indeed, you've done amazing work, and by using the LDAP interface you are using the quickest path I know.

But it is running very slowly on my big AD & on a workstation, and I wanted to understand why (#1). I plan to run it very often to catch whether somebody modified some permissions. I set a breakpoint and found out that the results are not paged (only one result per page).

Is this problem related to the DC (configuration, ...) or to the program itself? (In other words: can you reproduce this problem?)

Regards, Vincent

eg-anssi commented 9 years ago

Hello,

It's not related to the DC configuration; it is the program itself. During development, we encountered bogus results when setting PageSize to big values in ldap_get_next_page_s(). That's why it is defined as 1 (see the AD_LDAP_SEARCH_LIMIT definition).

This setting should not hurt performance too much. However, dumping is slow on big Active Directories; this is a known issue.