Write DACL


The Source security principal has the permission to change the permissions of the Target object in the Discretionary Access Control List (DACL). This allows the Source to obtain for themselves, or give to someone else, additional rights and ultimately compromise the Target object.


Attackers who compromise the Source security principal only have to edit the Target object's security descriptor using native Windows commands such as "dsacls", PowerShell such as "Set-ACL", administration tools such as "Active Directory Users and Computers", or dedicated hacker tools such as PowerSploit.


If the Source security principal does not have legitimate permission to change the permissions of the Target object, then you must remove this permission.

To modify the Target object's security descriptor:

  1. In "Active Directory Users and Computers", right-click the object then Properties > Security > Advanced.

  2. Remove the "Modify permissions" permission for the Source security principal.

Note: An object can inherit this permission from an object higher in the Active Directory tree.

See also