DACL & Active Directory

Hi,

If someone can help with suggestion.

Problem:

I want to set permissions on OU for group.

I want give this group permission to create user, group and OU objects and also give Full permission over those objects.

I almost succeeded but I have problem with giving Full control over user and group objects(I attached screenshoot) and can't find what I'm missing.
I always get 'Apply to' = Special, I checked GUID but everything seems OK.
For OU works fine.

Code:

'http://msdn.microsoft.com/en-us/library/ms683980(VS.85).aspx
Dim userGUID As New Guid("{bf967aba-0de6-11d0-a285-00aa003049e2}")
Dim groupGUID As New Guid("{bf967a9c-0de6-11d0-a285-00aa003049e2}")
Dim OrganizationalUnitGUID As New Guid("{bf967aa5-0de6-11d0-a285-00aa003049e2}")


AD.AddAccessRule("LDAP://"; + strPOU, AD.NTaccountToSID("Padmins_" + intPacketID.ToString), _
DirectoryServices.ActiveDirectoryRights.GenericAll, _
System.Security.AccessControl.AccessControlType.Allow, _
DirectoryServices.ActiveDirectorySecurityInheritance.SelfAndChildren, _
userGUID)

AD.AddAccessRule("LDAP://"; + strPOU, AD.NTaccountToSID("Padmins_" + intPacketID.ToString), _
DirectoryServices.ActiveDirectoryRights.GenericAll, _
System.Security.AccessControl.AccessControlType.Allow, _
DirectoryServices.ActiveDirectorySecurityInheritance.SelfAndChildren, _
groupGUID)

'OU --> THIS WORK OK
AD.AddAccessRule("LDAP://"; + strPOU, AD.NTaccountToSID("Padmins_" + intPacketID.ToString), _
DirectoryServices.ActiveDirectoryRights.GenericAll, _
System.Security.AccessControl.AccessControlType.Allow, _
DirectoryServices.ActiveDirectorySecurityInheritance.SelfAndChildren, _
OrganizationalUnitGUID)


Sub AddAccessRule(ByVal organizationalUnitName As String, ByVal AccountSID As SecurityIdentifier, ByVal adRights As ActiveDirectoryRights, ByVal acType As AccessControlType, ByVal iFlags As ActiveDirectorySecurityInheritance, ByVal strGUID As Guid)

Dim myEntry As New DirectoryEntry(organizationalUnitName)
Dim ADsd As ActiveDirectorySecurity
Dim rule As ActiveDirectoryAccessRule

rule = New ActiveDirectoryAccessRule(AccountSID, adRights, acType, iFlags, strGUID)

ADsd = myEntry.ObjectSecurity

ADsd.AddAccessRule(rule)

myEntry.CommitChanges()
myEntry.Dispose()

End Sub


Attachment: ADsec-1.png
Description: PNG image

Relevant Pages

  • Re: DACL & Active Directory
    ... GUI first and then reverse engineer the actual ACEs you need to set in the ... Dim OrganizationalUnitGUID As New ... As SecurityIdentifier, ByVal adRights As ActiveDirectoryRights, ByVal ... Dim myEntry As New DirectoryEntry ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: VBScript runtime error: 800A0046 Permission denied: GetObject
    ... Can you get it to echo the strDomain, strUserName values? ... Dim SMSNetwork ... "Domain Admins") Then MapLDrive = FALSE ... Directory I need to go to re-establish permission. ...
    (microsoft.public.windows.server.active_directory)
  • Re: security/strong name/zones clarification needed
    ... Dim zz As New System.Security.PermissionSet ... >> When assemblies are ... >>>needs to host the CLR, it creates an AppDomain, but due ... >>>will recieve the permission grant you expect (in this ...
    (microsoft.public.dotnet.security)
  • Re: Read Exchange calendar with a VB script
    ... I thought it might be a permission ... Is there any other way to access the mailboxes ... > Dim objSession As MAPI.Session ... > Dim objMessages As MAPI.Messages ...
    (microsoft.public.win32.programmer.messaging)
  • Re: System.IO.File.Copy + NTFS Streams + special ACLs
    ... See the Secure Class Libraries and Requesting permission links. ... Sub CopyFileWithoutStreams(ByVal sourceFileName As String, ByVal destFileName As String, Optional ByVal buffersize As Integer = &HFFFFUI) ... Dim sr As New System.IO.FileStream(sourceFileName, ... End Sub ...
    (microsoft.public.dotnet.languages.vb)