AD DACL Functions: Sort, Compare, Add ACE, Delete ACE

From: Todd Johnson (
Date: 03/01/04

    Date: Mon, 1 Mar 2004 15:57:25 -0600

    We're developing a web app that uses in-house created, custom AD objects and
    are in need of several AD DACL modification & sanity check functions.

    I've seen various samples from MSDN, TechNet, etc that can Add/Remove/Sort
    ACEs in a DACL but there seems to be no comprehensive Microsoft utilities /
    functions / samples to do this.

    I'm familiar with ADSI and AD programming using VB & VBScript, but just
    don't have the time to interpret all the various samples, documentation, etc
    and develop the solution in the next couple of days.

    I need to be able to perform the following functions repetitively in a
    vbscript-based (asp, wsh, etc) administrative app:

    1. Read/List/Dump ACE entries in a DACL for several object types (OUs,
    users, groups, custom objects)
    2. A "windiff-like" compare for previous object DACL dumps to current
    DACLs. For "sanity checks" or AD security verifications.
    3. Set an ACE in the DACL (properly sorted and walk the subtree setting
    current objects).
    4. Remove an ACE from the DACL.
    5. Interpret the AD Constants / hex values and output the ACE Types & Flags
    into something the end-user admin will understand.
    Example: ADS_RIGHT_GENERIC_READ = &H80000000. Most AD admins don't have a
    clue what the hex value means, so we'll need to at least output the Constant
    name for them.

    Modifying DACLs is needed very soon. SACL modifications will likely be
    needed in the future.

    I'm currently in the process of "digesting" and modifying the sample from a
    current TechNet (02/2004) article: PSS ID Number: 269159

    Hoping that someone has already been through this effort...

    Thanks in advance.
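
Items 2 and 5 of the list above (comparing a saved DACL dump against the current one, and turning access-mask values into constant names) can be sketched as follows. This is an added example, not part of the original post, and it is written in Python rather than VBScript; the `trustee|acetype|aceflags|accessmask` dump format, the function names and the CONTOSO sample ACEs are constructed for illustration.

```python
# ADS_RIGHTS_ENUM bit values as documented for ADSI.
ADS_RIGHTS = {
    0x80000000: "ADS_RIGHT_GENERIC_READ", 0x40000000: "ADS_RIGHT_GENERIC_WRITE",
    0x20000000: "ADS_RIGHT_GENERIC_EXECUTE", 0x10000000: "ADS_RIGHT_GENERIC_ALL",
    0x01000000: "ADS_RIGHT_ACCESS_SYSTEM_SECURITY", 0x00100000: "ADS_RIGHT_SYNCHRONIZE",
    0x00080000: "ADS_RIGHT_WRITE_OWNER", 0x00040000: "ADS_RIGHT_WRITE_DAC",
    0x00020000: "ADS_RIGHT_READ_CONTROL", 0x00010000: "ADS_RIGHT_DELETE",
    0x100: "ADS_RIGHT_DS_CONTROL_ACCESS", 0x80: "ADS_RIGHT_DS_LIST_OBJECT",
    0x40: "ADS_RIGHT_DS_DELETE_TREE", 0x20: "ADS_RIGHT_DS_WRITE_PROP",
    0x10: "ADS_RIGHT_DS_READ_PROP", 0x08: "ADS_RIGHT_DS_SELF",
    0x04: "ADS_RIGHT_ACTRL_DS_LIST", 0x02: "ADS_RIGHT_DS_DELETE_CHILD",
    0x01: "ADS_RIGHT_DS_CREATE_CHILD",
}
ACE_TYPES = {0: "ADS_ACETYPE_ACCESS_ALLOWED", 1: "ADS_ACETYPE_ACCESS_DENIED",
             5: "ADS_ACETYPE_ACCESS_ALLOWED_OBJECT", 6: "ADS_ACETYPE_ACCESS_DENIED_OBJECT"}

def decode_mask(mask):
    """Name every set bit. The mask may arrive as a signed 32-bit Long."""
    mask &= 0xFFFFFFFF  # -2147483648 becomes 0x80000000
    names = [name for bit, name in ADS_RIGHTS.items() if mask & bit]
    unknown = mask & ~sum(ADS_RIGHTS)  # keys are distinct bits, so sum == OR
    if unknown:
        names.append("UNKNOWN_0x%08X" % unknown)
    return names

def parse_dump(text):
    """Parse the constructed format 'trustee|acetype|aceflags|accessmask'."""
    aces = set()
    for line in text.strip().splitlines():
        trustee, ace_type, flags, mask = (f.strip() for f in line.split("|"))
        aces.add((trustee.lower(), int(ace_type, 0), int(flags, 0),
                  int(mask, 0) & 0xFFFFFFFF))
    return aces

def describe(ace):
    """Render one parsed ACE with constant names instead of raw numbers."""
    trustee, ace_type, flags, mask = ace
    return "%s %s flags=0x%02X %s" % (trustee, ACE_TYPES.get(ace_type, "type %d" % ace_type),
                                      flags, "+".join(decode_mask(mask)))

def diff_dacl(old_text, new_text):
    """Return (added, removed) ACE descriptions; ACE order is not compared."""
    old, new = parse_dump(old_text), parse_dump(new_text)
    return sorted(map(describe, new - old)), sorted(map(describe, old - new))

# Constructed sample dumps (not from a real directory).
BASELINE = "CONTOSO\\HelpDesk|0|0x02|0x10\nCONTOSO\\AppAdmins|0|0x00|-2147483648"
CURRENT = "CONTOSO\\HelpDesk|0|0x02|0x30\nCONTOSO\\AppAdmins|0|0x00|0x80000000"
```

Because the comparison is set-based, it reports ACEs that appeared or disappeared but not a change in their order within the DACL. The same mask written as a signed decimal and as hex is treated as equal.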
