AD DACL Functions: Sort, Compare, Add ACE, Delete ACE

From: Todd Johnson (tjohnson_at_cgisenior.com)
Date: 03/01/04

  • Next message: Oskarsson Mikael: "NTFS rights on a fileserver"
    Date: Mon, 1 Mar 2004 15:57:25 -0600

    We're developing a web app that uses in-house created, custom AD objects and
    are in need of several AD DACL modification & sanity check functions.

    I've seen various samples from MSDN, TechNet, etc. that can Add/Remove/Sort
    ACEs in a DACL but there seems to be no comprehensive Microsoft utilities /
    functions / samples to do this.

    I'm familiar with ADSI and AD programming using VB & VBScript, but just
    don't have the time to interpret all the various samples, documentation, etc.
    and develop the solution in the next couple of days.

    I need to be able to perform the following functions repetitively in a
    vbscript-based (asp, wsh, etc.) administrative app:

    1. Read/List/Dump ACE entries in a DACL for several object types (OUs,
    users, groups, custom objects)
    2. A "windiff-like" compare for previous object DACL dumps to current
    DACLs. For "sanity checks" or AD security verifications.
    3. Set an ACE in the DACL (properly sorted and walk the subtree setting
    current objects).
    4. Remove an ACE from the DACL.
    5. Interpret the AD Constants / hex values and output the ACE Types & Flags
    into something the end-user admin will understand.
    Example: ADS_RIGHT_GENERIC_READ = &H80000000. Most AD admins don't have a
    clue what the hex value means, so we'll need to at least output the Constant
    name for them.

    Modifying DACLs is needed very soon. SACL modifications will likely be
    needed in the future.

    I'm currently in the process of "digesting" and modifying the sample from a
    current TechNet (02/2004) article: PSS ID Number: 269159

    Hoping that someone has already been through this effort...

    Thanks in advance.
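The parts of this request that do not depend on ADSI itself (items 2, 3 and 5 above, plus the add/remove bookkeeping of item 4) can be modelled in a few functions. The following is an added example, not code from the original post, from Microsoft or from the KB 269159 sample: it is written in Python rather than VBScript so it runs offline, and it leaves out the ADSI plumbing (reading IADsSecurityDescriptor.DiscretionaryAcl, IADsAccessControlList.AddAce/RemoveAce, SetInfo, and the subtree walk). Each ACE is a plain record carrying the fields IADsAccessControlEntry exposes (Trustee, AccessMask, AceType, AceFlags, ObjectType). The ADS_RIGHT_*, ADS_ACETYPE_* and ADS_ACEFLAG_* values are the documented ADSI constants; the sample DACL, the EXAMPLE\ trustees and the "{property-set-guid}" placeholder are constructed for illustration. The ordering rule is the canonical one Microsoft documents for AD DACLs: explicit deny, explicit deny-object, explicit allow, explicit allow-object, then inherited ACEs in the order they arrived.

```python
"""Sort, decode, add, remove and diff ACEs from an AD object's DACL.

Added example (not from the original post). ADSI calls are left out; an ACE is
a plain record with the fields IADsAccessControlEntry exposes.
"""
from collections import namedtuple

ACE = namedtuple("ACE", "trustee mask ace_type flags object_type")

# ADS_RIGHTS_ENUM: bit -> constant name (the table item 5 of the post asks for)
RIGHTS = {
    0x00000001: "ADS_RIGHT_DS_CREATE_CHILD", 0x00000002: "ADS_RIGHT_DS_DELETE_CHILD",
    0x00000004: "ADS_RIGHT_ACTRL_DS_LIST",   0x00000008: "ADS_RIGHT_DS_SELF",
    0x00000010: "ADS_RIGHT_DS_READ_PROP",    0x00000020: "ADS_RIGHT_DS_WRITE_PROP",
    0x00000040: "ADS_RIGHT_DS_DELETE_TREE",  0x00000080: "ADS_RIGHT_DS_LIST_OBJECT",
    0x00000100: "ADS_RIGHT_DS_CONTROL_ACCESS",
    0x00010000: "ADS_RIGHT_DELETE",          0x00020000: "ADS_RIGHT_READ_CONTROL",
    0x00040000: "ADS_RIGHT_WRITE_DAC",       0x00080000: "ADS_RIGHT_WRITE_OWNER",
    0x00100000: "ADS_RIGHT_SYNCHRONIZE",     0x01000000: "ADS_RIGHT_ACCESS_SYSTEM_SECURITY",
    0x10000000: "ADS_RIGHT_GENERIC_ALL",     0x20000000: "ADS_RIGHT_GENERIC_EXECUTE",
    0x40000000: "ADS_RIGHT_GENERIC_WRITE",   0x80000000: "ADS_RIGHT_GENERIC_READ",
}
# ADS_ACETYPE_ENUM values that occur in a DACL (audit types live in the SACL)
ACE_TYPES = {0: "ADS_ACETYPE_ACCESS_ALLOWED", 1: "ADS_ACETYPE_ACCESS_DENIED",
             5: "ADS_ACETYPE_ACCESS_ALLOWED_OBJECT", 6: "ADS_ACETYPE_ACCESS_DENIED_OBJECT"}
# ADS_ACEFLAG_ENUM bits
ACE_FLAGS = {0x02: "ADS_ACEFLAG_INHERIT_ACE", 0x04: "ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE",
             0x08: "ADS_ACEFLAG_INHERIT_ONLY_ACE", 0x10: "ADS_ACEFLAG_INHERITED_ACE"}
INHERITED = 0x10


def _decode_bits(value, table):
    """Turn a bit mask into constant names; bits not in the table are kept as hex."""
    value &= 0xFFFFFFFF  # VBScript Longs are signed: &H80000000 arrives as -2147483648
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)  # keys are distinct bits, so their sum is their OR
    if rest:
        names.append("0x%08X" % rest)
    return names

def decode_mask(mask):
    return _decode_bits(mask, RIGHTS)

def decode_flags(flags):
    return _decode_bits(flags, ACE_FLAGS)

def describe(ace):
    """One admin-readable line per ACE; this is the dump format that gets diffed."""
    return "%s | %s | %s | %s | %s" % (
        ace.trustee, ACE_TYPES.get(ace.ace_type, "AceType %d" % ace.ace_type),
        ",".join(decode_flags(ace.flags)) or "-",
        ",".join(decode_mask(ace.mask)), ace.object_type or "-")

def _bucket(ace):
    """Canonical DACL order: explicit deny, explicit deny-object, explicit allow,
    explicit allow-object, then inherited ACEs (kept in their existing order)."""
    if ace.flags & INHERITED:
        return 4
    return {1: 0, 6: 1, 0: 2, 5: 3}.get(ace.ace_type, 3)

def canonical_sort(dacl):
    return sorted(dacl, key=_bucket)  # sorted() is stable, so inherited order survives

def is_canonical(dacl):
    buckets = [_bucket(a) for a in dacl]
    return buckets == sorted(buckets)

def add_ace(dacl, ace):
    """Return a new, canonically ordered DACL that contains ace exactly once."""
    return canonical_sort(list(dacl) if ace in dacl else list(dacl) + [ace])

def remove_ace(dacl, trustee, ace_type, mask):
    """Drop every explicit ACE matching (trustee, type, mask); inherited ACEs
    cannot be removed here, they must be changed on the parent."""
    mask &= 0xFFFFFFFF
    return [a for a in dacl if a.flags & INHERITED or not (
        a.trustee == trustee and a.ace_type == ace_type and (a.mask & 0xFFFFFFFF) == mask)]

def diff_dacls(old, new):
    """windiff-style comparison of two dumps: (added_lines, removed_lines)."""
    before, after = set(map(describe, old)), set(map(describe, new))
    return sorted(after - before), sorted(before - after)

# Constructed sample DACL, deliberately out of canonical order; trustees and GUID are placeholders.
SAMPLE_DACL = [
    ACE("EXAMPLE\\Domain Admins", 0x000F01FF, 0, 0x02, None),            # full control, inheritable
    ACE("NT AUTHORITY\\Authenticated Users", 0x00020094, 0, 0x00, None),  # read-type rights
    ACE("EXAMPLE\\Helpdesk", 0x00000020, 5, 0x02, "{property-set-guid}"), # write one property set
    ACE("EXAMPLE\\Contractors", 0x00000040, 1, 0x00, None),               # deny Delete Subtree
    ACE("EXAMPLE\\Enterprise Admins", 0x000F01FF, 0, 0x12, None),         # inherited from parent
]

if __name__ == "__main__":
    ordered = canonical_sort(SAMPLE_DACL)
    for entry in ordered:
        print(describe(entry))
    changed = add_ace(ordered, ACE("EXAMPLE\\WebApp", 0x80000000, 0, 0x02, None))
    print(diff_dacls(ordered, changed))
```

Two caveats carry over to the VBScript version: IADsAccessControlList.AddAce appends, so the caller has to rebuild the list in canonical order (as above) before SetInfo, or the deny ACE will not win; and because AccessMask comes back as a signed Long, compare masks after masking with &HFFFFFFFF or the GENERIC_READ entry will never match.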

