AD DACL Functions: Sort, Compare, Add ACE, Delete ACE
From: Todd Johnson (tjohnson_at_cgisenior.com)
Date: Mon, 1 Mar 2004 15:57:25 -0600
We're developing a web app that uses in-house created, custom AD objects and
are in need of several AD DACL modification & sanity check functions.
I've seen various samples from MSDN, TechNet, etc that can Add/Remove/Sort
ACEs in a DACL but there seems to be no comprehensive Microsoft utilities /
functions / samples to do this.
I'm familiar with ADSI and AD programming using VB & VBScript, but just
don't have the time to interpret all the various samples, documentation, etc
and develop the solution in the next couple of days.
I need to be able to perform the following functions repetitively in a
vbscript-based (asp, wsh, etc) administrative app:
1. Read/List/Dump ACE entries in a DACL for several object types (OUs,
users, groups, custom objects)
2. A "windiff-like" compare for previous object DACL dumps to current
DACLs. For "sanity checks" or AD security verifications.
3. Set an ACE in the DACL (properly sorted and walk the subtree setting
4. Remove an ACE from the DACL.
5. Interpret the AD Constants / hex values and output the ACE Types & Flags
into something the end-user admin will understand.
Example: ADS_RIGHT_GENERIC_READ = &H80000000. Most AD admins don't have a
clue what the hex value means, so we'll need at least output the Constant
name for them.
Modifying DACLs is needed very soon. SACL modifications will likely be
needed in the future.
I'm currently in the process of "digesting" and modifying the sample from a
current TechNet (02/2004) article: PSS ID Number: 269159
Hoping that someone has already been through this effort...
Thanks in advance.
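An added example covering the five functions the post lists (dump, diff, sorted set, remove, and decoding the ADS_RIGHT_* hex values). This is not code from the post or from Microsoft's KB sample; it uses the documented ADSI objects (IADsSecurityDescriptor, IADsAccessControlList, IADsAccessControlEntry) and the Scripting runtime. Assumptions: it runs under WSH (WScript.Echo; use Response.Write in ASP), the caller has write access to the target, the DN and dump-file path are placeholders, and the canonical order it rebuilds (explicit deny, explicit deny-object, explicit allow, explicit allow-object, then inherited ACEs kept in their existing order) is the ordering this example assumes Windows requires for DS ACLs.

```vbscript
Option Explicit
' Added example, not the post's or Microsoft's code. Access-mask bits follow
' ADS_RIGHTS_ENUM. &H80000000 is a negative Long in VBScript, which is fine
' because AccessMask is a signed Long too.
Dim RightNames, RightBits
RightNames = Array("ADS_RIGHT_DS_CREATE_CHILD", "ADS_RIGHT_DS_DELETE_CHILD", _
  "ADS_RIGHT_ACTRL_DS_LIST", "ADS_RIGHT_DS_SELF", "ADS_RIGHT_DS_READ_PROP", _
  "ADS_RIGHT_DS_WRITE_PROP", "ADS_RIGHT_DS_DELETE_TREE", "ADS_RIGHT_DS_LIST_OBJECT", _
  "ADS_RIGHT_DS_CONTROL_ACCESS", "ADS_RIGHT_DELETE", "ADS_RIGHT_READ_CONTROL", _
  "ADS_RIGHT_WRITE_DAC", "ADS_RIGHT_WRITE_OWNER", "ADS_RIGHT_GENERIC_ALL", _
  "ADS_RIGHT_GENERIC_EXECUTE", "ADS_RIGHT_GENERIC_WRITE", "ADS_RIGHT_GENERIC_READ")
RightBits = Array(&H1, &H2, &H4, &H8, &H10, &H20, &H40, &H80, &H100, &H10000, _
  &H20000, &H40000, &H80000, &H10000000, &H20000000, &H40000000, &H80000000)
Const ADS_ACEFLAG_INHERITED_ACE = &H10

' Item 5: turn a raw AccessMask into ADS_RIGHT_* names an admin can read.
Function DecodeMask(mask)
  Dim i, names
  names = ""
  For i = 0 To UBound(RightBits)
    If (mask And RightBits(i)) = RightBits(i) Then names = names & RightNames(i) & "|"
  Next
  If names = "" Then DecodeMask = "NONE" Else DecodeMask = Left(names, Len(names) - 1)
End Function

Function AceTypeName(t)
  Select Case t
    Case 0: AceTypeName = "ACCESS_ALLOWED"
    Case 1: AceTypeName = "ACCESS_DENIED"
    Case 5: AceTypeName = "ACCESS_ALLOWED_OBJECT"
    Case 6: AceTypeName = "ACCESS_DENIED_OBJECT"
    Case Else: AceTypeName = "ACETYPE_&H" & Hex(t)
  End Select
End Function

' One text line per ACE; identical ACEs give identical lines, so dumps can be diffed.
Function AceToText(ace)
  AceToText = AceTypeName(ace.AceType) & ";flags=&H" & Hex(ace.AceFlags) & ";" & _
    ace.Trustee & ";" & DecodeMask(ace.AccessMask) & _
    ";obj=" & ace.ObjectType & ";inhobj=" & ace.InheritedObjectType
End Function

' Item 1: dump the DACL of one object into a Dictionary keyed by ACE text.
Function DumpDacl(dn)
  Dim obj, sd, ace, dict
  Set dict = CreateObject("Scripting.Dictionary")
  Set obj = GetObject("LDAP://" & dn)
  Set sd = obj.Get("ntSecurityDescriptor")
  For Each ace In sd.DiscretionaryAcl
    If Not dict.Exists(AceToText(ace)) Then dict.Add AceToText(ace), True
  Next
  Set DumpDacl = dict
End Function

' Load an earlier dump saved as one ACE line per file line.
Function LoadDump(path)
  Dim fso, f, dict, line
  Set dict = CreateObject("Scripting.Dictionary")
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set f = fso.OpenTextFile(path, 1)
  Do Until f.AtEndOfStream
    line = Trim(f.ReadLine)
    If line <> "" And Not dict.Exists(line) Then dict.Add line, True
  Loop
  f.Close
  Set LoadDump = dict
End Function

' Item 2: windiff-style compare. "-" = gone since the old dump, "+" = new ACE.
Sub CompareDumps(oldDict, newDict)
  Dim k
  For Each k In oldDict.Keys
    If Not newDict.Exists(k) Then WScript.Echo "- " & k
  Next
  For Each k In newDict.Keys
    If Not oldDict.Exists(k) Then WScript.Echo "+ " & k
  Next
End Sub

' Ordering pass for canonical DACL layout (assumed order, see lead-in).
Function AcePass(ace)
  If (ace.AceFlags And ADS_ACEFLAG_INHERITED_ACE) <> 0 Then
    AcePass = 5
  Else
    Select Case ace.AceType
      Case 1: AcePass = 1      ' explicit ACCESS_DENIED
      Case 6: AcePass = 2      ' explicit ACCESS_DENIED_OBJECT
      Case 0: AcePass = 3      ' explicit ACCESS_ALLOWED
      Case Else: AcePass = 4   ' explicit ACCESS_ALLOWED_OBJECT and anything else
    End Select
  End If
End Function

' Items 3 and 4: rebuild the DACL in canonical order, adding newAce (or Nothing)
' and dropping every ACE whose AceToText equals removeText (or "" to keep all).
Sub WriteDaclSorted(dn, newAce, removeText)
  Dim obj, sd, oldAcl, newAcl, ace, pass
  Set obj = GetObject("LDAP://" & dn)
  Set sd = obj.Get("ntSecurityDescriptor")
  Set oldAcl = sd.DiscretionaryAcl
  Set newAcl = CreateObject("AccessControlList")
  newAcl.AclRevision = oldAcl.AclRevision
  If Not newAce Is Nothing Then oldAcl.AddAce newAce
  For pass = 1 To 5
    For Each ace In oldAcl
      If AceToText(ace) <> removeText And AcePass(ace) = pass Then newAcl.AddAce ace
    Next
  Next
  sd.DiscretionaryAcl = newAcl
  obj.Put "ntSecurityDescriptor", sd
  obj.SetInfo
End Sub

' Usage (placeholders): diff a saved baseline against the live DACL of an OU.
CompareDumps LoadDump("C:\dumps\ou-baseline.txt"), DumpDacl("OU=Apps,DC=example,DC=com")
```

To add an ACE, create it with CreateObject("AccessControlEntry"), set Trustee, AccessMask, AceType and AceFlags, and pass it as newAce; to remove one, pass the exact line the dump printed for it as removeText. Writing a DACL back through SetInfo replaces the whole list, which is why the sort runs every time: an out-of-order DACL (an allow ahead of a deny) silently changes what the deny achieves, and the dump/diff pair is the check that the write did only what was intended.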