LOL. No problem. My new lab here at home is definitely in the experiment
stage. The only part that is set up in a semi-permanent way is my Onkyo
TX-SR601/JVC XL-F215 and Bose 701's so I have music to help set up the
rest. As for the computer stuff I have network cables strung about the
room so it looks like I am having a limbo contest (looking for wire
wraps so I can run them right...). :o)  To add to the madness I added a
new WAP (G type) to add to my B-Type and my other switches/hubs. It was
getting too easy otherwise. :op

To bring this slightly back on topic, here is a copy of the perl script.
Not sure if this is the latest version, but it seems to produce a good
amount of output. :op  Very raw output; if you don't have some idea of
ACLs and ACEs (oh my) already then it may be a trifle overwhelming.
Verbose and debug modes more so, but they give people values for GUIDs and
such, so if they want to generate their own ACEs they can use this tool
to dump one to see what values they need to pump in.

Here is a snippet of a sample:

F:\temp>perl perlchksec.pl cn=anon,d,dc=joehome,dc=com

PerlChkSec V01.00.00pl  Joe Richards ([EMAIL PROTECTED])  June 2002

Control         : 35844
                        ADS_SD_CONTROL_SE_DACL_PRESENT
                        ADS_SD_CONTROL_SE_DACL_AUTO_INHERITED
                        ADS_SD_CONTROL_SE_SACL_AUTO_INHERITED
Group           : JOEHOME\Schema Admins
Owner           : JOEHOME\Domain Admins
Default Owner   : 0
Revision        : 1
  ACE
      Trustee          : JOEHOME\Domain Admins
      Ace Type         : ADS_ACETYPE_ACCESS_ALLOWED
      Ace Flag         : 0
      Access Mask      : 983551
                                ADS_RIGHT_WRITE_OWNER
                                ADS_RIGHT_WRITE_DAC
                                ADS_RIGHT_READ_CONTROL
                                ADS_RIGHT_DELETE
                                ADS_RIGHT_DS_CONTROL_ACCESS
                                ADS_RIGHT_DS_LIST_OBJECT
                                ADS_RIGHT_DS_DELETE_TREE
                                ADS_RIGHT_DS_WRITE_PROP
                                ADS_RIGHT_DS_READ_PROP
                                ADS_RIGHT_DS_SELF
                                ADS_RIGHT_ACTRL_DS_LIST
                                ADS_RIGHT_DS_DELETE_CHILD
                                ADS_RIGHT_DS_CREATE_CHILD
  ACE
      Trustee          : NT AUTHORITY\SYSTEM
      Ace Type         : ADS_ACETYPE_ACCESS_ALLOWED
      Ace Flag         : 0
      Access Mask      : 983551
                                ADS_RIGHT_WRITE_OWNER
                                ADS_RIGHT_WRITE_DAC
                                ADS_RIGHT_READ_CONTROL
                                ADS_RIGHT_DELETE
                                ADS_RIGHT_DS_CONTROL_ACCESS
                                ADS_RIGHT_DS_LIST_OBJECT
                                ADS_RIGHT_DS_DELETE_TREE
                                ADS_RIGHT_DS_WRITE_PROP
                                ADS_RIGHT_DS_READ_PROP
                                ADS_RIGHT_DS_SELF
                                ADS_RIGHT_ACTRL_DS_LIST
                                ADS_RIGHT_DS_DELETE_CHILD
                                ADS_RIGHT_DS_CREATE_CHILD
  ACE
      Trustee          : BUILTIN\Account Operators
      Ace Type         : ADS_ACETYPE_ACCESS_ALLOWED
      Ace Flag         : 0
      Access Mask      : 983551
                                ADS_RIGHT_WRITE_OWNER
                                ADS_RIGHT_WRITE_DAC
                                ADS_RIGHT_READ_CONTROL
                                ADS_RIGHT_DELETE
                                ADS_RIGHT_DS_CONTROL_ACCESS
                                ADS_RIGHT_DS_LIST_OBJECT
                                ADS_RIGHT_DS_DELETE_TREE
                                ADS_RIGHT_DS_WRITE_PROP
                                ADS_RIGHT_DS_READ_PROP
                                ADS_RIGHT_DS_SELF
                                ADS_RIGHT_ACTRL_DS_LIST
                                ADS_RIGHT_DS_DELETE_CHILD
                                ADS_RIGHT_DS_CREATE_CHILD
  ACE
      Trustee          : NT AUTHORITY\SELF
      Ace Type         : ADS_ACETYPE_ACCESS_ALLOWED
      Ace Flag         : 0
      Access Mask      : 131220
                                ADS_RIGHT_READ_CONTROL
                                ADS_RIGHT_DS_LIST_OBJECT
                                ADS_RIGHT_DS_READ_PROP
                                ADS_RIGHT_ACTRL_DS_LIST
  ACE
      Trustee          : NT AUTHORITY\SELF
      Ace Type Flags   : ADS_FLAG_OBJECT_TYPE_PRESENT
      ObjectType       : Change Password
      Ace Type         : ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
      Ace Flag         : 0
      Access Mask      : 256
                                ADS_RIGHT_DS_CONTROL_ACCESS
  ACE
      Trustee          : NT AUTHORITY\SELF
      Ace Type Flags   : ADS_FLAG_OBJECT_TYPE_PRESENT
      ObjectType       : Send As
      Ace Type         : ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
      Ace Flag         : 0
      Access Mask      : 256
                                ADS_RIGHT_DS_CONTROL_ACCESS
  ACE
      Trustee          : NT AUTHORITY\SELF
      Ace Type Flags   : ADS_FLAG_OBJECT_TYPE_PRESENT
      ObjectType       : Receive As
      Ace Type         : ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
      Ace Flag         : 0
      Access Mask      : 256
                                ADS_RIGHT_DS_CONTROL_ACCESS
<SNIPPAGE>



Here is the script:

#******************************************************************************
#* PerlChkSec.PL                                                              *
#*============================================================================*
#* Author : Joe Richards   [EMAIL PROTECTED]                                  *
#* Version: V01.00.00                                                         *
#* Modification History:                                                      *
#*    V01.00.00    2002.06.06  JRICHA34    Original Version                   *
#*----------------------------------------------------------------------------*
#* This file reads AD Object ACL's                                            *
#*----------------------------------------------------------------------------*
#* Notes:                                                                     *
#******************************************************************************
#******************************************************************************



#**************************************************************************
#AccessMask constants
#**************************************************************************
$ADS_RIGHT_GENERIC_READ = 0x80000000;
$ADS_RIGHT_GENERIC_WRITE = 0x40000000;
$ADS_RIGHT_GENERIC_EXECUTE = 0x20000000;
$ADS_RIGHT_GENERIC_ALL = 0x10000000;
$ADS_RIGHT_SYSTEM_SECURITY = 0x1000000;
$ADS_RIGHT_SYNCHRONIZE = 0x100000;
$ADS_RIGHT_WRITE_OWNER = 0x80000;
$ADS_RIGHT_WRITE_DAC = 0x40000;
$ADS_RIGHT_READ_CONTROL = 0x20000;
$ADS_RIGHT_DELETE = 0x10000;
$ADS_RIGHT_DS_CONTROL_ACCESS = 0x100;
$ADS_RIGHT_DS_LIST_OBJECT = 0x80;
$ADS_RIGHT_DS_DELETE_TREE = 0x40;
$ADS_RIGHT_DS_WRITE_PROP = 0x20;
$ADS_RIGHT_DS_READ_PROP = 0x10;
$ADS_RIGHT_DS_SELF = 0x8;
$ADS_RIGHT_ACTRL_DS_LIST = 0x4;
$ADS_RIGHT_DS_DELETE_CHILD = 0x2;
$ADS_RIGHT_DS_CREATE_CHILD = 0x1;
$FULL_CONTROL = -1;    # This isn't right...


#**************************************************************************
#AceType constants
#**************************************************************************
$ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 0x8;
$ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 0x7;
$ADS_ACETYPE_ACCESS_DENIED_OBJECT = 0x6;
$ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5;
$ADS_ACETYPE_SYSTEM_AUDIT = 0x2;
$ADS_ACETYPE_ACCESS_DENIED = 0x1;
$ADS_ACETYPE_ACCESS_ALLOWED = 0x0;

#**************************************************************************
#AceFlags constants
#**************************************************************************
$ADS_ACEFLAG_FAILED_ACCESS = 0x80;
$ADS_ACEFLAG_SUCCESSFUL_ACCESS = 0x40;
$ADS_ACEFLAG_VALID_INHERIT_FLAGS = 0x1F;
$ADS_ACEFLAG_INHERITED_ACE = 0x10;
$ADS_ACEFLAG_INHERIT_ONLY_ACE = 0x8;
$ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = 0x4;
$ADS_ACEFLAG_INHERIT_ACE = 0x2;

#**************************************************************************
#Security Descriptor constants
#**************************************************************************
$ADS_SD_CONTROL_SE_OWNER_DEFAULTED = 0x1;
$ADS_SD_CONTROL_SE_GROUP_DEFAULTED = 0x2;
$ADS_SD_CONTROL_SE_DACL_PRESENT = 0x4;
$ADS_SD_CONTROL_SE_DACL_DEFAULTED = 0x8;
$ADS_SD_CONTROL_SE_SACL_PRESENT = 0x10;
$ADS_SD_CONTROL_SE_SACL_DEFAULTED = 0x20;
$ADS_SD_CONTROL_SE_DACL_AUTO_INHERIT_REQ = 0x100;
$ADS_SD_CONTROL_SE_SACL_AUTO_INHERIT_REQ = 0x200;
$ADS_SD_CONTROL_SE_DACL_AUTO_INHERITED = 0x400;
$ADS_SD_CONTROL_SE_SACL_AUTO_INHERITED = 0x800;
$ADS_SD_CONTROL_SE_DACL_PROTECTED = 0x1000;
$ADS_SD_CONTROL_SE_SACL_PROTECTED = 0x2000;

#**************************************************************************
#Flags constants
#**************************************************************************
$ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = 0x2;
$ADS_FLAG_OBJECT_TYPE_PRESENT = 0x1;





#**************************************************************************
#MAIN
#**************************************************************************
use Win32::OLE;
use Win32::OLE::Enum;

%schemaids=();        # schemaIDGUID (lower-case hex, no braces/dashes) -> lDAPDisplayName
%propertysetids=();   # rightsGuid (same form) -> displayName of the extended right/property set
$debug=0;
$verbose=0;

print "\nPerlChkSec V01.00.00pl  Joe Richards ([EMAIL PROTECTED])  June 2002\n\n";

$obj=shift;           # DN of the object whose security descriptor is dumped

if (grep(/\/debug/i,@ARGV))
 {
  $debug=1;
 }

if (grep(/\/verbose/i,@ARGV))
 {
  $verbose=1;
 }


if ($debug) {print "Debugging enabled...\n"};


if (!$obj)
 {
  print "Usage PerlChkSec RFC1779_Object_Name [/verbose] [/debug]\n";
  exit;
 }

# RootDSE supplies the DC name (handed to sidtoname) and the schema and
# configuration naming contexts (searched by LoadSchema to resolve GUIDs).
$adsrootdse=Win32::OLE->GetObject("LDAP://RootDse") or die("RootDSE: ".Win32::OLE->LastError()."\n");
$dnshostname=$adsrootdse->Get("dnsHostName");
$SchemaPath=$adsrootdse->Get("schemaNamingContext");
$ConfigurationPath=$adsrootdse->Get("configurationNamingContext");

$adobject = "LDAP://$obj";

$oComputer = Win32::OLE->GetObject($adobject) or die("Couldn't bind to $adobject: ".Win32::OLE->LastError()."\n");
$sd = $oComputer->ntSecurityDescriptor;
$control=$sd->Control;
print "Control         : $control\n";

if ($control & $ADS_SD_CONTROL_SE_OWNER_DEFAULTED) {print "\t\t\tADS_SD_CONTROL_SE_OWNER_DEFAULTED\n"};
if ($control & $ADS_SD_CONTROL_SE_GROUP_DEFAULTED) {print "\t\t\tADS_SD_CONTROL_SE_GROUP_DEFAULTED\n"};
if ($control & $ADS_SD_CONTROL_SE_DACL_PRESENT) {print "\t\t\tADS_SD_CONTROL_SE_DACL_PRESENT\n"};
if ($control & $ADS_SD_CONTROL_SE_DACL_DEFAULTED) {print "\t\t\tADS_SD_CONTROL_SE_DACL_DEFAULTED\n"};
if ($control & $ADS_SD_CONTROL_SE_SACL_PRESENT) {print "\t\t\tADS_SD_CONTROL_SE_SACL_PRESENT\n"};
if ($control & $ADS_SD_CONTROL_SE_SACL_DEFAULTED) {print "\t\t\tADS_SD_CONTROL_SE_SACL_DEFAULTED\n"};
if ($control & $ADS_SD_CONTROL_SE_DACL_AUTO_INHERIT_REQ) {print "\t\t\tADS_SD_CONTROL_SE_DACL_AUTO_INHERIT_REQ\n"};
if ($control & $ADS_SD_CONTROL_SE_SACL_AUTO_INHERIT_REQ) {print "\t\t\tADS_SD_CONTROL_SE_SACL_AUTO_INHERIT_REQ\n"};
if ($control & $ADS_SD_CONTROL_SE_DACL_AUTO_INHERITED) {print "\t\t\tADS_SD_CONTROL_SE_DACL_AUTO_INHERITED\n"};
if ($control & $ADS_SD_CONTROL_SE_SACL_AUTO_INHERITED) {print "\t\t\tADS_SD_CONTROL_SE_SACL_AUTO_INHERITED\n"};
if ($control & $ADS_SD_CONTROL_SE_DACL_PROTECTED) {print "\t\t\tADS_SD_CONTROL_SE_DACL_PROTECTED\n"};
if ($control & $ADS_SD_CONTROL_SE_SACL_PROTECTED) {print "\t\t\tADS_SD_CONTROL_SE_SACL_PROTECTED\n"};

print "Group           : ",$sd->Group,"\n";
print "Owner           : ",$sd->Owner,"\n";
print "Default Owner   : ",$sd->OwnerDefaulted,"\n";
print "Revision        : ",$sd->Revision,"\n";

$dACL = $sd->DiscretionaryAcl;

$dACLEnum = Win32::OLE::Enum->new($dACL);

# One pass per ACE in the DACL; every ACE has exactly one trustee, one
# type and (for object ACEs) one ObjectType / InheritedObjectType GUID.
while ($ace=$dACLEnum->Next)
 {
  print "  ACE\n";
  print "      Trustee          : ";
  $trustee=$ace->trustee;
  # An unresolvable trustee comes back as a raw SID (S-1-...); try the
  # external sidtoname tool against the DC we found in RootDSE.
  if ($trustee=~/s-\d+-\d+/i)
   {
    @output=`sidtoname $trustee $dnshostname 2>&1`;
    chomp @output;
    $o=$output[0];
    if ($o ne "\\") {$trustee="[$o]"};
    if ($verbose) {$trustee="(".$ace->trustee.") - $trustee"};
   }
  print "$trustee\n";

  $AceFlags = $ace->Flags;
  if ($AceFlags & $ADS_FLAG_OBJECT_TYPE_PRESENT)
   {
    print "      Ace Type Flags   : ADS_FLAG_OBJECT_TYPE_PRESENT\n";
    $ObjectType=GetObjectType($ace->ObjectType);
    if ($verbose) {$ObjectType="(".$ace->ObjectType.") - $ObjectType"};
    print "      ObjectType       : $ObjectType\n";
   }
  if ($AceFlags & $ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT)
   {
    print "      Ace Type Flags   : ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT\n";
    $InheritedObjectType=GetObjectType($ace->InheritedObjectType);
    if ($verbose) {$InheritedObjectType="(".$ace->InheritedObjectType.") - $InheritedObjectType"};
    print "      ObjectType       : $InheritedObjectType\n";
   }

  $AceType = $ace->AceType;
  if ($AceType == $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT)
    {$acestring="ADS_ACETYPE_ACCESS_ALLOWED_OBJECT"}
  elsif ($AceType == $ADS_ACETYPE_ACCESS_DENIED_OBJECT)
    {$acestring="ADS_ACETYPE_ACCESS_DENIED_OBJECT"}
  elsif ($AceType == $ADS_ACETYPE_ACCESS_ALLOWED)
    {$acestring="ADS_ACETYPE_ACCESS_ALLOWED"}
  elsif ($AceType == $ADS_ACETYPE_ACCESS_DENIED)   # was a single '=' (assignment), which made every unknown type print as DENIED
    {$acestring="ADS_ACETYPE_ACCESS_DENIED"}
  else
    {$acestring="UNKNOWN TYPE: $AceType"};
  if ($verbose) {$acestring="(".$AceType.") - $acestring"};
  print "      Ace Type         : $acestring\n";

  $aceflags=$ace->aceflags;
  print "      Ace Flag         : $aceflags\n";
  if ($aceflags & $ADS_ACEFLAG_FAILED_ACCESS) {print "\t\t\t\tADS_ACEFLAG_FAILED_ACCESS\n"};
  if ($aceflags & $ADS_ACEFLAG_SUCCESSFUL_ACCESS) {print "\t\t\t\tADS_ACEFLAG_SUCCESSFUL_ACCESS\n"};
  if ($aceflags & $ADS_ACEFLAG_VALID_INHERIT_FLAGS) {print "\t\t\t\tADS_ACEFLAG_VALID_INHERIT_FLAGS\n"};
  if ($aceflags & $ADS_ACEFLAG_INHERITED_ACE) {print "\t\t\t\tADS_ACEFLAG_INHERITED_ACE\n"};
  if ($aceflags & $ADS_ACEFLAG_INHERIT_ONLY_ACE) {print "\t\t\t\tADS_ACEFLAG_INHERIT_ONLY_ACE\n"};
  if ($aceflags & $ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE) {print "\t\t\t\tADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE\n"};
  if ($aceflags & $ADS_ACEFLAG_INHERIT_ACE) {print "\t\t\t\tADS_ACEFLAG_INHERIT_ACE\n"};


  $lmask=$ace->accessmask;
  print "      Access Mask      : $lmask\n";
  if ($lmask == $FULL_CONTROL) {print "\t\t\tFULL_CONTROL\n"};
  if ($lmask & $ADS_RIGHT_GENERIC_READ) {print "\t\t\t\tADS_RIGHT_GENERIC_READ\n"};
  if ($lmask & $ADS_RIGHT_GENERIC_WRITE) {print "\t\t\t\tADS_RIGHT_GENERIC_WRITE\n"};
  if ($lmask & $ADS_RIGHT_GENERIC_EXECUTE) {print "\t\t\t\tADS_RIGHT_GENERIC_EXECUTE\n"};
  if ($lmask & $ADS_RIGHT_GENERIC_ALL) {print "\t\t\t\tADS_RIGHT_GENERIC_ALL\n"};
  if ($lmask & $ADS_RIGHT_SYSTEM_SECURITY) {print "\t\t\t\tADS_RIGHT_SYSTEM_SECURITY\n"};
  if ($lmask & $ADS_RIGHT_SYNCHRONIZE) {print "\t\t\t\tADS_RIGHT_SYNCHRONIZE\n"};
  if ($lmask & $ADS_RIGHT_WRITE_OWNER) {print "\t\t\t\tADS_RIGHT_WRITE_OWNER\n"};
  if ($lmask & $ADS_RIGHT_WRITE_DAC) {print "\t\t\t\tADS_RIGHT_WRITE_DAC\n"};
  if ($lmask & $ADS_RIGHT_READ_CONTROL) {print "\t\t\t\tADS_RIGHT_READ_CONTROL\n"};
  if ($lmask & $ADS_RIGHT_DELETE) {print "\t\t\t\tADS_RIGHT_DELETE\n"};
  if ($lmask & $ADS_RIGHT_DS_CONTROL_ACCESS) {print "\t\t\t\tADS_RIGHT_DS_CONTROL_ACCESS\n"};
  if ($lmask & $ADS_RIGHT_DS_LIST_OBJECT) {print "\t\t\t\tADS_RIGHT_DS_LIST_OBJECT\n"};
  if ($lmask & $ADS_RIGHT_DS_DELETE_TREE) {print "\t\t\t\tADS_RIGHT_DS_DELETE_TREE\n"};
  if ($lmask & $ADS_RIGHT_DS_WRITE_PROP) {print "\t\t\t\tADS_RIGHT_DS_WRITE_PROP\n"};
  if ($lmask & $ADS_RIGHT_DS_READ_PROP) {print "\t\t\t\tADS_RIGHT_DS_READ_PROP\n"};
  if ($lmask & $ADS_RIGHT_DS_SELF) {print "\t\t\t\tADS_RIGHT_DS_SELF\n"};
  if ($lmask & $ADS_RIGHT_ACTRL_DS_LIST) {print "\t\t\t\tADS_RIGHT_ACTRL_DS_LIST\n"};
  if ($lmask & $ADS_RIGHT_DS_DELETE_CHILD) {print "\t\t\t\tADS_RIGHT_DS_DELETE_CHILD\n"};
  if ($lmask & $ADS_RIGHT_DS_CREATE_CHILD) {print "\t\t\t\tADS_RIGHT_DS_CREATE_CHILD\n"};

 }



# Map an ObjectType / InheritedObjectType GUID to a readable name, first
# via the schema (attributes and classes) and then via the extended rights
# and property sets under CN=Extended-Rights.  Both tables are loaded once.
sub GetObjectType
 {
  $ot=shift;
  if ($ot!~/\w/) {return ""};
  $origot=$ot;
  if (!$schemaids{LOADED}) {LoadSchema()};
  $ot=~s/[-{}]//ig;
  $ot=lc($ot);
  $value=$schemaids{$ot};
  if (!$value) {$value=$propertysetids{$ot}};
  if (!$value)
   {
    print "****COULDN'T RESOLVE --- $ot\n";
    return "UNRESOLVEABLE: $origot";
   }
  return $value;
 }

# Populate %schemaids and %propertysetids from adfind output.  adfind prints
# one "dn:..." line per object followed by ">attribute: value" lines.
sub LoadSchema
 {
  $currentdisplayname="";
  $currentschemaid="";
  @output=`adfind -q -b $SchemaPath -s onelevel -f schemaidguid=* schemaidguid ldapdisplayname 2>&1`;
  chomp @output;
  foreach $thisline (@output)
   {
    next unless $thisline=~/\w/;
    next if $thisline=~/using server/i;
    next if $thisline=~/objects returned/i;
    if ($thisline=~/^dn:/i)
     {
      if ($currentdisplayname)
       {
        $currentschemaid=~s/[-{}]//ig;
        $schemaids{lc($currentschemaid)}=$currentdisplayname;
        $currentschemaid="";
        $currentdisplayname="";
       }
     }
    if ($thisline=~/^>ldapdisplayname: (.+)/i) {$currentdisplayname=$1};
    if ($thisline=~/^>schemaidguid: (.+)/i) {$currentschemaid=$1};
   }
  if ($currentdisplayname)
   {
    $currentschemaid=~s/[-{}]//ig;
    $schemaids{lc($currentschemaid)}=$currentdisplayname;
    $currentschemaid="";
    $currentdisplayname="";
   }
  $schemaids{LOADED}=1;

  #
  # Now load property set GUIDs
  #
  $currentdisplayname="";
  $currentrightsid="";
  @output=`adfind -q -b CN=Extended-Rights,$ConfigurationPath -s onelevel -f rightsguid=* rightsguid displayname 2>&1`;
  chomp @output;
  foreach $thisline (@output)
   {
    next unless $thisline=~/\w/;
    next if $thisline=~/using server/i;
    next if $thisline=~/objects returned/i;
    if ($thisline=~/^dn:/i)
     {
      if ($currentdisplayname)
       {
        $currentrightsid=~s/[-{}]//ig;
        $propertysetids{lc($currentrightsid)}=$currentdisplayname;
        $currentrightsid="";
        $currentdisplayname="";
       }
     }
    if ($thisline=~/^>displayname: (.+)/i) {$currentdisplayname=$1};
    if ($thisline=~/^>rightsguid: (.+)/i) {$currentrightsid=$1};
   }
  if ($currentdisplayname)
   {
    $currentrightsid=~s/[-{}]//ig;
    $propertysetids{lc($currentrightsid)}=$currentdisplayname;
    $currentrightsid="";
    $currentdisplayname="";
   }

#  foreach (sort keys %propertysetids) {print "$_\t$propertysetids{$_}\n"};

 }

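As an added example (not part of the original post or of PerlChkSec.pl), the following Python parses the kind of dump the script prints and groups the ACEs per trustee, which makes the point from further down the thread concrete: each ACE carries exactly one trustee, one ACE type and one ObjectType, so a single row in the Security tab ("Change Password" and "Send As" for SELF here) is really several separate ACEs. The right-name table is copied from the script's constants; parse_dump, decode_mask and aces_by_trustee are names chosen here, and SAMPLE is condensed from the dump shown above.

```python
import re
from collections import defaultdict

# Access-mask bit names copied from the constants in PerlChkSec.pl above.
ADS_RIGHTS = {
    0x80000000: "ADS_RIGHT_GENERIC_READ", 0x40000000: "ADS_RIGHT_GENERIC_WRITE",
    0x20000000: "ADS_RIGHT_GENERIC_EXECUTE", 0x10000000: "ADS_RIGHT_GENERIC_ALL",
    0x1000000: "ADS_RIGHT_SYSTEM_SECURITY", 0x100000: "ADS_RIGHT_SYNCHRONIZE",
    0x80000: "ADS_RIGHT_WRITE_OWNER", 0x40000: "ADS_RIGHT_WRITE_DAC",
    0x20000: "ADS_RIGHT_READ_CONTROL", 0x10000: "ADS_RIGHT_DELETE",
    0x100: "ADS_RIGHT_DS_CONTROL_ACCESS", 0x80: "ADS_RIGHT_DS_LIST_OBJECT",
    0x40: "ADS_RIGHT_DS_DELETE_TREE", 0x20: "ADS_RIGHT_DS_WRITE_PROP",
    0x10: "ADS_RIGHT_DS_READ_PROP", 0x8: "ADS_RIGHT_DS_SELF",
    0x4: "ADS_RIGHT_ACTRL_DS_LIST", 0x2: "ADS_RIGHT_DS_DELETE_CHILD",
    0x1: "ADS_RIGHT_DS_CREATE_CHILD",
}

def decode_mask(mask):
    """Return (names of set rights, high bit first, leftover bits not in the table)."""
    names = [n for bit, n in sorted(ADS_RIGHTS.items(), reverse=True) if mask & bit]
    known = sum(bit for bit in ADS_RIGHTS if mask & bit)
    return names, (mask & ~known) & 0xFFFFFFFF

def parse_dump(text):
    """Turn the 'ACE' blocks of PerlChkSec output into a list of dicts."""
    aces, cur = [], None
    for line in text.splitlines():
        if line.strip() == "ACE":            # every block is exactly one ACE
            cur = {"ObjectType": None}       # None: ACE is not object-specific
            aces.append(cur)
            continue
        m = re.match(r"\s+(Trustee|ObjectType|Ace Type|Access Mask)\s+: (.+)", line)
        if cur is not None and m:
            key, val = m.group(1), m.group(2).strip()
            cur[key] = int(val) if key == "Access Mask" else val
    return aces

def aces_by_trustee(aces):
    """Group ACEs per trustee: what the GUI folds into one row is several ACEs."""
    groups = defaultdict(list)
    for ace in aces:
        groups[ace["Trustee"]].append(ace)
    return dict(groups)

# Constructed input: three NT AUTHORITY\SELF blocks condensed from the sample dump above.
SAMPLE = r"""
  ACE
      Trustee          : NT AUTHORITY\SELF
      Ace Type         : ADS_ACETYPE_ACCESS_ALLOWED
      Access Mask      : 131220
  ACE
      Trustee          : NT AUTHORITY\SELF
      ObjectType       : Change Password
      Ace Type         : ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
      Access Mask      : 256
  ACE
      Trustee          : NT AUTHORITY\SELF
      ObjectType       : Send As
      Ace Type         : ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
      Access Mask      : 256
"""

if __name__ == "__main__":
    for trustee, group in aces_by_trustee(parse_dump(SAMPLE)).items():
        print(trustee, [(a["ObjectType"], decode_mask(a["Access Mask"])[0]) for a in group])
```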


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Sunday, August 17, 2003 2:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Scripting ACEs


Thanks heaps for the information. I'll dig around for your script or a
VBS version that I seem to recall seeing a while ago.

Good luck with your entropy experiment :-)

Hunter 

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED] 
Sent: Saturday, August 16, 2003 8:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting ACEs

The way ACEs work, you should have two ACEs either way; it is simply
how the GUI is interpreting them. If you look at the ACE and ACL structures
in MSDN you will see that each ACE can only have a single Principal,
access type, and attribute specified. More than likely the way the ACEs
are being ordered when the GUI does it matches a profile it sets up for
decoding them. If you do it from the GUI and then dump from a script you
should be able to duplicate the ordering if that is what you would like
to do. I believe I posted a perl script to ms.public.adsi.general once
or twice that will dump out the ACEs for the ACL of an object
specifically to help determine the ACEs and ordering put together by
the GUI. Google that group for it if you want it, otherwise you can send
me a separate email and I will try to go dig it up at some point for
you. I am a bit in disarray right now as we just went through the
power outage, plus I am in the middle of moving and at work am buried in
E2K "stuff". I don't know where anything is right now. :op

  joe



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, August 14, 2003 12:44 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting ACEs


I'm seeing a discrepancy between setting ACEs through the GUI (Security
tab on an object) and setting them through a script. If I go into the
Security Tab on an OU and set a Deny ACE for some global group on
"Change Password" and "Reset Password" for User objects, I end up with a
single Deny ACE for those two operations. However, if I script it, I
seem to end up with two Deny ACEs, one for "Change Password" and a
second, separate one for "Reset Password."

I'm only setting a single objectType on the scripted ACE at this point,
and having to repeat that code to set the second objectType. Is there a
way to specify multiple objectTypes, or am I stuck with a larger DACL if
I script the ACEs?

Thanks,
Hunter
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
