First off let me start with a quick link...
 
http://msdn.microsoft.com/library/default.asp?url=
 
This describes the main interface you will use...
 
Now that being said... You have to be careful with what you are saying when you say Exchange permissions. Do you mean overall mailbox permissions or do you mean folder roles? They are entirely different. For instance, a mailbox permission would allow you to, say, log into the mailbox with a specific ID directly, like admin access to someone else's mailbox. A folder role allows someone access (Editor/Owner/Reviewer/etc.) to specific folders within a mailbox. If you are doing your perm setting from the advanced Exchange tab of DSA.MSC, that is mailbox perms. If doing it from within Outlook, that is folder roles.
 
Here is a little quick and dirty script I can post right now for enumerating a mailbox ACL (mailbox perms). I will see if I can post my script that does mailbox mods to allow someone else full mailbox access. However I will have to scrub some info out of it first. If you actually mean folder roles, let me know as I have some stuff for doing that as well.
 
 
 
 
Option Explicit

' Bits that can appear in the MailboxRights access mask.
Const ACE_MB_FULL_ACCESS = &h1
Const ACE_MB_ASSOC_EXT_ACCT = &h4             ' This was from stucki and was 5, really should be 4
Const ACE_MB_DELETE_STORAGE = &h10000         ' ADS_RIGHT_DELETE
Const ACE_MB_READ_PERMISSIONS = &h20000       ' ADS_RIGHT_READ_CONTROL
Const ACE_MB_CHANGE_PERMISSIONS = &h40000     ' ADS_RIGHT_WRITE_DAC
Const ACE_MB_TAKE_OWNERSHIP = &h80000         ' ADS_RIGHT_WRITE_OWNER
Const ACE_MB_SYNCHRONIZE = &h100000           ' ADS_RIGHT_SYNCHRONIZE

' ACE types (ADS_ACETYPE_ENUM).
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACETYPE_ACCESS_DENIED = 1
Const ADS_ACETYPE_SYSTEM_AUDIT = 2
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 7
Const ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 8

'Const ADS_ACEFLAG_INHERIT_ACE = 2        ' This one is wrong - from KB Q310866
' 2 (ADS_ACEFLAG_INHERIT_ACE) means "propagate this ACE to child objects".
' 16 (ADS_ACEFLAG_INHERITED_ACE) is set on an ACE that was inherited from the
' parent, which is the condition we want to report here.
Const ADS_ACEFLAG_INHERITED_ACE = 16

Dim userdn, objUser, oSecurityDescriptor, dacl, ace
Dim accessstr, accessmask, leftoveram, acetypestr, acetype, aceflagstr, aceflags

If WScript.Arguments.Count < 1 Then
  WScript.Echo "Usage: cscript " & WScript.ScriptName & " <distinguishedName of the user>"
  WScript.Quit 1
End If
userdn = WScript.Arguments.Item(0)

' Get directory user object.
Set objUser = GetObject("LDAP://" & userdn)

' Get the mailbox security descriptor (SD). MailboxRights is exposed by the
' CDOEXM extension, so the Exchange System Manager tools must be installed
' on the machine running this script.
Set oSecurityDescriptor = objUser.MailboxRights

' Extract the discretionary access control list (ACL) by using the
' IADsSecurityDescriptor interface.
Set dacl = oSecurityDescriptor.DiscretionaryAcl

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'  The following block of code demonstrates how to read all the ACEs on a
'  DACL for the Exchange 2000 mailbox.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
WScript.Echo "Here are the existing ACEs in the mailbox's DACL:"

' Enumerate all the access control entries (ACEs) in the ACL using the
' IADsAccessControlList interface, thereby displaying the current mailbox rights.
WScript.Echo "Trustee, AccessMask, Access Desc, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"
WScript.Echo "-------  ----------  -----------  -------  --------  -----  ----------  -------------------"
WScript.Echo

For Each ace In dacl
  ' Decode the access mask bit by bit; whatever is left in leftoveram after
  ' the known bits are removed is something this script does not understand.
  accessstr = ""
  accessmask = ace.AccessMask
  leftoveram = accessmask
  If (accessmask And ACE_MB_FULL_ACCESS) = ACE_MB_FULL_ACCESS Then
    accessstr = accessstr & "FC;"
    leftoveram = leftoveram - ACE_MB_FULL_ACCESS
  End If
  If (accessmask And ACE_MB_ASSOC_EXT_ACCT) = ACE_MB_ASSOC_EXT_ACCT Then
    accessstr = accessstr & "ASSOC_EXT;"
    leftoveram = leftoveram - ACE_MB_ASSOC_EXT_ACCT
  End If
  If (accessmask And ACE_MB_DELETE_STORAGE) = ACE_MB_DELETE_STORAGE Then
    accessstr = accessstr & "DELETE_STORAGE;"
    leftoveram = leftoveram - ACE_MB_DELETE_STORAGE
  End If
  If (accessmask And ACE_MB_READ_PERMISSIONS) = ACE_MB_READ_PERMISSIONS Then
    accessstr = accessstr & "READ;"
    leftoveram = leftoveram - ACE_MB_READ_PERMISSIONS
  End If
  If (accessmask And ACE_MB_CHANGE_PERMISSIONS) = ACE_MB_CHANGE_PERMISSIONS Then
    accessstr = accessstr & "CHANGE;"
    leftoveram = leftoveram - ACE_MB_CHANGE_PERMISSIONS
  End If
  If (accessmask And ACE_MB_TAKE_OWNERSHIP) = ACE_MB_TAKE_OWNERSHIP Then
    accessstr = accessstr & "TAKE_OWNERSHIP;"
    leftoveram = leftoveram - ACE_MB_TAKE_OWNERSHIP
  End If
  If (accessmask And ACE_MB_SYNCHRONIZE) = ACE_MB_SYNCHRONIZE Then
    accessstr = accessstr & "SYNC;"
    leftoveram = leftoveram - ACE_MB_SYNCHRONIZE
  End If

  ' Translate the ACE type into a readable label.
  acetype = ace.AceType
  Select Case acetype
    Case ADS_ACETYPE_ACCESS_ALLOWED
      acetypestr = "GRANT"
    Case ADS_ACETYPE_ACCESS_DENIED
      acetypestr = "DENY"
    Case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
      acetypestr = "GRANT_OBJ"
    Case ADS_ACETYPE_ACCESS_DENIED_OBJECT
      acetypestr = "DENY_OBJ"
    Case Else
      acetypestr = "OTHER"
  End Select

  ' Explicit ACEs were set on this mailbox; inherited ones came from the parent.
  aceflagstr = "EXPLICIT"
  aceflags = ace.AceFlags
  If (aceflags And ADS_ACEFLAG_INHERITED_ACE) = ADS_ACEFLAG_INHERITED_ACE Then aceflagstr = "INHERITED"

  ' <> 0 rather than > 0 so a mask with the high (generic) bit set, which VBScript
  ' treats as negative, still triggers the warning.
  If leftoveram <> 0 Then WScript.Echo "----------WARNING----------- Not all access bits decoded on next line"
  ' Display all the properties of the ACE by using the IADsAccessControlEntry interface.
  WScript.Echo ace.Trustee & ", " & accessmask & "/" & leftoveram & ", " & accessstr & ", " & acetype & " (" & acetypestr & "), " & aceflags & " (" & aceflagstr & "), " & ace.Flags & ", " & ace.ObjectType & ", " & ace.InheritedObjectType
Next
 
 
 
-------------
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
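The enumeration above lists every ACE; the natural next step for an audit is to flag the ones that matter. The following is an added example, not code from the original post or from joeware, that reads the same CDOEXM MailboxRights DACL and reports explicit (non-inherited) allow ACEs granting Full Mailbox Access to any trustee other than NT AUTHORITY\SELF, the mailbox owner's default entry. It assumes the trustee for SELF resolves to the English name "NT AUTHORITY\SELF".

```vbscript
Option Explicit
' Added audit example (not part of the original post). Reports explicit
' Full Mailbox Access grants to trustees other than the mailbox owner (SELF).
' Usage: cscript <thisscript>.vbs "CN=user,OU=...,DC=..."
' Assumption: the SELF well-known SID renders as "NT AUTHORITY\SELF".
Const ACE_MB_FULL_ACCESS = &h1
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACEFLAG_INHERITED_ACE = &h10

Function IsUnexpectedFullAccess(ace)
  ' True when the ACE is an explicit (not inherited) allow ACE that carries the
  ' Full Mailbox Access bit for any trustee except the mailbox owner.
  IsUnexpectedFullAccess = False
  If ace.AceType <> ADS_ACETYPE_ACCESS_ALLOWED Then Exit Function
  If (ace.AceFlags And ADS_ACEFLAG_INHERITED_ACE) <> 0 Then Exit Function
  If (ace.AccessMask And ACE_MB_FULL_ACCESS) = 0 Then Exit Function
  If UCase(ace.Trustee) = "NT AUTHORITY\SELF" Then Exit Function
  IsUnexpectedFullAccess = True
End Function

Dim userdn, objUser, dacl, ace, findings
If WScript.Arguments.Count < 1 Then
  WScript.Echo "Usage: cscript " & WScript.ScriptName & " <distinguishedName of the user>"
  WScript.Quit 1
End If
userdn = WScript.Arguments.Item(0)

' Same CDOEXM property the enumeration script uses; requires the Exchange
' System Manager tools on the machine running this script.
Set objUser = GetObject("LDAP://" & userdn)
Set dacl = objUser.MailboxRights.DiscretionaryAcl

findings = 0
For Each ace In dacl
  If IsUnexpectedFullAccess(ace) Then
    findings = findings + 1
    WScript.Echo "REVIEW: " & ace.Trustee & " has explicit Full Mailbox Access on " & userdn
  End If
Next
WScript.Echo findings & " explicit non-SELF Full Mailbox Access grant(s) found."

' Non-zero exit code lets a batch wrapper looping over many DNs collect the
' mailboxes that need a second look.
If findings > 0 Then WScript.Quit 2
```

Inherited ACEs are skipped deliberately: they come from the store or server object and are better reviewed once at that level than repeated for every mailbox.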
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, March 16, 2004 8:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Changing ACLs via VBscript

I need to change both file ACLs and Exchange permissions within vbscript (for Windows 2000 and 2003, and Exchange 2000 and 2003).
 
I know how to do everything I want manually, but the GUI is too slow and error prone for the volume I've got going on...
 
I've been unable to find a website that discusses doing this, or any online resources to really help.
 
Does anyone have any suggestions, either online or books?
 
Thanks.
 
