Yes, it's posted http://www.rallenhome.com/books/adcookbook/src/PerlChkSec.pls.txt
Thanks for the tip. I guess I'm gonna have to break down and install Perl.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 16, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript
You know, I think Robbie might have posted that perl script mentioned below on his site as well under the Cookbook scripts link.
-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 16, 2004 10:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript
Ok, those are AD permission changes, in the config container. You will be manipulating the actual AD sd, not any special exchange sd's, at least I am pretty sure, never dorked with them personally but play a guy on TV who does....

I will scrub the script for full mailbox access and post it.

Also go back in time and look for a perl script I posted here for how to retrieve the binary values for ACLs. You can capture what an ACL looks like on an object you want to change, manually do one by hand your normal way, then recheck what the binary values are so you can script the change. It is how I tend to do it.

I will also look for some code that does generic AD changes so you can see that. It is really fairly easy once you know what values to stick in.
-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
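The "capture the ACL, change it by hand, recapture, then script the difference" method described above, as an added VBScript example (this is not joe's perl script or anything from joeware, and not code from the thread). It reads the ntSecurityDescriptor of any AD object, for instance an address list under the Configuration container, writes one normalised line per ACE to a snapshot file, and, when given an earlier snapshot, prints the ACEs that were added or removed. The script name, the DN and the file names in the usage line are placeholders.

```vbscript
' Added example (not from the thread): snapshot the DACL of an AD object as
' one comparable line per ACE and diff it against an earlier snapshot.
' Run it before a manual permission change in ESM/ADSIedit and again after;
' the delta is exactly the ACE (trustee, mask, flags, object GUIDs) to script.
' Usage: cscript sddiff.vbs "<objectDN>" <snapshot.txt> [<previous.txt>]
' (script name, DN and file names are placeholders)
Option Explicit

Const ForReading = 1, ForWriting = 2
Const ADS_FLAG_OBJECT_TYPE_PRESENT = 1
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = 2

' One comparable line per ACE. The ObjectType/InheritedObjectType GUIDs only
' mean something when the matching bit in ace.Flags is set, so blank them
' otherwise; that stops snapshots differing on stale GUID strings.
Function AceKey(ace)
  Dim ot, iot
  ot = "": iot = ""
  If (ace.Flags And ADS_FLAG_OBJECT_TYPE_PRESENT) <> 0 Then ot = LCase(ace.ObjectType)
  If (ace.Flags And ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT) <> 0 Then iot = LCase(ace.InheritedObjectType)
  AceKey = LCase(ace.Trustee) & "|type=" & ace.AceType & "|mask=0x" & Hex(ace.AccessMask) & _
           "|aceflags=" & ace.AceFlags & "|flags=" & ace.Flags & "|ot=" & ot & "|iot=" & iot
End Function

' Read ntSecurityDescriptor and return a Dictionary of ACE line -> count.
' A count rather than a boolean, so duplicate ACEs are not silently merged.
Function SnapshotDacl(dn)
  Dim obj, sd, ace, d, k
  Set d = CreateObject("Scripting.Dictionary")
  Set obj = GetObject("LDAP://" & dn)
  Set sd = obj.Get("ntSecurityDescriptor")   ' IADsSecurityDescriptor
  For Each ace In sd.DiscretionaryAcl        ' IADsAccessControlList
    k = AceKey(ace)
    If d.Exists(k) Then d(k) = d(k) + 1 Else d.Add k, 1
  Next
  Set SnapshotDacl = d
End Function

Function LoadSnapshot(path)
  Dim fso, f, d, k
  Set d = CreateObject("Scripting.Dictionary")
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set f = fso.OpenTextFile(path, ForReading)
  Do Until f.AtEndOfStream
    k = f.ReadLine
    If Len(k) > 0 Then
      If d.Exists(k) Then d(k) = d(k) + 1 Else d.Add k, 1
    End If
  Loop
  f.Close
  Set LoadSnapshot = d
End Function

Sub SaveSnapshot(d, path)
  Dim fso, f, k, i
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set f = fso.OpenTextFile(path, ForWriting, True)
  For Each k In d.Keys
    For i = 1 To d(k)
      f.WriteLine k
    Next
  Next
  f.Close
End Sub

' Print every ACE line that occurs more often in a than in b.
Sub PrintDelta(label, a, b)
  Dim k, have
  For Each k In a.Keys
    have = 0
    If b.Exists(k) Then have = b(k)
    If a(k) > have Then WScript.Echo label & " " & k
  Next
End Sub

Dim args, current, previous
Set args = WScript.Arguments
If args.Count < 2 Then
  WScript.Echo "Usage: cscript sddiff.vbs <objectDN> <snapshot.txt> [<previous.txt>]"
  WScript.Quit 1
End If

Set current = SnapshotDacl(args(0))
SaveSnapshot current, args(1)
WScript.Echo current.Count & " distinct ACEs written to " & args(1)

If args.Count >= 3 Then
  Set previous = LoadSnapshot(args(2))
  PrintDelta "ADDED  ", current, previous
  PrintDelta "REMOVED", previous, current
End If
```

Take the first snapshot, make the change once in ESM or ADSIedit, then run again naming the first file as the third argument. The ADDED line carries the trustee, the hex mask, the ACE flags and the object-type GUIDs, which is the complete set of values you need to reproduce that ACE with an AccessControlEntry object in a script. Lines that differ only in inherited ACEs (AceFlags with bit 16 set) usually mean the change was made on a parent, not on the object itself.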
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, March 16, 2004 9:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript
Thanks for the link...

In regards to Exchange, I specifically want to be able to:
a) change the permissions on the "All Address Lists" object,
b) create a new address list,
c) change the default permissions on the new address list,
d) change the permissions on the "All Global Address Lists" object,
e) create a new GAL, and
f) change the default permissions on the new GAL

(b) and (e) aren't within the scope of this particular question. :-) I've got (b) and (e) mapped out, but not written. If you have working code --- that would be great to know. :-)

I typically perform these actions from a mixture of ESM and ADSIedit (some of the permissions are not exposed within ESM).

A script to allow full mailbox access would be WONDERFUL. That's another thing I do manually.

Thanks very much,
Michael
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 16, 2004 9:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript
First off let me start with a quick link... This describes the main interface you will use...

Now that being said... You have to be careful with what you are saying when you say Exchange permissions. Do you mean overall mailbox permissions or do you mean folder roles? They are entirely different. For instance a mailbox permission would allow you to say log into the mailbox with a specific ID directly, say like admin access to someone else's mailbox. A folder role allows someone access (Editor/Owner/Reviewer/Etc) to specific folders within a mailbox. If you are doing your perm setting from the advanced exchange tab of DSA.MSC, that is mailbox perms. If doing it from within outlook, that is folder roles.

Here is a little quick and dirty script I can post right now for enumerating a mailbox ACL (mailbox perms). I will see if I can post my script that does mailbox mods to allow someone else full mailbox access. However I will have to scrub some info out of it first. If you actually mean folder roles, let me know as I have some stuff for doing that as well.
' Mailbox-rights bits as they appear in the MailboxRights access mask.
Const ACE_MB_FULL_ACCESS = &h1
Const ACE_MB_ASSOC_EXT_ACCT = &h4 ' This was from stucki and was 5, really should be 4
Const ACE_MB_DELETE_STORAGE = &h10000 ' ADS_RIGHT_DELETE
Const ACE_MB_READ_PERMISSIONS = &h20000 ' ADS_RIGHT_READ_CONTROL
Const ACE_MB_CHANGE_PERMISSIONS = &h40000 ' ADS_RIGHT_WRITE_DAC
Const ACE_MB_TAKE_OWNERSHIP = &h80000 ' ADS_RIGHT_WRITE_OWNER
Const ACE_MB_SYNCRONIZE = &h100000 ' ADS_RIGHT_SYNCHRONIZE

Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACETYPE_ACCESS_DENIED = 1
Const ADS_ACETYPE_SYSTEM_AUDIT = 2
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 7
Const ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 8

'Const ADS_ACEFLAG_INHERIT_ACE = 2 ' This one is wrong - from KB Q310866
' 2 is CONTAINER_INHERIT_ACE (the ACE propagates to children); 16 is
' INHERITED_ACE (this ACE was itself inherited from a parent), which is
' the bit this script tests for.
Const ADS_ACEFLAG_INHERIT_ACE = 16

If WScript.Arguments.Count < 1 Then
  WScript.Echo "Usage: cscript <script>.vbs <distinguishedName of mailbox-enabled user>"
  WScript.Quit 1
End If
userdn = WScript.Arguments.Item(0)

' Get directory user object.
Set objUser = GetObject("LDAP://" & userdn)

' Get the Mailbox security descriptor (SD). MailboxRights is a CDOEXM
' property, so the Exchange System Management Tools must be installed on
' the machine running the script.
Set oSecurityDescriptor = objUser.MailboxRights

' Extract the discretionary access control list (ACL) by using the
' IADsSecurityDescriptor interface.
Set dacl = oSecurityDescriptor.DiscretionaryAcl

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' The following block of code demonstrates how to read all the ACEs on a
' DACL for the Exchange 2000 mailbox.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
WScript.Echo "Here are the existing ACEs in the mailbox's DACL:"

' Enumerate all the access control entries (ACEs) in the ACL using the
' IADsAccessControlList interface, therefore displaying the current
' mailbox rights.
WScript.Echo "Trustee, AccessMask, Access Desc, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"
WScript.Echo "------- ---------- ----------- ------- -------- ----- ---------- -------------------"
WScript.Echo

For Each ace In dacl
  ' Decode the mask one known bit at a time; whatever is left in
  ' leftoveram is a bit this script does not know about.
  accessstr = ""
  accessmask = ace.AccessMask
  leftoveram = accessmask
  If (accessmask And ACE_MB_FULL_ACCESS) = ACE_MB_FULL_ACCESS Then
    accessstr = accessstr & "FC;"
    leftoveram = leftoveram - ACE_MB_FULL_ACCESS
  End If
  If (accessmask And ACE_MB_ASSOC_EXT_ACCT) = ACE_MB_ASSOC_EXT_ACCT Then
    accessstr = accessstr & "ASSOC_EXT;"
    leftoveram = leftoveram - ACE_MB_ASSOC_EXT_ACCT
  End If
  If (accessmask And ACE_MB_DELETE_STORAGE) = ACE_MB_DELETE_STORAGE Then
    accessstr = accessstr & "DELETE_STORAGE;"
    leftoveram = leftoveram - ACE_MB_DELETE_STORAGE
  End If
  If (accessmask And ACE_MB_READ_PERMISSIONS) = ACE_MB_READ_PERMISSIONS Then
    accessstr = accessstr & "READ;"
    leftoveram = leftoveram - ACE_MB_READ_PERMISSIONS
  End If
  If (accessmask And ACE_MB_CHANGE_PERMISSIONS) = ACE_MB_CHANGE_PERMISSIONS Then
    accessstr = accessstr & "CHANGE;"
    leftoveram = leftoveram - ACE_MB_CHANGE_PERMISSIONS
  End If
  If (accessmask And ACE_MB_TAKE_OWNERSHIP) = ACE_MB_TAKE_OWNERSHIP Then
    accessstr = accessstr & "TAKE_OWNERSHIP;"
    leftoveram = leftoveram - ACE_MB_TAKE_OWNERSHIP
  End If
  If (accessmask And ACE_MB_SYNCRONIZE) = ACE_MB_SYNCRONIZE Then
    accessstr = accessstr & "SYNC;"
    leftoveram = leftoveram - ACE_MB_SYNCRONIZE
  End If

  ' Only plain allow/deny ACEs get a label; object-specific and audit
  ' types are printed by number.
  acetypestr = ""
  acetype = ace.AceType
  Select Case acetype
    Case ADS_ACETYPE_ACCESS_ALLOWED
      acetypestr = "GRANT"
    Case ADS_ACETYPE_ACCESS_DENIED
      acetypestr = "DENY"
  End Select

  aceflagstr = "EXPLICIT"
  aceflags = ace.AceFlags
  If (aceflags And ADS_ACEFLAG_INHERIT_ACE) = ADS_ACEFLAG_INHERIT_ACE Then aceflagstr = "INHERITED"

  If leftoveram > 0 Then WScript.Echo "----------WARNING----------- All ACE's not decoded on next line"

  ' Display all the properties of the ACEs by using the IADsAccessControlEntry interface.
  WScript.Echo ace.Trustee & ", " & accessmask & "/" & leftoveram & ", " & accessstr & ", " & acetype & " (" & acetypestr & "), " & aceflags & " (" & aceflagstr & "), " & ace.Flags & ", " & ace.ObjectType & ", " & ace.InheritedObjectType
Next
-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
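The companion operation to the enumeration script above, granting a trustee Full Mailbox Access, as an added VBScript example. This is not joe's scrubbed script (which had not been posted at this point in the thread) and not code from joeware; it follows the MailboxRights read-modify-write pattern of KB 310866, which the thread itself refers to, and should be tried in a lab first. The script name, the user DN and the DOMAIN\account in the usage line are placeholders. The mask is the single Full Mailbox Access bit; if the enumeration output in your environment shows that the GUI also sets other bits (for example READ), add those to the mask so scripted and hand-made ACEs compare equal.

```vbscript
' Added example (not from the thread): grant a trustee Full Mailbox Access on
' one mailbox via the CDOEXM MailboxRights property, skip the change if an
' equivalent explicit allow ACE already exists, and re-read the DACL afterwards
' to verify the write actually landed.
' Usage: cscript grantmb.vbs "CN=Some User,OU=Users,DC=example,DC=com" "EXAMPLE\helpdesk"
' (script name, DN, domain and account are placeholders)
Option Explicit

Const ACE_MB_FULL_ACCESS = &h1
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACEFLAG_CONTAINER_INHERIT = 2  ' propagate to children; KB 310866 names this ADS_ACEFLAG_INHERIT_ACE
Const ADS_ACEFLAG_INHERITED_ACE = 16     ' set only on ACEs that came from a parent; never set it on one you add

' True if the DACL already holds an explicit (not inherited) allow ACE for
' the trustee whose mask includes every bit in mask.
Function HasAllowAce(dacl, who, mask)
  Dim ace
  HasAllowAce = False
  For Each ace In dacl
    If ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED Then
      If LCase(ace.Trustee) = LCase(who) Then
        If (ace.AceFlags And ADS_ACEFLAG_INHERITED_ACE) = 0 Then
          If (ace.AccessMask And mask) = mask Then HasAllowAce = True
        End If
      End If
    End If
  Next
End Function

Dim userDn, trustee, objUser, sd, dacl, ace, wanted
If WScript.Arguments.Count < 2 Then
  WScript.Echo "Usage: cscript grantmb.vbs <userDN> <DOMAIN\trustee>"
  WScript.Quit 1
End If
userDn = WScript.Arguments.Item(0)
trustee = WScript.Arguments.Item(1)
wanted = ACE_MB_FULL_ACCESS

Set objUser = GetObject("LDAP://" & userDn)
Set sd = objUser.MailboxRights       ' CDOEXM: needs Exchange System Management Tools on this machine
Set dacl = sd.DiscretionaryAcl

If HasAllowAce(dacl, trustee, wanted) Then
  WScript.Echo trustee & " already has full mailbox access on " & userDn & "; nothing to do."
  WScript.Quit 0
End If

' Build the new ACE. AddAce appends, which keeps the DACL in canonical
' order only because this is an ALLOW ACE; a DENY ACE must go before the
' allows, so do not add one this way.
Set ace = CreateObject("AccessControlEntry")
ace.Trustee = trustee
ace.AccessMask = wanted
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED
ace.AceFlags = ADS_ACEFLAG_CONTAINER_INHERIT
dacl.AddAce ace

' Write the modified DACL back through the SD. Wrapping the SD in Array()
' is the write-back form shown in KB 310866 for MailboxRights.
sd.DiscretionaryAcl = dacl
objUser.MailboxRights = Array(sd)
objUser.SetInfo

' Verify by re-reading from the directory, exactly as you would re-check
' after a manual change in the GUI.
Set objUser = GetObject("LDAP://" & userDn)
Set sd = objUser.MailboxRights
If HasAllowAce(sd.DiscretionaryAcl, trustee, wanted) Then
  WScript.Echo "Verified: " & trustee & " now has full mailbox access on " & userDn
Else
  WScript.Echo "WARNING: ACE not present after SetInfo; check the Exchange tools install and your own rights"
  WScript.Quit 2
End If
```

Run it under cscript with an account that has Change Permissions on the target mailbox. Trustee matching is done on the string ADSI returns (normally DOMAIN\account; a SID string when the account cannot be resolved), so an unresolvable trustee will never match and the script will add a second ACE rather than detecting the first. That is the same condition the enumeration script surfaces as a raw SID in the Trustee column, and worth cleaning up before bulk runs.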
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, March 16, 2004 8:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Changing ACLs via VBscript
I need to change both file ACLs and Exchange permissions within vbscript (for Windows 2000 and 2003, and Exchange 2000 and 2003).

I know how to do everything I want manually, but the GUI is too slow and error prone for the volume I've got going on...

I've been unable to find a website that discusses doing this, or any online resources to really help.

Does anyone have any suggestions, either online or books?

Thanks.
