"They also have fun stuff for obfuscating your scripts so it is tough
for people to read them. I have seen packages that turn your script into
piglatin, morse code, semi-random gibberish, and the scripts still run fine."
You're kidding, right? I've seen well versed perl programmers look at
code and go "WTF?!?!?!?!" Why would one want to obfuscate that
more?
--------------------------------------------------------------
Roger D. Seielstad -
MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, March 19, 2004 10:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

You will like perl... I am a c guy myself. The first time I picked up K&R I sat there going "of course" "of course" "of course" "of course" through the whole book. I had a precursor to that though that made it work so well for me... DEC Macro Assembler on a DEC PDP11 (34 and 84). Little things like the ++ came right straight from commands built into the Macro Assembler and DEC instructions. Actually if I could find my old Macro Asm stuff you would find macros/functions that I had written that made my ASM code very c-like before I actually saw c.

Think of perl as c with really good string manipulation. It is actually easier than c and you don't tend to get bitten as easily nor as hard. And if you want, it isn't too bad to extend perl with c compiled code so if you have that 'thing' you just have to do in c, you can do it, and call it from perl.

Probably the biggest gripe I have against perl that I liked in c was you ALWAYS have to enclose statement blocks in perl, where in c it was only good form. ;o)

I.E.

In perl
if (some condition) {some action};

in c
if (some condition) some action;

If you reverse it the biggest gripe I have against c is that perl has AWESOME regular expression functionality. At first REGEX's scare people. Once you get into them you have a hard time doing without. They have some regex libraries for c but I haven't seen one I really liked yet, not as transparent as perl's regex capability. I missed the HASH (Associative Array) as well until I started getting decent with the STL map<string,string>.

If you use the STL a lot then you will also like perl.

Give it a try, you will be shocked I think.

Oh btw, if you really start liking perl, check out the whole activestate site because they have res kits and gui dev environments and tools for compiling perl code to executable, etc.

They also have fun stuff for obfuscating your scripts so it is tough for people to read them. I have seen packages that turn your script into piglatin, morse code, semi-random gibberish, and the scripts still run fine.

Anyone know if I can get on a plane with a backpack and a laptop backpack? If so I don't need to check baggage. It is the MVP backpack (smallish) and a Dell laptop backpack.

joe

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, March 19, 2004 9:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

Eh, and I wish everything worked with K&R C. :-) 'Twas my primary language for 15 years, and it's still what I "think" in.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of joe
Sent: Friday, March 19, 2004 9:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

See now this is why Microsoft should just install AS Perl by default. I don't want them to buy AS, they can fund them all they want though. I do not want Perl being turned into PerlBasic. I did like Basic at one point... I think that point was 1987 or maybe 1986.

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, March 19, 2004 2:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

Yes, it's posted http://www.rallenhome.com/books/adcookbook/src/PerlChkSec.pls.txt

Thanks for the tip. I guess I'm gonna have to break down and install Perl.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 16, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

You know, I think Robbie might have posted that perl script mentioned below on his site as well under the Cookbook scripts link.

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 16, 2004 10:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

Ok, those are AD permission changes, in the config container. You will be manipulating the actual AD sd, not any special exchange sd's, at least I am pretty sure, never dorked with them personally but play a guy on TV who does....

I will scrub the script for full mailbox access and post it.

Also go back in time and look for a perl script I posted here for how to retrieve the binary values for ACLs. You can capture what an ACL looks like on an object you want to change, manually do one by hand your normal way, then recheck what the binary values are so you can script the change. It is how I tend to do it.

I will also look for some code that does generic AD changes so you can see that. It is really fairly easy once you know what values to stick in.

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, March 16, 2004 9:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

Thanks for the link...

In regards to Exchange, I specifically want to be able to:

a) change the permissions on the "All Address Lists" object,
b) create a new address list,
c) change the default permissions on the new address list,
d) change the permissions on the "All Global Address Lists" object,
e) create a new GAL, and
f) change the default permissions on the new GAL

(b) and (e) aren't within the scope of this particular question. :-)

I've got (b) and (e) mapped out, but not written. If you have working code --- that would be great to know. :-)

I typically perform these actions from a mixture of ESM and ADSIedit (some of the permissions are not exposed within ESM).

A script to allow full mailbox access would be WONDERFUL. That's another thing I do manually.

Thanks very much,
Michael

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 16, 2004 9:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Changing ACLs via VBscript

First off let me start with a quick link...

This describes the main interface you will use...

Now that being said... You have to be careful with what you are saying when you say Exchange permissions. Do you mean overall mailbox permissions or do you mean folder roles. They are entirely different. For instance a mailbox permission would allow you to say log into the mailbox with a specific ID directly, say like admin access to someone else's mailbox. A folder role allows someone access (Editor/Owner/Reviewer/Etc) to specific folders within a mailbox. If you are doing your perm setting from the advanced exchange tab of DSA.MSC, that is mailbox perms. If doing it from within outlook, that is folder roles.

Here is a little quick and dirty script I can post right now for enumerating a mailbox ACL (mailbox perms). I will see if I can post my script that does mailbox mods to allow someone else full mailbox access. However I will have to scrub some info out of it first. If you actually mean folder roles, let me know as I have some stuff for doing that as well.

Const ACE_MB_FULL_ACCESS = &h1
Const ACE_MB_ASSOC_EXT_ACCT = &h4 ' This was from stucki and was 5, really should be 4
Const ACE_MB_DELETE_STORAGE = &h10000 ' ADS_RIGHT_DELETE
Const ACE_MB_READ_PERMISSIONS = &h20000 ' ADS_RIGHT_READ_CONTROL
Const ACE_MB_CHANGE_PERMISSIONS = &h40000 ' ADS_RIGHT_WRITE_DAC
Const ACE_MB_TAKE_OWNERSHIP = &h80000 ' ADS_RIGHT_WRITE_OWNER
Const ACE_MB_SYNCRONIZE=&h100000 ' ADS_RIGHT_SYNCHRONIZE

Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACETYPE_ACCESS_DENIED = 1
Const ADS_ACETYPE_SYSTEM_AUDIT = 2
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = 6
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = 7
Const ADS_ACETYPE_SYSTEM_ALARM_OBJECT = 8

'Const ADS_ACEFLAG_INHERIT_ACE = 2 ' This one is wrong - from KB Q310866
Const ADS_ACEFLAG_INHERIT_ACE = 16

userdn=wscript.arguments.item(0)

' Get directory user object.
Set objUser = GetObject("LDAP://" & userdn)

' Get the Mailbox security descriptor (SD).
Set oSecurityDescriptor = objUser.MailboxRights

' Extract the discretionary access control list (ACL) by using the IADsSecurityDescriptor.
' Interface
Set dacl = oSecurityDescriptor.DiscretionaryAcl

''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
' The following block of code demonstrates how to read all the ACEs on a
' DACL for the Exchange 2000 mailbox.
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
wscript.echo "Here are the existing ACEs in the mailbox's DACL:"

' Enumerate all the access control entries (ACEs) in the ACL using the IADsAccessControlList.
' Interface, therefore, displaying the current mailbox rights.
wscript.echo "Trustee, AccessMask, Access Desc, ACEType, ACEFlags, Flags, ObjectType, InheritedObjectType"
wscript.echo "------- ---------- ----------- ------- -------- ----- ---------- -------------------"
wscript.echo

For Each ace In dacl
    accessstr=""
    accessmask=ace.AccessMask
    leftoveram=accessmask
    if (accessmask AND ACE_MB_FULL_ACCESS)=ACE_MB_FULL_ACCESS then
        accessstr=accessstr+"FC;"
        leftoveram=leftoveram-ACE_MB_FULL_ACCESS
    end if
    if (accessmask AND ACE_MB_ASSOC_EXT_ACCT)=ACE_MB_ASSOC_EXT_ACCT then
        accessstr=accessstr+"ASSOC_EXT;"
        leftoveram=leftoveram-ACE_MB_ASSOC_EXT_ACCT
    end if
    if (accessmask AND ACE_MB_DELETE_STORAGE)=ACE_MB_DELETE_STORAGE then
        accessstr=accessstr+"DELETE_STORAGE;"
        leftoveram=leftoveram-ACE_MB_DELETE_STORAGE
    end if
    if (accessmask AND ACE_MB_READ_PERMISSIONS)=ACE_MB_READ_PERMISSIONS then
        accessstr=accessstr+"READ;"
        leftoveram=leftoveram-ACE_MB_READ_PERMISSIONS
    end if
    if (accessmask AND ACE_MB_CHANGE_PERMISSIONS)=ACE_MB_CHANGE_PERMISSIONS then
        accessstr=accessstr+"CHANGE;"
        leftoveram=leftoveram-ACE_MB_CHANGE_PERMISSIONS
    end if
    if (accessmask AND ACE_MB_TAKE_OWNERSHIP)=ACE_MB_TAKE_OWNERSHIP then
        accessstr=accessstr+"TAKE_OWNERSHIP;"
        leftoveram=leftoveram-ACE_MB_TAKE_OWNERSHIP
    end if
    if (accessmask AND ACE_MB_SYNCRONIZE)=ACE_MB_SYNCRONIZE then
        accessstr=accessstr+"SYNC;"
        leftoveram=leftoveram-ACE_MB_SYNCRONIZE
    end if
    acetypestr=""
    acetype=ace.AceType
    select case acetype
        case ADS_ACETYPE_ACCESS_ALLOWED:
            acetypestr="GRANT"
        case ADS_ACETYPE_ACCESS_DENIED:
            acetypestr="DENY"
    end select
    aceflagstr="EXPLICIT"
    aceflags=ace.AceFlags
    if (aceflags AND ADS_ACEFLAG_INHERIT_ACE)=ADS_ACEFLAG_INHERIT_ACE then aceflagstr="INHERITED"
    if leftoveram>0 then wscript.echo "----------WARNING----------- All ACE's not decoded on next line"
    ' Display all the properties of the ACEs by using the IADsAccessControlEntry interface.
    wscript.echo ace.Trustee & ", " & accessmask & "/" & leftoveram & ", " & accessstr & ","& acetype &" ("&acetypestr & "), " & aceflags & "(" & aceflagstr & "), " & ace.Flags & ", " & ace.ObjectType & ", " & ace.InheritedObjectType
Next

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Tuesday, March 16, 2004 8:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Changing ACLs via VBscript

I need to change both file ACLs and Exchange permissions within vbscript (for Windows 2000 and 2003, and Exchange 2000 and 2003).

I know how to do everything I want manually, but the GUI is too slow and error prone for the volume I've got going on...

I've been unable to find a website that discusses doing this, or any online resources to really help.

Does anyone have any suggestions, either online or books?

Thanks.
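
Added example, not part of the original thread or of any poster's code: the before/after comparison described in the thread (capture an ACL, make the change by hand, recheck the values), done offline in Python over constructed ACE tuples. The bit names mirror the constants in the VBScript above; the trustees, the two snapshot lists and the function names are assumptions made for illustration.

```python
# Added example. Bit names mirror the constants in the thread's VBScript;
# trustees and snapshots below are constructed sample data.
RIGHTS = {
    0x1: "FC", 0x4: "ASSOC_EXT", 0x10000: "DELETE_STORAGE",
    0x20000: "READ", 0x40000: "CHANGE", 0x80000: "TAKE_OWNERSHIP",
    0x100000: "SYNC",
}
ACE_TYPES = {0: "GRANT", 1: "DENY"}
INHERITED_FLAG = 16  # value the thread's script tests AceFlags against

def decode_mask(mask):
    """Return (right names, leftover bits that the table does not name)."""
    names = [name for bit, name in RIGHTS.items() if mask & bit]
    leftover = mask
    for bit in RIGHTS:
        leftover &= ~bit
    return names, leftover

def describe(ace):
    """Render one (trustee, mask, type, flags) tuple as a readable line."""
    trustee, mask, ace_type, flags = ace
    names, leftover = decode_mask(mask)
    origin = "INHERITED" if flags & INHERITED_FLAG else "EXPLICIT"
    kind = ACE_TYPES.get(ace_type, "TYPE_%d" % ace_type)
    line = "%s %s %s [%s]" % (kind, trustee, ";".join(names) or "-", origin)
    if leftover:  # same idea as the script's "not decoded" warning
        line += " UNDECODED=0x%X" % leftover
    return line

def diff_acls(before, after):
    """ACEs that appear in only one of the two snapshots."""
    added = [ace for ace in after if ace not in before]
    removed = [ace for ace in before if ace not in after]
    return added, removed

# Constructed snapshots: the DACL before and after a manual change.
BEFORE = [
    ("NT AUTHORITY\\SELF", 0x20001, 0, 0),
    ("EXAMPLE\\Mail Admins", 0x20001, 0, 16),
]
AFTER = BEFORE + [("EXAMPLE\\helpdesk1", 0x20003, 0, 0)]

if __name__ == "__main__":
    added, removed = diff_acls(BEFORE, AFTER)
    for ace in added:
        print("+ " + describe(ace))
    for ace in removed:
        print("- " + describe(ace))
```

The ACE that shows up only in the second snapshot carries the values a scripted change has to write, and any UNDECODED bits mark rights the table does not yet name.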
