Folks, this is a follow-up to my earlier question…I can’t figure this out. I’ve found a few bits and pieces of scripts – I’m trying to return all user objects in a testOU to the Inherit Permissions from Parent state. The below script seems to work, but it toggles the flag – I don’t want it to change anything unless inherit is turned off.
Can someone help me with the change so it only changes those who do not have inherit enabled? I think it involves Xor but I haven’t figured out what it should be. Thanks!
********* Script **********
Const SE_DACL_PROTECTED = &H1000
Dim OU, objUser, objNtSecurityDescriptor, intNtSecurityDescriptorControl

set OU = GetObject("LDAP://OU=TestOU,DC=my,DC=domain,DC=com")

For Each ObjUser in OU
    WScript.Echo "Now checking " & ObjUser.sAMAccountName

    If ObjUser.Class = "user" Then
        ' Retrieve security descriptor object for this object.
        Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
        ' Retrieve control settings.
        intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control
        ' Toggle the bit for "allow inheritable permissions".
        intNtSecurityDescriptorControl = intNtSecurityDescriptorControl Xor SE_DACL_PROTECTED
        ' Save control settings in the security descriptor object.
        objNtSecurityDescriptor.Control = intNtSecurityDescriptorControl
        ' Save the security descriptor object.
        objUser.Put "ntSecurityDescriptor", objNtSecurityDescriptor
        ' Update the user object.
        objUser.SetInfo
    End If
    Set ObjUser = Nothing
Next
*********** End Script **************

Mark Creamer
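
Added example, not part of the original post: one way to make the change one-directional is to test the bit with And and clear it with And Not, instead of flipping it with Xor. The OU path is the one from the post; REPORT_ONLY and the counter are hypothetical additions so the run can first list the affected users without writing anything.

```vbscript
Option Explicit

' Added example, not the poster's script.
' REPORT_ONLY is a hypothetical switch introduced for this example.
Const SE_DACL_PROTECTED = &H1000
Const REPORT_ONLY = True   ' True = list affected users only, change nothing

Dim OU, objUser, objSD, intControl, intFound

Set OU = GetObject("LDAP://OU=TestOU,DC=my,DC=domain,DC=com")
intFound = 0

For Each objUser In OU
    If objUser.Class = "user" Then
        Set objSD = objUser.Get("ntSecurityDescriptor")
        intControl = objSD.Control

        ' And isolates the bit: non-zero means the DACL is protected,
        ' i.e. inheritance from the parent is switched off.
        If (intControl And SE_DACL_PROTECTED) <> 0 Then
            WScript.Echo "Inheritance disabled: " & objUser.sAMAccountName
            intFound = intFound + 1

            If Not REPORT_ONLY Then
                ' And Not clears only this bit; all other control flags are kept.
                objSD.Control = intControl And (Not SE_DACL_PROTECTED)
                objUser.Put "ntSecurityDescriptor", objSD
                objUser.SetInfo
            End If
        End If

        Set objSD = Nothing
    End If
Next

WScript.Echo intFound & " user(s) had inheritance disabled."
```

Users whose inheritance is already enabled are never written to, so a second run changes nothing. Accounts protected by AdminSDHolder will have inheritance disabled again by the SDProp process, so they will reappear in the report after a fix.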
