Kevin-

The issue is that the GPMC scripting interface doesn't support Deny ACEs. It only provides a set of pre-determined Allow permission sets. Somewhat of an oversight, in my view, but nonetheless, you are pretty much stuck with rolling this by hand as far as I know.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Sullivan
Sent: Friday, August 27, 2004 10:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Scripting GP woes

I am sure I will butcher this explanation but I’ll give it a shot. For a reference, Bill Boswell wrote Chapter 7 (Scripting GPMC operations) of Jeremy Moskowitz’s new Group Policy book. Bill did an amazing job of drilling into the object model provided with the GPMC and he has a sample of exactly what you are asking.

His sample uses some methods of the gpm object to retrieve the DACL of the GPO. He uses the GetSecurityInfo() method to get the DACL and then uses the CreatePermission() method to create the ACE and the Add() method to plug in the ACE he created.

I just started looking at this script after your post so as you can tell, I am a bit scattered with it all. You can download the sample scripts from http://www.moskowitz-inc.com/grouppolicy/bookextras.html. Some of this stuff is great. The script is called Acc_GPO_Permission.vbs… I hope it helps…

Kevin

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter

Paul-

I think that you're going to have to get the GUID of the GPO, and then set a Deny Read ACE on the NTFS permissions under Winnt\SYSVOL\sysvol\domain\policies\{GUID}. You could use a script or command line utility like Xcacls to do that.

Hunter

From: PAUL MAYES [mailto:[EMAIL PROTECTED]

I am currently in the process of scripting up some GPs to import into an AD. As part of this I need to add a filter to a couple of the policies to deny a group read access. (Putting the reasons for doing this aside for the minute.) I'm trying to find a way to do this, I've tried using the setGPOPermissions script as part of the GPMC which only seems to add apply permissions or remove permissions that already exist. I've also been having a play with trying to use the GPM object directly to script the deny myself but it looks like there aren't any interfaces to do this.

GUI modification is not an option and I want to attempt to do this as out of the box as possible, (ok with GPMC).

Thanks,
Paul.
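
Added example, not part of the thread and not code from any of its participants: one way to roll the Deny ACE by hand, using the ActiveDirectory and GroupPolicy PowerShell modules (which postdate this 2004 thread) to place a Deny Read entry for a group on the GPO's directory object. The GPO name and group name are placeholders.

```powershell
# Added example. Assumes RSAT (ActiveDirectory + GroupPolicy modules) and an
# account allowed to modify permissions on the GPO.
Import-Module ActiveDirectory, GroupPolicy

$gpoName   = 'Example GPO'          # placeholder: display name of the GPO
$groupName = 'Example Deny Group'   # placeholder: group to be filtered out

$gpo   = Get-GPO -Name $gpoName -ErrorAction Stop
$group = Get-ADGroup -Identity $groupName -ErrorAction Stop

# Get-GPO exposes the DN of the groupPolicyContainer object as .Path,
# e.g. cn={GUID},cn=policies,cn=system,DC=...
$adPath = "AD:\$($gpo.Path)"
$acl    = Get-Acl -Path $adPath

# Build the Deny ACE that the GPMC permission sets cannot express.
# Inheritance 'All' covers the object and the containers beneath it.
$denyRead = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl.AddAccessRule($denyRead)
Set-Acl -Path $adPath -AclObject $acl

# Read the ACL back and list the Deny entries so the change can be reviewed.
(Get-Acl -Path $adPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType -AutoSize
```

This changes only the ACL on the directory object; the SYSVOL folder ACL that Hunter mentions is left as it was.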
