Do you currently have permissions to view the SACL through LDAP?
 
Try this
 
adfind -b object_DN ntSecurityDescriptor -sddc
 
If you see a DN but no SDDL representation of the ACL then you may not have permissions.
 
Also I believe I caught the case if one of the components of the ACL doesn't exist or you don't have perm to it specifically where it will tell you that you don't have permission to see that portion of the ACL...
 
   joe
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of PAUL MAYES
Sent: Thursday, May 05, 2005 5:20 AM
To: [email protected]
Subject: [ActiveDir] scripting sacls

 
I'm trying to modify the sacls on an object. Every document/book/google demonstrates how to do this by getting the ntSecurityDescriptor of an object and then obtaining a handle to the SACL by referencing .SystemAcl from the descriptor.
 
Nice, except that when you try and get the object you get an error stating that the object doesn't exist. Now I know I've got the ntSecDesc ok, as I can get the DACL information and all of the other properties spit out quite nicely. It's just the SACLS which I'm having problems with. Can't get any example code from anywhere to give me SACLS either. (Mind you, how many ways are there to get the ntSecDesc and then get .SystemACL!!!). Interestingly, .SACLDefaulted at least gives me a zero.
 
It's driving me maaaaad. Anyone managed to get .SystemACL out of ntSecDesc, or is this a fruitless task?
 
Paul.
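
An added example, not part of the original thread: a Python check of which parts a raw ntSecurityDescriptor value actually carries, which distinguishes a descriptor that came back without a SACL from one whose SACL is simply empty. The byte strings are constructed samples and `describe_sd` is a hypothetical helper name; the layout assumed is the self-relative SECURITY_DESCRIPTOR header followed by 8-byte ACL headers.

```python
import struct

# Control bits of a self-relative SECURITY_DESCRIPTOR header.
SE_DACL_PRESENT = 0x0004
SE_SACL_PRESENT = 0x0010
SE_SACL_DEFAULTED = 0x0020
SE_SELF_RELATIVE = 0x8000

def _ace_count(raw, offset):
    """AceCount from the 8-byte ACL header at offset, or None if no ACL."""
    if offset == 0:
        return None
    if offset + 8 > len(raw):
        raise ValueError("ACL offset points past the end of the value")
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", raw, offset)
    return count

def describe_sd(raw):
    """Report which ACLs a raw ntSecurityDescriptor value carries."""
    if len(raw) < 20:
        raise ValueError("too short for a security descriptor header")
    # Revision, Sbz1, Control, OffsetOwner, OffsetGroup, OffsetSacl, OffsetDacl
    rev, _sbz1, control, _own, _grp, off_sacl, off_dacl = struct.unpack_from(
        "<BBHIIII", raw, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision 1 self-relative security descriptor")
    return {
        # "present" here means the flag is set AND an ACL sits at the offset
        "dacl_present": bool(control & SE_DACL_PRESENT) and off_dacl != 0,
        "sacl_present": bool(control & SE_SACL_PRESENT) and off_sacl != 0,
        "sacl_defaulted": bool(control & SE_SACL_DEFAULTED),
        "dacl_aces": _ace_count(raw, off_dacl),
        "sacl_aces": _ace_count(raw, off_sacl),
    }

# Constructed samples: an empty ACL, a descriptor with only a DACL,
# and one that carries both a SACL and a DACL.
EMPTY_ACL = struct.pack("<BBHHH", 2, 0, 8, 0, 0)
DACL_ONLY = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                        0, 0, 0, 20) + EMPTY_ACL
WITH_SACL = struct.pack("<BBHIIII", 1, 0,
                        SE_SELF_RELATIVE | SE_DACL_PRESENT | SE_SACL_PRESENT,
                        0, 0, 20, 28) + EMPTY_ACL * 2

if __name__ == "__main__":
    for name, blob in (("DACL only", DACL_ONLY), ("with SACL", WITH_SACL)):
        print(name, describe_sd(blob))
```

In the DACL-only sample the SACL-defaulted bit reads as false and there is no SACL to open, while the second sample has a SACL that exists but holds zero ACEs.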
 
 
