Paul,
make sure you include the statement:
objADObject.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_OWNER Or _
    ADS_SECURITY_INFO_GROUP Or _
    ADS_SECURITY_INFO_DACL Or _
    ADS_SECURITY_INFO_SACL
Set objSD = objADObject.Get("ntSecurityDescriptor")
See for more info http://msdn.microsoft.com/library/default.asp?url=
You can find a full script example managing ACL (DACL and SACL) at http://www.lissware.net, ZIP of volume 2 samples, Sample 4.02 to 4.13 - WMIManageSD.Wsf and beyond.
This script manages files, folders, file shares, registry, WMI Namespaces, AD objects and Exchange 200X mailboxes security descriptors.
For AD, it also supports Extended Rights (provided you know the GUID of the Extended Right, but there you can find the complete list in my WMI books at chapter 4 dedicated to security scripting, including CDO, WMI and ADSI with AD).
HTH
/Alain
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 05, 2005 12:47 PM
To: [email protected]
Subject: RE: [ActiveDir] scripting sacls
Do you currently have permissions to view the SACL through LDAP?
Try this
adfind -b object_DN ntSecurityDescriptor -sddc
If you see a DN but no SDDL representation of the ACL then you may not have permissions.
Also I believe I caught the case if one of the components of the ACL doesn't exist or you don't have perm to it specifically where it will tell you that you don't have permission to see that portion of the ACL...
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of PAUL MAYES
Sent: Thursday, May 05, 2005 5:20 AM
To: [email protected]
Subject: [ActiveDir] scripting sacls
I'm trying to modify the SACLs on an object. Every document/book/google demonstrates how to do this by getting the ntSecurityDescriptor of an object and then obtaining a handle to the SACL by referencing .SystemAcl from the descriptor.
Nice, except that when you try and get the object you get an error stating that the object doesn't exist. Now I know I've got the ntSecDesc ok as I can get the DACL information and all of the other properties spit out quite nicely. It's just the SACLs which I'm having problems with. Can't get any example code from anywhere to give me SACLs either. (Mind you, how many ways are there to get the ntSecDesc and then get .SystemACL!!!) Interestingly, .SACLDefaulted at least gives me a zero.
It's driving me maaaaad. Anyone managed to get .SystemACL out of ntSecDesc, or is this a fruitless task?
Paul.
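
The SetOption call from Alain's reply, placed in a stand-alone script that reads and lists an object's audit entries. This is an added example, not code from the thread or from the lissware.net samples. The target DN is a placeholder, and the constants are declared by hand with their ADSI header values because a plain .vbs file has no type library.

```vbscript
Option Explicit
' Added example. ADSI constants declared by hand (a .vbs has no type library).
Const ADS_OPTION_SECURITY_MASK = 3
Const ADS_SECURITY_INFO_OWNER = &H1
Const ADS_SECURITY_INFO_GROUP = &H2
Const ADS_SECURITY_INFO_DACL = &H4
Const ADS_SECURITY_INFO_SACL = &H8
Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40
Const ADS_ACEFLAG_FAILED_ACCESS = &H80
' Placeholder DN (assumption): replace with the object to inspect.
Const TARGET_DN = "OU=Example,DC=example,DC=com"

Dim objADObject, objSD, objSACL, objACE, strAudit
Set objADObject = GetObject("LDAP://" & TARGET_DN)

' Ask for all four parts of the descriptor. Without the SACL bit the
' descriptor comes back with no SACL, so .SystemAcl has nothing to return.
objADObject.SetOption ADS_OPTION_SECURITY_MASK, _
    ADS_SECURITY_INFO_OWNER Or ADS_SECURITY_INFO_GROUP Or _
    ADS_SECURITY_INFO_DACL Or ADS_SECURITY_INFO_SACL

On Error Resume Next
Set objSD = objADObject.Get("ntSecurityDescriptor")
If Err.Number <> 0 Then
    WScript.Echo "Descriptor not returned (0x" & Hex(Err.Number) & "); check rights to read the SACL"
    WScript.Quit 1
End If
Set objSACL = objSD.SystemAcl
If Err.Number <> 0 Then
    WScript.Echo "SystemAcl not available (0x" & Hex(Err.Number) & ")"
    WScript.Quit 1
End If
On Error GoTo 0

If objSACL Is Nothing Then
    WScript.Echo "Descriptor has no SACL on " & TARGET_DN
    WScript.Quit 0
End If

' List each audit ACE: who is audited, for which access, on success or failure.
For Each objACE In objSACL
    strAudit = ""
    If (objACE.AceFlags And ADS_ACEFLAG_SUCCESSFUL_ACCESS) <> 0 Then strAudit = strAudit & "Success "
    If (objACE.AceFlags And ADS_ACEFLAG_FAILED_ACCESS) <> 0 Then strAudit = strAudit & "Failure "
    WScript.Echo objACE.Trustee & "  mask=0x" & Hex(objACE.AccessMask) & "  audit=" & Trim(strAudit)
Next
```

Run it with cscript from an account that holds the "Manage auditing and security log" right; without that right the SACL portion is not returned even when the mask asks for it.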
