Thanks! I’ll definitely look at your tools &
book, Alain!
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir

Deleting an ACE is obviously supported. Supporting removal of an ACE in a granular way requires extensive regression testing, which is way more complex than removing all ACEs using the same trustee. Therefore, it is more than just implementing the feature in the tool. That's why it is not supported, even if technically this should work fine. I've been doing some testing with the script below and it works great so far.

HTH
/Alain

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

> Microsoft doesn't support this and this is why no tool doing this exists.

I am confused, what specifically isn't supported? Deleting a single ACE is obviously supported; the reason DSACLS doesn't do it, I would bet, is programmer laziness versus anything being unsupported. You would have to add additional switches to specify the specific ACL to remove versus simply yanking all of the ACEs with a specific secprin. The latter is much, much easier to implement. DSACLS has lots of shortcuts like that; look at the case sensitivity for more examples there.

joe

From:
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir

Check out the script at http://users.skynet.be/alain.lissoir/conferences/WMIManageSD.zip I wrote for my books. This script is fully documented in my WMI books at http://www.lissware.net (Vol 2). It supports the management of security descriptors for files, folders, file shares, registry, WMI namespaces, AD, Exchange 2000/2003 mailboxes. It requires the registration of some resource DLLs where it is started in order to work.

For instance, if you want to delegate "Modify the membership of a group" (as the delegation wizard displays it), the command line for WMIManageSD.Wsf is:

    Set OU="OU=Department,DC=
    Set TRUSTEE="VMLissWareNET\Alain.Lissoir"
    Cscript.Exe //Nologo WMIManageSD.Wsf /ADObject:"%OU%" ^

Then to undelegate one ACE, you specify the exact same command line, but you use the /DelAce and /Granular+ switches instead. If you don't specify the /Granular+ switch, then it removes all ACEs for the trustee. If you do, it removes the ACE specified for the trustee.

    Set OU="OU=Department,DC=
    Set TRUSTEE="VMLissWareNET\Alain.Lissoir"
    Cscript.Exe //Nologo WMIManageSD.Wsf /ADObject:"%OU%" ^

Note that even though this may work in most cases, Microsoft doesn't support this and this is why no tool doing this exists.

HTH
/Alain

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme

I am at the latter stages of a script to ‘pump out’ delegation from a business administrative model description. I’ve had great luck automating DSACLS to drive delegation. Now I’ve hit a wall though and maybe someone can help.

DSACLS won’t let you remove a single permission. It will let you remove all permissions for a security principal; it will let you deny; but it won’t remove an allowed permission.

My goal is to be able to drive a delegation of “almost full control” of users & groups, whereby an admin group can do everything except delete, because we want to provision the deletion process to avoid accidental deletions. I’d like to delegate this as I would in the UI: click “Full Control” then UNCHECK “Delete” and “Delete Subtree”.

Does anyone have any ideas how to script this? I’d prefer not to have to dive into the security descriptor using VBScript, but if that’s what it takes I’ll do that, if someone has a sample.

THANKS!
Dan

(BTW: Yes, I’ll be posting this tool for everyone once it’s finished)
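Added example (not from the thread, and not Alain's WMIManageSD.Wsf script): the two operations the thread is about, done through the ActiveDirectory module's AD: drive in PowerShell. It first builds the ACE that the UI produces when you click "Full Control" and uncheck "Delete" and "Delete Subtree" (the GenericAll mask with the Delete and DeleteTree bits cleared) and grants it to a group, then removes exactly that one ACE with RemoveAccessRuleSpecific, which is the "granular" removal being discussed, as opposed to RemoveAccess, which, like DSACLS, drops every ACE of the trustee. The OU distinguished name and the group name OU-Admins are assumed placeholders; Set-Acl runs with -WhatIf unless -Apply is passed.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original thread. Hypothetical values:
# the OU DN below and the group "OU-Admins". Dry run unless -Apply is given.
param([switch]$Apply)

Import-Module ActiveDirectory

$ouDn    = 'OU=Department,DC=example,DC=com'   # hypothetical target OU
$trustee = 'OU-Admins'                         # hypothetical delegated group
$path    = "AD:\$ouDn"

$adr = [System.DirectoryServices.ActiveDirectoryRights]

# "Full Control" with "Delete" and "Delete Subtree" unchecked: start from the
# GenericAll mask and clear the Delete and DeleteTree bits.
$deleteBits = [int]$adr::Delete -bor [int]$adr::DeleteTree
$almostFull = [System.DirectoryServices.ActiveDirectoryRights](
                  [int]$adr::GenericAll -band (-bnot $deleteBits))

# Identify the trustee by SID so the ACE does not depend on name translation.
$sid  = (Get-ADGroup -Identity $trustee).SID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $almostFull,
            [System.Security.AccessControl.AccessControlType]::Allow,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

function Show-TrusteeAces([System.DirectoryServices.ActiveDirectorySecurity]$acl) {
    # Explicit (non-inherited) ACEs only; inherited ACEs cannot be removed here.
    $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $sid } |
        Select-Object AccessControlType, ActiveDirectoryRights, InheritanceType, ObjectType
}

# 1. Delegate "almost full control" on the OU.
$acl = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl -WhatIf:(-not $Apply)

# 2. Undelegate exactly that ACE. RemoveAccessRuleSpecific matches the whole
#    ACE (trustee, rights, allow/deny, inheritance, object GUIDs) and leaves
#    any other ACE of the same trustee untouched. The non-granular alternative,
#    $acl.RemoveAccess($sid, 'Allow'), removes every Allow ACE for the trustee,
#    which is the behaviour DSACLS offers.
$acl = Get-Acl -Path $path
Write-Host "ACEs for $trustee before removal:"
Show-TrusteeAces $acl
$acl.RemoveAccessRuleSpecific($rule)
Write-Host "ACEs for $trustee after removal (not yet written):"
Show-TrusteeAces $acl
Set-Acl -Path $path -AclObject $acl -WhatIf:(-not $Apply)
```

Because RemoveAccessRuleSpecific is an exact match, the rule you pass must be rebuilt with the same rights mask, inheritance setting and object GUIDs as the ACE that was granted; printing the trustee's ACEs before and after, as above, is the quickest way to confirm that only the intended entry disappeared and that the remaining delegation is what you expect before you run it with -Apply.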
- RE: [ActiveDir] Scripting Delegation Question Dan Holme
