I am confused by this statement: "Supporting removal of ACE in a granular way requires extensive regression testing, which is way more complex than removing all ACEs using the same trustee."

I agree removing a single ACE versus all ACEs that have a certain secprin is definitely easier, but not sure where the regression testing comes in. I think I am missing something. Removal of, say, a Reset Password ACE should be pretty straightforward. Of course you can get into the tricky situation that Brett and I discussed concerning property sets and how you show permissions and handle permissions if something is in a property set and delegated through that property set and directly. Again, this is an issue that exists anyway. The expectation, at least to me, is if you ask for Reset Password to be removed, it would be the explicit delegation of that specific permission, not a comprehensive search of FC ACEs and Property Set ACEs.

Look at it this way: you can do this easily from the GUI, but not the CLI without writing your own script or code.

thanks
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Saturday, May 21, 2005 2:41 AM
To: [email protected]
Subject: RE: [ActiveDir] Scripting Delegation Question

Deleting an ACE is obviously supported. Supporting removal of ACE in a granular way requires extensive regression testing, which is way more complex than removing all ACEs using the same trustee. Therefore, it is more than just implementing the feature in the tool. That's why it is not supported, even though technically this should work fine. I've been doing some testing with the script below and it works great so far.

HTH
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, May 20, 2005 10:07 PM
To: [email protected]
Subject: RE: [ActiveDir] Scripting Delegation Question

> Microsoft doesn't support this and this is why no tool doing this exists.

I am confused, what specifically isn't supported?

Deleting a single ACE is obviously supported; the reason DSACLS doesn't do it, I would bet, is programmer laziness versus anything being unsupported. You would have to add additional switches to specify the specific ACE to remove versus simply yanking all of the ACEs with a specific secprin. The latter is much, much easier to implement. DSACLS has lots of shortcuts like that; look at the case sensitivity for more examples there.

joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, May 20, 2005 7:10 PM
To: [email protected]
Subject: RE: [ActiveDir] Scripting Delegation Question

Check out the script at http://users.skynet.be/alain.lissoir/conferences/WMIManageSD.zip I wrote for my books. This script is fully documented in my WMI books at http://www.lissware.net (Vol 2).

It supports the management of security descriptors for files, folders, file shares, registry, WMI namespaces, AD, Exchange 2000/2003 mailboxes. It requires the registration of some resource DLLs on the machine where it is started in order to work.

For instance, if you want to delegate "Modify the membership of a group" (as the delegation wizard displays), the command line for WMIManageSD.Wsf is:
Set OU="OU=Department,DC=LissWare,DC=NET"
Set TRUSTEE="VMLissWareNET\Alain.Lissoir"
Cscript.Exe //Nologo WMIManageSD.Wsf /ADObject:"%OU%" ^
    /Trustee:%TRUSTEE% ^
    /ACEType:ADS_ACETYPE_ACCESS_ALLOWED_OBJECT ^
    /ACEMask:ADS_RIGHT_DS_READ_PROP,ADS_RIGHT_DS_WRITE_PROP ^
    /ACEFlags:ADS_ACEFLAG_CONTAINER_INHERIT_ACE,ADS_ACEFLAG_INHERIT_ONLY_ACE ^
    /ObjectType:{BF9679C0-0DE6-11D0-A285-00AA003049E2} ^
    /InheritedObjectType:{BF967A9C-0DE6-11D0-A285-00AA003049E2} ^
    /AddAce+ /ADSI+

Then to undelegate one ACE, you specify the exact same command line, but you use the /DelAce+ and /Granular+ switches instead. If you don't specify the /Granular+ switch, then it removes all ACEs for the trustee. If you do, it removes the ACE specified for the trustee.
Set OU="OU=Department,DC=LissWare,DC=NET"
Set TRUSTEE="VMLissWareNET\Alain.Lissoir"
Cscript.Exe //Nologo WMIManageSD.Wsf /ADObject:"%OU%" ^
    /Trustee:%TRUSTEE% ^
    /ACEType:ADS_ACETYPE_ACCESS_ALLOWED_OBJECT ^
    /ACEMask:ADS_RIGHT_DS_READ_PROP,ADS_RIGHT_DS_WRITE_PROP ^
    /ACEFlags:ADS_ACEFLAG_CONTAINER_INHERIT_ACE,ADS_ACEFLAG_INHERIT_ONLY_ACE ^
    /ObjectType:{BF9679C0-0DE6-11D0-A285-00AA003049E2} ^
    /InheritedObjectType:{BF967A9C-0DE6-11D0-A285-00AA003049E2} ^
    /DelAce+ /ADSI+ /Granular+

Note that even though this may work in most cases, Microsoft doesn't support this and this is why no tool doing this exists.

HTH
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Friday, May 20, 2005 10:20 AM
To: [email protected]
Subject: [ActiveDir] Scripting Delegation Question

I am at the latter stages of a script to ‘pump out’ delegation from a business administrative model description. I’ve had great luck automating DSACLS to drive delegation. Now I’ve hit a wall though and maybe someone can help.

DSACLS won’t let you remove a single permission. It will let you remove all permissions for a security principal; it will let you deny; but it won’t remove an allowed permission.

My goal is to be able to drive a delegation of “almost full control” of users & groups, whereby an admin group can do everything except delete, because we want to provision the deletion process to avoid accidental deletions. I’d like to delegate this as I would in the UI: click “Full Control” then UNCHECK “Delete” and “Delete Subtree”.

Does anyone have any ideas how to script this? I’d prefer not to have to dive into the security descriptor using VBScript, but if that’s what it takes I’ll do that, if someone has a sample.

THANKS!
Dan

(BTW: Yes, I’ll be posting this tool for everyone once it’s finished)
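As an added example that is not part of the thread (and is neither DSACLS nor Alain's WMIManageSD.Wsf), here is what the two operations discussed above look like in PowerShell against the System.DirectoryServices API: Dan's delegation of Full Control minus Delete and Delete Subtree, and Alain's granular removal of one ACE next to the remove-every-ACE-for-this-trustee behaviour that DSACLS and /DelAce+ without /Granular+ give you. It also carries the check joe's message asks about: whether Reset Password is still granted through a broader ACE once the explicit one is deleted. The security descriptor is a detached in-memory ActiveDirectorySecurity object and the trustee SID is made up, so it runs on any Windows machine with Windows PowerShell 5.1 or later without a domain; the user-class and Reset Password GUIDs are the default-schema values, and the final bind to OU=Department,DC=LissWare,DC=NET (Alain's example OU) is shown only as a comment.

```powershell
# Added example for this thread; not code from the thread, from DSACLS, or from
# WMIManageSD.Wsf. Builds "almost full control" (GenericAll minus Delete/DeleteTree),
# then shows granular single-ACE removal versus purging every ACE for the trustee,
# and checks whether an extended right survives the granular delete via a broader ACE.
# Runs on a detached ActiveDirectorySecurity object, so no domain is touched.
Add-Type -AssemblyName System.DirectoryServices

$ADR   = [System.DirectoryServices.ActiveDirectoryRights]
$Inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow

# Constructed, hypothetical SID for the delegated admin group (no lookup is done).
$trustee = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1111111111-2222222222-3333333333-1108'

# schemaIDGUID of the user class and rightsGuid of the Reset Password control access
# right: default AD schema values (assumption: unchanged in your forest).
$userClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$resetPwd  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'

function New-AlmostFullControlRule {
    # GenericAll with the Delete and DeleteTree bits masked out: the same thing the
    # GUI does when you tick Full Control and then untick Delete / Delete Subtree.
    param([System.Security.Principal.IdentityReference]$Identity, [Guid]$ObjectClass)
    $mask = [int]$ADR::GenericAll -band (-bnot ([int]$ADR::Delete -bor [int]$ADR::DeleteTree))
    # Last argument is inheritedObjectType: the ACE applies to descendant objects of that class.
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Identity, [System.DirectoryServices.ActiveDirectoryRights]$mask, $Allow,
        $Inh::Descendents, $ObjectClass)
}

function New-ExtendedRightRule {
    # An explicit control-access-right ACE (ObjectType = the right's GUID).
    param([System.Security.Principal.IdentityReference]$Identity, [Guid]$RightGuid, [Guid]$ObjectClass)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Identity, $ADR::ExtendedRight, $Allow, $RightGuid, $Inh::Descendents, $ObjectClass)
}

function Get-TrusteeRules {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Sd,
          [System.Security.Principal.SecurityIdentifier]$Sid)
    @($Sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $Sid.Value })
}

function Test-ExtendedRightStillGranted {
    # Does any remaining Allow ACE for the trustee still carry this extended right,
    # either by naming its GUID or as a blanket ExtendedRight (ObjectType empty), as a
    # Full Control style ACE does? Deleting the explicit ACE alone does not revoke it.
    param($Sd, [System.Security.Principal.SecurityIdentifier]$Sid, [Guid]$RightGuid)
    foreach ($r in (Get-TrusteeRules -Sd $Sd -Sid $Sid)) {
        if ($r.AccessControlType -ne $Allow) { continue }
        if (([int]$r.ActiveDirectoryRights -band [int]$ADR::ExtendedRight) -eq 0) { continue }
        if ($r.ObjectType -eq [Guid]::Empty -or $r.ObjectType -eq $RightGuid) { return $true }
    }
    return $false
}

# A detached security descriptor standing in for the OU's nTSecurityDescriptor.
$sd = [System.DirectoryServices.ActiveDirectorySecurity]::new()
$almostFull = New-AlmostFullControlRule -Identity $trustee -ObjectClass $userClass
$resetRule  = New-ExtendedRightRule -Identity $trustee -RightGuid $resetPwd -ObjectClass $userClass
$sd.AddAccessRule($almostFull)
$sd.AddAccessRule($resetRule)
"ACEs for trustee after delegation: {0}" -f (Get-TrusteeRules $sd $trustee).Count

# Granular removal (the /Granular+ case): only an ACE matching identity, mask, type,
# object type and inheritance is removed, so the almost-full-control ACE survives.
$sd.RemoveAccessRuleSpecific($resetRule)
"ACEs for trustee after granular delete: {0}" -f (Get-TrusteeRules $sd $trustee).Count
"Reset Password still granted via a broader ACE: {0}" -f (Test-ExtendedRightStillGranted $sd $trustee $resetPwd)

# Non-granular removal (DSACLS, or /DelAce+ without /Granular+): every ACE for the
# trustee goes, whatever rights it carried.
$sd.PurgeAccessRules($trustee)
"ACEs for trustee after purge: {0}" -f (Get-TrusteeRules $sd $trustee).Count

# Against a real OU (assumption: domain-joined host with rights on the OU), the same
# rules are applied through a DirectoryEntry and committed:
#   $ou = [adsi]'LDAP://OU=Department,DC=LissWare,DC=NET'
#   $ou.ObjectSecurity.AddAccessRule($almostFull)
#   $ou.CommitChanges()
```

The design point is the one the thread circles around: RemoveAccessRuleSpecific is the granular delete and only matches an ACE that is identical in every field, so it leaves the broad ACE in place and the check function reports that the extended right is still effectively held; PurgeAccessRules is the DSACLS-style operation that removes everything for the trustee. Run the granular variant when the administrative model names the exact ACE being revoked, and follow it with the check rather than assuming the permission is gone.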
