I’m attaching a script I used for a scripted delegation demonstration.  There is a lot of code (applying a lot of ‘templates’) but the guts can be seen in one “section” and the RunDSACLS routine at the end.  I’m sorry I don’t have time to document this fully for you, but I’m heading out of town.  Hopefully you can make heads and tails out of it.

 

Set objShell = WScript.CreateObject("WScript.Shell")

' Each section delegates one "template" of rights (a Level1/Level2 task set) to one
' group over one OU. The Subs take several arguments, so they are invoked with Call
' (VBScript rejects Name(arg1,arg2) without it).

' ===EUROPE HELP DESK===
strGroup="WINDOMAIN\ZEUR_HelpDesk"
strOU="OU=Users,OU=EUR,DC=windomain,DC=local"
Call Level1UserTasks(strGroup,strOU)

strOU="OU=Groups,OU=EUR,DC=windomain,DC=local"
Call Level1GroupTasks(strGroup,strOU)

' ===EUROPE ENGINEERS===
strGroup="WINDOMAIN\ZEUR_Engineers"
strOU="OU=Users,OU=EUR,DC=windomain,DC=local"
Call Level2UserTasks(strGroup,strOU)

strOU="OU=Groups,OU=EUR,DC=windomain,DC=local"
Call Level2GroupTasks(strGroup,strOU)

strOU="OU=Clients,OU=EUR,DC=windomain,DC=local"
Call Level2ComputerTasks(strGroup,strOU)

strOU="OU=Servers,OU=EUR,DC=windomain,DC=local"
Call Level2ComputerTasks(strGroup,strOU)

strOU="OU=Admins,OU=EUR,DC=windomain,DC=local"
Call Level1UserTasks(strGroup,strOU)

' ===USA HELP DESK===
strGroup="WINDOMAIN\ZUSA_HelpDesk1"
strOU="OU=Users,OU=USA,DC=windomain,DC=local"
Call Level1UserTasks(strGroup,strOU)

strOU="OU=Travelers,OU=Users,OU=EUR,DC=windomain,DC=local"
Call Level1UserTasks(strGroup,strOU)

' ===USA LEVEL 2===
strGroup="WINDOMAIN\ZUSA_HelpDesk2"
strOU="OU=Users,OU=USA,DC=windomain,DC=local"
Call Level2UserTasks(strGroup,strOU)

strOU="OU=Groups,OU=USA,DC=windomain,DC=local"
Call Level2GroupTasks(strGroup,strOU)

strOU="OU=Clients,OU=USA,DC=windomain,DC=local"
Call Level2ComputerTasks(strGroup,strOU)

' ===USA ENGINEERS===
strGroup="WINDOMAIN\ZUSA_Engineers"
strOU="OU=Servers,OU=USA,DC=windomain,DC=local"
Call Level2ComputerTasks(strGroup,strOU)

strOU="OU=Admins,OU=USA,DC=windomain,DC=local"
Call Level1UserTasks(strGroup,strOU)

' ===USA CORE AD TEAM===
strGroup="WINDOMAIN\ZUSA_CoreADTeam"
strOU="OU=Admins,OU=USA,DC=windomain,DC=local"
Call Level2UserTasks(strGroup,strOU)

strOU="OU=Groups,OU=USA,DC=windomain,DC=local"
Call Level2UserTasks(strGroup,strOU)


' Permission strings use the DSACLS format rights;object-or-attribute;inherited-class.
' /I:S applies the ACE to sub-objects only (the user/group/computer objects under the OU);
' /I:T applies it to the OU itself and everything below it.

' Level 1 (help desk): reset password, force change at next logon, unlock account.
Sub Level1UserTasks(strGroup,strOU)
    ' CA = control access (extended right) "Reset Password" on user objects
    strPerms="CA;" & Quote("Reset Password") & ";user"
    strInher="/I:S"
    Call RunDSACLS(strGroup,strOU,strInher,strPerms)

    ' RPWP = read/write property; pwdLastSet=0 forces a password change at next logon
    strPerms="rpwp;" & Quote("pwdLastSet") & ";user"
    strInher="/I:S"
    Call RunDSACLS(strGroup,strOU,strInher,strPerms)

    ' lockoutTime=0 unlocks the account
    strPerms="rpwp;" & Quote("lockoutTime") & ";user"
    strInher="/I:S"
    Call RunDSACLS(strGroup,strOU,strInher,strPerms)
End Sub

' Level 1 on groups: manage membership only
Sub Level1GroupTasks(strGroup,strOU)
    strPerms="rpwp;" & Quote("member") & ";group"
    strInher="/I:S"
    Call RunDSACLS(strGroup,strOU,strInher,strPerms)
End Sub

' Level 2: create user objects in the OU and its sub-OUs, then full control (GA) over them
Sub Level2UserTasks(strGroup,strOU)
    strPerms="CC;user"
    strInher="/I:T"
    Call RunDSACLS(strGroup,strOU,strInher,strPerms)

    strPerms="GA;;user"
    strInher="/I:S"
    Call RunDSACLS(strGroup,strOU,strInher,strPerms)
End Sub

' Level 2 on groups: create and delete (CCDC) group objects, full control over them
Sub Level2GroupTasks(strGroup,strOU)
    strPerms="CCDC;group"
    strInher="/I:T"
    Call RunDSACLS(strGroup,strOU,strInher,strPerms)

    strPerms="GA;;group"
    strInher="/I:S"
    Call RunDSACLS(strGroup,strOU,strInher,strPerms)
End Sub

' Level 2 on computers: create and delete computer objects, full control over them
Sub Level2ComputerTasks(strGroup,strOU)
    strPerms="CCDC;computer"
    strInher="/I:T"
    Call RunDSACLS(strGroup,strOU,strInher,strPerms)

    strPerms="GA;;computer"
    strInher="/I:S"
    Call RunDSACLS(strGroup,strOU,strInher,strPerms)
End Sub


' Manage GPO links on the OU object itself (no inheritance switch), unused above
Sub GPOLinkTasks(strGroup,strOU)
    strPerms="rpwp;" & Quote("gPLink")
    strInher=""
    Call RunDSACLS(strGroup,strOU,strInher,strPerms)

    strPerms="rpwp;" & Quote("gPOptions")
    strInher=""
    Call RunDSACLS(strGroup,strOU,strInher,strPerms)
End Sub

' Delete user objects under the OU, unused above
Sub DeleteUserTask(strGroup,strOU)
    strPerms="DC;user"
    strInher="/I:S"
    Call RunDSACLS(strGroup,strOU,strInher,strPerms)
End Sub

' Builds and runs one DSACLS command, for example:
'   DSACLS OU=Users,OU=EUR,DC=windomain,DC=local /I:S /G WINDOMAIN\ZEUR_HelpDesk:rpwp;"pwdLastSet";user
' and echoes the command together with the last line of its output (the status line).
Sub RunDSACLS(strGroup,strOU,strInher,strPerms)
    strCommand="DSACLS " & strOU & " " & strInher & " /G " & strGroup & ":" & strPerms
    strMsg = strCommand & vbCRLF
    'objShell.Run "%comspec% /c " & strCommand,1,true
    Set objExec=objShell.Exec(strCommand)
    Set objOut=objExec.StdOut
    strLastLine=""
    While Not objOut.AtEndOfStream
        strLastLine=objOut.ReadLine
    Wend
    strMsg = strMsg & strLastLine
    WScript.Echo strMsg
End Sub

' Wraps text in double quotes (Chr(34))
Function Quote(strText)
    Quote=Chr(34) & strText & Chr(34)
End Function

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 03, 2005 5:37 PM
To: [email protected]
Subject: RE: [ActiveDir] Distribute a "template delegation".

 

Yep, best to script this.

Last place I was an ops guy for, we wrote an entire create-OU script. You told it what domain and the building number and it did the rest, built all of the OU structures needed, created all of the groups, put into place all of the delegations, linked the proper group policy objects, etc. We then wrapped that script in another script and when a batch request came in for say 20 new buildings being added to AD we fired off one command (something like buildous domain filename) and off it would run building them all. A little while later it would be finished and the admin doing the work was off working on and closing 5, 10, 15 other request tickets. Best part was that it had error checking and made sure everything was done correctly so you KNEW for absolute certain that it was configured properly. Another great part was that if we made a change to the structure or delegation we could rerun the script across all of the existing building numbers and it would make all of the necessary adjustments.

Of course if you have a completely ad hoc AD design it is hard to do something like that, but that is a good argument to not have an ad hoc design, right after the confusion doing things ad hoc causes.

   joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Wednesday, August 03, 2005 6:48 AM
To: [email protected]
Subject: RE : [ActiveDir] Distribute a "template delegation".

Hi Jorge and Brian :)

Thanks for the answer.

I thought indeed of dsacls, but I was hoping there was a way natively or an add-on to AD to do this task....  :(
Thinking of a file such as delegwiz.inf that could be modified with my own settings and then be applied at one time to my OUs.

Never mind, thanks for the suggestions and have a nice day :)

Regards,

Yann

 


From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Date: Wed 03/08/2005 12:18
To: [email protected]
Subject: RE: [ActiveDir] Distribute a "template delegation".

Yep, the tool you mention can do that because natively through AD it is not possible.

However, you could do it with scripting and some of the free tools around.

You could use a VBScript (see the script repository from MS) to create all the groups, and with DSACLS you can assign permissions to the group on a certain OU.

Cheers,

#JORGE#

 


From: [EMAIL PROTECTED] on behalf of TIROA YANN
Sent: Wed 8/3/2005 11:54 AM
To: [email protected]
Subject: [ActiveDir] Distribute a "template delegation".

Hello all :)

I have more than 70 OUs.
In each of them, I create a group, say AdminGroup, with one or more users in it.
In OU1, I've then delegated to AdminGroup1 the rights to only view certain attributes and write others, and to create certain types of objects such as groups and computers.

I would not like to do the same procedure for each of my 69 OUs... :(

So is there a way to create a "delegation template" and apply it to all my OUs, as Active Roles from Quest does with its "Business Roles"?

Thanks for your input,

 

Yann
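As an added example that is not part of this thread: the Level1/Level2 templates from the VBScript attached at the top, expressed as data in Python so the same "delegation template" Yann asks about can be rendered into DSACLS commands for any number of OUs, plus a lint that flags every non-read right a template would grant inside an Admins OU (the attached script does delegate password reset there to the engineers' groups, so a reviewer can confirm that is deliberate). Group and OU names are constructed samples following the thread's naming pattern; the permission strings and /I:S vs /I:T switches are the thread's own.

```python
"""Delegation-template renderer for DSACLS with a least-privilege lint.

Added example, not code from the thread. It reuses the thread's DSACLS
permission strings and /I:S (sub-objects only) vs /I:T (this OU and
sub-objects) switches; group and OU names are constructed samples.
"""
import subprocess

# Template name -> list of (inheritance switch, "rights;object-or-attribute;class").
TEMPLATES = {
    "Level1User": [("/I:S", 'CA;"Reset Password";user'),  # extended right
                   ("/I:S", "RPWP;pwdLastSet;user"),      # force change at next logon
                   ("/I:S", "RPWP;lockoutTime;user")],    # unlock account
    "Level1Group": [("/I:S", "RPWP;member;group")],
    "Level2User": [("/I:T", "CC;user"), ("/I:S", "GA;;user")],
    "Level2Group": [("/I:T", "CCDC;group"), ("/I:S", "GA;;group")],
    "Level2Computer": [("/I:T", "CCDC;computer"), ("/I:S", "GA;;computer")],
}
# DSACLS rights codes that only read; every other code modifies the directory.
READ_ONLY = {"RP", "LC", "RC", "GR", "GE"}

def render(group, ou, template):
    """One DSACLS command per template entry, in the same shape the VBScript builds."""
    return [f"DSACLS {ou} {inh} /G {group}:{perm}" for inh, perm in TEMPLATES[template]]

def plan(assignments):
    """Expand (group, ou, template) triples into a deterministic, rerunnable command list."""
    cmds = []
    for group, ou, template in sorted(assignments):
        cmds.extend(render(group, ou, template))
    return cmds

def lint(assignments, protected_prefix="OU=Admins,"):
    """Flag every non-read right a template would grant inside a protected OU."""
    findings = []
    for group, ou, template in assignments:
        if not ou.startswith(protected_prefix):
            continue
        for _inh, perm in TEMPLATES[template]:
            rights = perm.split(";")[0].upper()
            codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            bad = [c for c in codes if c not in READ_ONLY]
            if bad:
                findings.append((group, ou, perm, bad))
    return findings

def run_plan(cmds, dry_run=True):
    """Execute on a host with dsacls.exe; dry_run=True just returns the commands."""
    if dry_run:
        return cmds
    return [subprocess.run(c, shell=True, capture_output=True, text=True).returncode for c in cmds]
```

Run lint() on the full assignment list before run_plan(..., dry_run=False); rerunning the plan after a template change re-applies the adjusted rights across every OU, as joe describes.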
