Nice tool Sakari. Jorge, I will tackle the one point:

"* For inherited permissions... "inherited from" is missing"

"Inherited from" isn't a field in the DACL. If someone puts that in a report, it is because they specifically looked at the entire hierarchy and worked out where the specific inherited ACE came from. It requires additional logic in the script and disallows it from being written in a simple object-by-object, SD-by-SD, DACL-by-DACL, ACE-by-ACE flow-down-and-forget method. You have to add lookup table structures or set up some sort of tree structure that you can back-pedal up. Keep in mind that a specific ACE could be on level 1 and level 6 but inheritance blocked at level 3, and on level 9, where you find the inherited ACE, you need to know to go to level 6 to get the "inherited from" versus level 1. It isn't bad with the proper data structure, you just have to set it up and maintain it. It is sort of like you can't look at (and just at) the lockoutTime attribute of a user and positively determine the user is locked; you have to add in additional lookups and logic to chase it down. So I would classify that one in the category of DCR versus issue. Not really minor either in my opinion, definitely valuable though. :o)

Oh I will tackle another because that was quick...

"* The permissions of the domain object itself are not listed"

Look at the filter, it has several possible combinations. The default is to show OrgUnits. If you make the following quick changes:

    Const SCOPE_OUS_ONLY = False           'True 'Whether to scan only OUs or also other object classes
    Const SCOPE_NON_ADVANCED_VIEW = False  'True 'Whether to scan only normal-view objects or also advanced-view objects

It will do all objects (objectclass=*). I think the DCR I would submit there is to allow the person to specify the filter as well as the base, possibly the scope too.

And finally:

"run the script from the command-line like CSCRIPT <scriptname> otherwise you need to click away popup boxes"

Didn't happen to me... But then one of the first things I do is set CSCRIPT as default. :o)

Ok, time to two-fist some Mountain Dew and work on the last couple of chapters of AD 3E... I expect everyone on the list to buy at least 10 copies to give out to all of their friends. It is shaping up to be a book worth reading. As one of the tech reviewers said in a note to me today...

"...... It's one you wrote from scratch, right? (I don't see any comments or edits from you that would indicate it's an older, reworked chapter.) Love. Love. Love love love."

The book is supposed to target the less experienced folks and I fully admit that, but for those that are experienced and buy it anyway I am adding nice gems that you won't find documented anywhere else. Unfortunately I don't get to use phrases like "set my hair on fire" or "it's like a junebug on a hot tin roof" or anything like that, but it is still good. Next book will be more fun.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Thursday, September 08, 2005 8:07 PM
To: [email protected]; [email protected]
Subject: RE: [ActiveDir] Active Directory Permissions

Hi Sakari,

Just tested the script on my home DC. Works great. Minor Minor Minor issues.. ;-))

* Last line states "This table was generated at 09-Sep-2005 01:47:40 by ACLsToExcel.vbs" - the last should be ACLReport.vbs. Instead of hardcoding the name of the file, add WScript.ScriptName
* The permissions of the domain object itself are not listed
* White space is explicit allow permission (not mentioned)
* For inherited permissions...
"inherited from" is missing

Cheers
Jorge

________________________________
From: [EMAIL PROTECTED] on behalf of Sakari Kouti
Sent: Fri 9/9/2005 12:21 AM
To: [email protected]
Subject: RE: [ActiveDir] Active Directory Permissions

Hi All,

All software projects take twice the estimated schedule, so not on Tuesday, but now on Thursday there is finally the script to dump all AD ACEs at the end of the page http://www.kouti.com/scripts.htm

A few comments:

- As always, you would get most of the results using just end-user permissions
- The script works fastest when run on a DC. They don't often have Excel installed, so I modified the script to create an HTML file instead of direct Excel dumping. You can copy this HTML file to a workstation, right-click the table in IE and select Export to Microsoft Excel.
- You can specify the root of dumping in an inputbox.
- By modifying three lines in the beginning of the script, you can specify:
  - Whether to scan only OUs or also other object classes
  - Whether to scan only normal-view objects or also advanced-view objects
  - Whether to display all ACEs or only non-inherited

Please let me know if you find bugs or have minor :-) feature suggestions. Note that the script is not bulletproof. For example, it breaks if you try to run it as a standalone user with no access to AD (no graceful exit, that is).

Yours,
Sakari

PS. Thanks for the congrats on my third child.
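joe's point above about working out "inherited from" for an inherited ACE, as an added example that is not part of the thread or of Sakari's script: a single top-down pass over a constructed nine-level OU chain that carries a lookup table of where each ACE was last defined explicitly, discarding the table wherever a DACL blocks inheritance, so the ACE at level 9 is traced to level 6 rather than level 1. The OU names, the "Audit-Readers" trustee and the 0x20094 access mask are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
# Constructed model of an AD subtree; real ACEs also carry object-type GUIDs and flags.
Ace = Tuple[str, int, bool]   # (trustee, access mask, INHERITED_ACE flag set?)
AceKey = Tuple[str, int]      # identity of an ACE independent of where it sits

@dataclass
class Obj:
    dn: str
    protected: bool           # SE_DACL_PROTECTED: inheritance blocked at this object
    dacl: List[Ace]
    children: List["Obj"] = field(default_factory=list)

def trace_inherited_from(root: Obj) -> Dict[Tuple[str, AceKey], str]:
    """One top-down pass that carries a lookup table along the path.
    The table maps ACE identity -> DN where the ACE is defined explicitly. A child
    starts from its parent's table, a protected DACL discards it, and an explicit
    ACE overwrites the entry, so an ACE re-added at L6 is the source for L7-L9."""
    result: Dict[Tuple[str, AceKey], str] = {}
    def walk(obj: Obj, sources: Dict[AceKey, str]) -> None:
        table = {} if obj.protected else dict(sources)
        for trustee, mask, inherited in obj.dacl:
            key = (trustee, mask)
            if inherited:
                result[(obj.dn, key)] = table.get(key, "<no explicit ancestor>")
            else:
                table[key] = obj.dn
        for child in obj.children:
            walk(child, table)
    walk(root, {})
    return result

def level_dn(n: int) -> str:
    return ",".join(f"OU=L{i}" for i in range(n, 0, -1))

def build_example_tree() -> Obj:
    """Nine nested OUs: ACE explicit at L1 and L6, inheritance blocked at L3."""
    levels = []
    for n in range(1, 10):
        present = n <= 2 or n >= 6   # L3-L5 lost the ACE when L3 was protected
        dacl = [("Audit-Readers", 0x20094, n not in (1, 6))] if present else []
        levels.append(Obj(level_dn(n), protected=(n == 3), dacl=dacl))
    for parent, child in zip(levels, levels[1:]):
        parent.children.append(child)
    return levels[0]

def inherited_from(root: Obj, dn: str, trustee: str, mask: int) -> str:
    """'Inherited from' DN for one inherited ACE; '' when the ACE is explicit/absent."""
    return trace_inherited_from(root).get((dn, (trustee, mask)), "")
```

The same table approach fits a flow-down ACE dumper because the table is the only extra state: it is copied per level, so siblings never see each other's explicit ACEs.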
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
