Re: Modify Active Directory ACL for a Group
 Re: Modify Active Directory ACL for a Group - 3/22/2005 1:35:58 PM   
token
Replace:

ace.trustee = "CN=grouptest,CN=Roles,O=KKK,C=SG"

with:

ace.trustee = "capia1\grouptest"

(in reply to byarnell)
Post #: 21

Re: Modify Active Directory ACL for a Group - 3/22/2005 2:00:54 PM
chan_fookmun
Hello token,

I tried using the method you suggested but the same error still appears. What can be wrong? I understand that I can install multiple instances of ADAM on a single PC, only that their ports are different.
In AD only one set can exist. Will it pose a problem in that the same code cannot be applied to ADAM as in AD?

(in reply to byarnell)
Post #: 22

Re: Modify Active Directory ACL for a Group - 3/22/2005 3:26:04 PM
token
Is capia1 the domain name?

I'm not familiar with ADAM, but I don't believe it is a problem. If you got the SAME error message, it simply means that the group account to which you want to assign the permission isn't in the correct format. The only format I've used is in the form of domain\account. Make sure the domain name is correct. You could also try the DNS domain.

(in reply to byarnell)
Post #: 23

Re: Modify Active Directory ACL for a Group - 3/22/2005 5:59:08 PM
chan_fookmun
Hello token,
my domain is capd.com and capia1.capd.com is the name of the computer on which I have installed ADAM. As far as I know, ADAM does not need any DNS configuration as it is running as a Windows service rather than an OS....

(in reply to byarnell)
Post #: 24

Re: Modify Active Directory ACL for a Group - 3/23/2005 2:07:22 AM
token
Ah, have you tried

ace.trustee = "capd\grouptest" ?

(in reply to byarnell)
Post #: 25

Re: Modify Active Directory ACL for a Group - 3/23/2005 3:58:22 PM
chan_fookmun
Hi token,
it does not help either....
Do you have any useful URLs so that I can read more on the ACL?
Thanks

(in reply to byarnell)
Post #: 26

Re: Modify Active Directory ACL for a Group - 3/23/2005 5:27:51 PM
token
hmm.. What was the exact error message you got?

If you want more info on ADAM and related topics, check out MSDN at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adam/adam/active_directory_application_mode.asp

(in reply to byarnell)
Post #: 27

Re: Modify Active Directory ACL for a Group - 3/23/2005 5:52:14 PM
chan_fookmun
The error which I receive is "The security ID structure is invalid" at (14,1) based on my previous code.... No matter how I change the value of ace.trustee, the error remains there.

Hope there are people who have experienced a similar error and can provide me some guidelines...

Thanks a lot

(in reply to byarnell)
Post #: 28

Re: Modify Active Directory ACL for a Group - 3/23/2005 7:25:31 PM
token
hmm... Unless it is something specific to ADAM, I can't think of anything else. Does the group account named grouptest actually exist? The same script worked on different machines in two different domains that I tested. The only other thing I can think of is to capitalize the domain name, but I don't see why that would make a difference.

(in reply to byarnell)
Post #: 29

Re: Modify Active Directory ACL for a Group - 3/28/2005 2:57:01 PM
chan_fookmun
Hi token,
check out the URL:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adam/adam/adsi_element_differences.asp

Actually the value of the trustee should be the SID of the object which is being trusted in ADAM.

However, when I try to update the ACL on disk, e.g. using the SetInfo method, I get the error
"(15,1) (null):The server is unwilling to process the request"

What can be the problem?
Is it related to the settings of my OS, which is Windows XP?

Here is my updated code:

Option Explicit
Dim ou, sd, dacl, ace

' Bind to the group object in the ADAM instance listening on port 389
Set ou = GetObject("LDAP://capia1.capd.com:389/CN=grouptest,CN=Roles,O=KKK,C=SG")

' Read the security descriptor and take its DACL
Set sd = ou.Get("ntSecurityDescriptor")
Set dacl = sd.DiscretionaryAcl

' Build the new ACE
Set ace = CreateObject("AccessControlEntry")
ace.Trustee = "S-1-491339992-4003172615-1602629719-1240442435-3838501249-1630502247" ' SID of the trusted object, in string form
ace.AccessMask = &H80000000 ' ADS_RIGHT_GENERIC_READ
ace.AceFlags = &H3          ' ACE flags as posted (&H2 = ADS_ACEFLAG_INHERIT_ACE)
ace.AceType = 0             ' ADS_ACETYPE_ACCESS_ALLOWED

' Add the ACE, put the DACL back into the descriptor and commit it
dacl.AddAce ace
sd.DiscretionaryAcl = dacl
ou.Put "ntSecurityDescriptor", sd
ou.SetInfo 'problem lies here

WScript.Echo "Success"

(in reply to byarnell)
Post #: 30
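The trustee string and the three ACE field values in the script above can be checked offline before anything is written to a directory. The following Python script is an added example and is not code from this thread or from Microsoft: it validates an SDDL-style SID string against the SID structure (revision 1, a 48-bit identifier authority, at most 15 32-bit sub-authorities), converts it to and from the binary form stored in an objectSid attribute, and decodes AccessMask, AceFlags and AceType into their ADS_RIGHTS_ENUM, ADS_ACEFLAG_ENUM and ADS_ACETYPE_ENUM names. The SID and ACE values are the ones from the posted script; the function names are this example's own.

```python
import struct

# Bit values from the ADSI enumerations (names as in the SDK headers).
ADS_RIGHTS = {
    0x1: "ADS_RIGHT_DS_CREATE_CHILD", 0x2: "ADS_RIGHT_DS_DELETE_CHILD",
    0x4: "ADS_RIGHT_ACTRL_DS_LIST", 0x8: "ADS_RIGHT_DS_SELF",
    0x10: "ADS_RIGHT_DS_READ_PROP", 0x20: "ADS_RIGHT_DS_WRITE_PROP",
    0x40: "ADS_RIGHT_DS_DELETE_TREE", 0x80: "ADS_RIGHT_DS_LIST_OBJECT",
    0x100: "ADS_RIGHT_DS_CONTROL_ACCESS", 0x10000: "ADS_RIGHT_DELETE",
    0x20000: "ADS_RIGHT_READ_CONTROL", 0x40000: "ADS_RIGHT_WRITE_DAC",
    0x80000: "ADS_RIGHT_WRITE_OWNER", 0x100000: "ADS_RIGHT_SYNCHRONIZE",
    0x1000000: "ADS_RIGHT_ACCESS_SYSTEM_SECURITY", 0x10000000: "ADS_RIGHT_GENERIC_ALL",
    0x20000000: "ADS_RIGHT_GENERIC_EXECUTE", 0x40000000: "ADS_RIGHT_GENERIC_WRITE",
    0x80000000: "ADS_RIGHT_GENERIC_READ",
}
ADS_ACEFLAGS = {
    0x2: "ADS_ACEFLAG_INHERIT_ACE", 0x4: "ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE",
    0x8: "ADS_ACEFLAG_INHERIT_ONLY_ACE", 0x10: "ADS_ACEFLAG_INHERITED_ACE",
    0x40: "ADS_ACEFLAG_SUCCESSFUL_ACCESS", 0x80: "ADS_ACEFLAG_FAILED_ACCESS",
}
ADS_ACETYPES = {
    0: "ADS_ACETYPE_ACCESS_ALLOWED", 1: "ADS_ACETYPE_ACCESS_DENIED",
    2: "ADS_ACETYPE_SYSTEM_AUDIT", 5: "ADS_ACETYPE_ACCESS_ALLOWED_OBJECT",
    6: "ADS_ACETYPE_ACCESS_DENIED_OBJECT", 7: "ADS_ACETYPE_SYSTEM_AUDIT_OBJECT",
}


def parse_sid(text):
    """Split 'S-R-IA-SA1-...-SAn' into (revision, authority, [sub-authorities]).
    Raises ValueError for anything that does not fit the SID structure."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not an S-R-IA-... string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subauthorities = [int(p) for p in parts[3:]]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if authority >= 1 << 48:
        raise ValueError("identifier authority does not fit in 48 bits")
    if len(subauthorities) > 15:
        raise ValueError("more than 15 sub-authorities")
    if any(sa >= 1 << 32 for sa in subauthorities):
        raise ValueError("sub-authority does not fit in 32 bits")
    return revision, authority, subauthorities


def is_valid_sid(text):
    """True if the string is a structurally valid SID."""
    try:
        parse_sid(text)
    except ValueError:
        return False
    return True


def sid_to_bytes(text):
    """Encode a SID string as the binary SID structure: revision byte, sub-authority
    count, 6-byte big-endian authority, then little-endian 32-bit sub-authorities."""
    revision, authority, subs = parse_sid(text)
    return (struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def bytes_to_sid(blob):
    """Decode a binary SID (e.g. an objectSid value) back to its string form."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def decode_ace(access_mask, ace_flags, ace_type):
    """Name the bits of an ADSI ACE; bits outside the enumerations are reported, not dropped."""
    mask = access_mask & 0xFFFFFFFF  # VBScript's &H80000000 is a negative Long
    known_rights = 0
    for bit in ADS_RIGHTS:
        known_rights |= bit
    known_flags = 0
    for bit in ADS_ACEFLAGS:
        known_flags |= bit
    return {
        "type": ADS_ACETYPES.get(ace_type, "UNKNOWN(%d)" % ace_type),
        "rights": [n for b, n in sorted(ADS_RIGHTS.items()) if mask & b],
        "unknown_mask_bits": mask & ~known_rights & 0xFFFFFFFF,
        "flags": [n for b, n in sorted(ADS_ACEFLAGS.items()) if ace_flags & b],
        "unknown_flag_bits": ace_flags & ~known_flags & 0xFF,
    }


if __name__ == "__main__":
    # Values taken from the posted script.
    trustee = "S-1-491339992-4003172615-1602629719-1240442435-3838501249-1630502247"
    print("trustee structurally valid:", is_valid_sid(trustee))
    print("binary round trip ok:", bytes_to_sid(sid_to_bytes(trustee)) == trustee)
    print("ACE:", decode_ace(-0x80000000, 0x3, 0))
```

Run stand-alone it reports that the posted SID string passes the structural checks and survives a binary round trip, that AccessMask resolves to ADS_RIGHT_GENERIC_READ, and that AceFlags = &H3 has bit &H1 set, which is not one of the ADS_ACEFLAG_ENUM values; the decoder lists it under unknown_flag_bits rather than silently dropping it.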
 
 Re: Modify Active Directory ACL for a Group - 3/29/2005 11:17:01 AM   
token
Do you have a URL regarding the syntax of the following line?

Set ou = GetObject("LDAP://capia1.capd.com:389/CN=grouptest,CN=Roles,O=KKK,C=SG")

My guess would be that it is possible that ADAM requires a different syntax for binding to an object and/or a different syntax for specifying the access mask, ACE type etc.

The line above isn't exactly correct for binding to an object for non-ADAM; I don't know if it is correct for binding to ADAM objects. Based on what you specified above, "Roles" is a GROUP, which can NOT contain an object called "Grouptest". Only container objects can contain objects. Container objects are OU, domain etc.

(in reply to byarnell)
Post #: 31

Re: Modify Active Directory ACL for a Group - 3/29/2005 12:00:55 PM
chan_fookmun
Hi token,
actually, in my previous example "Roles" is a container in ADAM and "grouptest" is a group in "Roles".

My concern is that the previous example can work on an ADAM instance on Windows Server 2003 but not on an ADAM instance on Windows XP (SP2).

So what I am thinking is: must I explicitly change the settings in Windows XP to make it work?

Since the code is able to work on Server 2003, that means the algorithm is correct and hence I suppose the OS is the problem.

Hope someone has encountered a similar problem before and would like to share his or her experience...

Thanks

(in reply to byarnell)
Post #: 32

Re: Modify Active Directory ACL for a Group - 3/29/2005 12:12:01 PM
token
Is "Roles" a group or an OU? If it is an OU, you have to change the CN in front of it to OU (or O in ADAM, I assume).

Could you try the following to see if the variable OU is indeed what you wanted.

wscript.echo typename(OU) & vbtab & isnull(OU) & vbtab & isempty(OU)

(in reply to byarnell)
Post #: 33

Re: Modify Active Directory ACL for a Group - 3/29/2005 12:48:53 PM
chan_fookmun
Hi token,
"Roles" is really a container object in ADAM. A container is an object in ADAM and so is an organizationalUnit. There is nothing wrong with the LDAP path since it is able to work on Windows Server 2003. I believe Windows XP SP2 has some security settings which forbid the modification of the ACL.

(in reply to byarnell)
Post #: 34

Re: Modify Active Directory ACL for a Group - 3/29/2005 4:14:46 PM
token
What did the typename and the others say about the variable called OU?

I don't believe XP, or even SP2, has anything to do with modification of the ACL. You are allowed to modify the ACL of an object if you are granted the "Modify Permissions" permission for the object whose ACL you wish to modify.

(in reply to byarnell)
Post #: 35

Re: Modify Active Directory ACL for a Group - 3/29/2005 5:45:03 PM
chan_fookmun
Ya, it's true... The ADSI methods and properties can only work on Windows Server 2003 or Windows 2000 Server.

See the "Requirements" section of this URL:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_rights_enum.asp

:)

(in reply to byarnell)
Post #: 36

Re: Modify Active Directory ACL for a Group - 3/29/2005 11:17:50 PM
token
Do you not have a Windows 2000 or 2003 Server as a DC? If so, that shouldn't be a problem. On the client side, Windows 2000 and XP are both supported too. Again, could you post the results returned by wscript.echo typename(OU) & vbtab & isnull(OU) & vbtab & isempty(OU)? Also, open the Active Directory Users and Computers tool and check the property page of the group "GroupTest". Go into the Object tab and copy/paste the value found in the "Canonical name of the object" field.

(in reply to byarnell)
Post #: 37

Re: Modify Active Directory ACL for a Group - 3/30/2005 12:11:52 PM
chan_fookmun
Hi token,
I think there are some differences between ADAM and AD. ADAM runs as a Windows service and not an OS. There is no "Active Directory Users and Computers" tool in ADAM. It only has the "ADAM ADSI Edit" tool for use.

What I am doing is treating Windows XP as both the client and the server for testing.

As such, the execution of the ADSI methods cannot be fulfilled.

(in reply to byarnell)
Post #: 38

Re: Modify Active Directory ACL for a Group - 3/30/2005 12:25:10 PM
token
Are you able to find the precise path for the object named Grouptest from ADSI Edit? If so, could you post the path found?

(in reply to byarnell)
Post #: 39

Re: Modify Active Directory ACL for a Group - 3/30/2005 3:58:08 PM
chan_fookmun
Hi token,
if by the path of "grouptest" you mean the distinguished name, then it is CN=grouptest,CN=Roles,O=KKK,C=SG. The "Roles" here is just a container.

(in reply to byarnell)
Post #: 40