Modify Active Directory ACL for a Group

Modify Active Directory ACL for a Group - 2/22/2005 1:40:16 PM
byarnell
Hi All,

I am in need of a script and I have not seen the syntax posted elsewhere. We have ~80 domains in our enterprise and all of these are children of the parent domain. In each domain, we have the same AD layout with regard to OUs and common groups. I need to modify the ACL for a global group in a different domain than our HQ. More specifically, I need to add a group in x.domain.com to the ACL of a group in y.domain.com with FULL CONTROL access rights.

Does anyone have any code that they could share to do this? I know about DSACLS, but I would prefer to use VBScript if at all possible. Thanks!

Post #: 1

Re: Modify Active Directory ACL for a Group - 2/22/2005 1:43:52 PM
token
I don't understand what you are saying: groups don't have ACLs; resources DO. Could you give us some examples with meaningful names?

(in reply to byarnell)

Post #: 2

Re: Modify Active Directory ACL for a Group - 2/23/2005 4:06:25 AM
esnmb
Check out the Res Kit Tool SubInACL.exe.

(in reply to byarnell)

Post #: 3

Re: Modify Active Directory ACL for a Group - 2/25/2005 1:42:22 PM
byarnell
Sorry that was unclear, I should have said "modify the ACL to add a group from a different domain..."

I need to have the script run from domain x.domain.com against other domains (yy.domain.com) where we have a standard OU containing standard groups, i.e. an "Applications" OU containing a "Software Deployment" group. In this example, I need to add a security group from x.domain.com to the ACL of the "Software Deployment" group in the other domains. The permission also needs to be Full Control over the "Software Deployment" group.

esnmb...thanks for the tip, but that doesn't look like it will do the job. Either that, or I didn't see how it could help.

Anyone else have any ideas?

(in reply to byarnell)

Post #: 4

Re: Modify Active Directory ACL for a Group - 2/25/2005 2:39:56 PM
token
I still don't quite get what you are saying. Here is my understanding so far. You want to add a security group from one of the 80 domains to a security group in all of the other 79 domains? I am assuming you are running AD in native mode? If so, what are the scopes of these groups: the scope of the group to be added to the others, and the scope of the groups that will have this specific group as a member?

When a security group (Group A) from one domain is added to the security groups (Group1, Group2, ... Group79) of other domains, what do you mean by F/C of those groups (Group1...79)? Like I said before, you need a RESOURCE for the permission to be applied to. Where are the resources?

I got a feeling that either you didn't explain what you want clearly, or you have no idea what you are talking about.

(in reply to byarnell)

Post #: 5

Re: Modify Active Directory ACL for a Group - 2/27/2005 6:36:08 AM
byarnell
You are not getting what I am asking. So, one more shot at it:

Yes, we are in native mode. I need to modify the membership of a domain local Group A in domain A to include a universal Group B from domain B. Group B also has to have full control of Group A. Check the security tab of any group in AD and I think this should be clear.

(in reply to byarnell)

Post #: 6

Re: Modify Active Directory ACL for a Group - 2/27/2005 6:44:24 PM
token
The following script will add a universal group into a domain local group from the same domain (you can easily modify it to reflect the actual group, OU, or domain). It will also grant universal group F/C permission to the domain local group object in AD.
================================================================================
Option Explicit
Dim DLPath, UPath, DL, member, found, sd, dacl, ace
' ADsPaths of the domain local group (the target object) and the universal group
' (to become a member of, and a trustee on, the domain local group)
DLPath = "LDAP://cn=domain local,ou=level 2,ou=level 1,dc=mydomain,dc=com"
UPath = "LDAP://cn=universal,ou=level 2,ou=level 1,dc=mydomain,dc=com"
Set DL = GetObject(DLPath)
' The group object's security descriptor and its DACL, through the ADSI security interfaces
Set sd = DL.Get("ntSecurityDescriptor")
Set dacl = sd.DiscretionaryAcl
Set ace = CreateObject("AccessControlEntry")
found = False

' Skip the membership change if the universal group is already a member
For Each member In DL.Members
    If UCase(member.ADsPath) = UCase(UPath) Then
        WScript.Echo """" & member.cn & """ already exists in """ & DL.cn & """"
        found = True
        Exit For
    End If
Next
If found = False Then
    DL.Add UPath
    DL.SetInfo
    ' Allowed ACE with every mask bit set (Full Control) for the universal group,
    ' inherited by child objects (CONTAINER_INHERIT_ACE = &H2)
    ace.AccessMask = -1
    ace.AceType = 0      ' ADS_ACETYPE_ACCESS_ALLOWED
    ace.AceFlags = &H2
    ' Trustee given by name; ADSI resolves it to the group's SID when the descriptor is written
    ace.Trustee = GetObject(UPath).cn
    dacl.AddAce ace
    sd.DiscretionaryAcl = dacl
    DL.Put "ntSecurityDescriptor", sd
    DL.SetInfo
    WScript.Echo """" & GetObject(UPath).cn & """ successfully added to """ & DL.cn & """"
End If

(in reply to byarnell)

Post #: 7
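An added example, not token's script and not from this thread: the same two changes (membership plus a Full Control ACE on the group object) written so the script can be re-run safely across domains. It uses the DOMAIN\name trustee form, adds the ACE only when an equivalent allow ACE is not already in the DACL, and prints the resulting DACL so the change can be reviewed. The domain names, DNs and group names are assumed placeholders, and the Full Control mask &HF01FF is the specific-rights form DSACLS reports for directory objects.

```vbscript
' Added example (not from the thread): idempotent membership + ACE change on a
' domain local group, with the DACL printed afterwards for review.
Option Explicit

Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACEFLAG_INHERIT_ACE    = &H2      ' CONTAINER_INHERIT_ACE
Const DS_FULL_CONTROL            = &HF01FF  ' all DS-specific + standard rights ("Full Control")

' Assumed placeholder paths: domain local group in domain A, universal group in domain B
Dim targetPath, memberPath, trusteeName
targetPath  = "LDAP://dcA.domaina.com/CN=Software Deployment,OU=Applications,DC=domaina,DC=com"
memberPath  = "LDAP://dcB.domainb.com/CN=UniversalGroupB,OU=Applications,DC=domainb,DC=com"
trusteeName = "DOMAINB\UniversalGroupB"   ' DOMAIN\name resolves across trusting domains

Dim grp, sd, dacl, ace
Set grp  = GetObject(targetPath)
Set sd   = grp.Get("ntSecurityDescriptor")
Set dacl = sd.DiscretionaryAcl

' 1. Membership: add Group B only if it is not already a member.
If Not grp.IsMember(memberPath) Then
    grp.Add memberPath
    grp.SetInfo
End If

' 2. DACL: add the ACE only if an equivalent allow ACE is not already present,
'    so re-running the script does not pile up duplicate entries.
If Not HasAllowAce(dacl, trusteeName, DS_FULL_CONTROL) Then
    Set ace = CreateObject("AccessControlEntry")
    ace.Trustee    = trusteeName
    ace.AccessMask = DS_FULL_CONTROL
    ace.AceType    = ADS_ACETYPE_ACCESS_ALLOWED
    ace.AceFlags   = ADS_ACEFLAG_INHERIT_ACE
    dacl.AddAce ace
    sd.DiscretionaryAcl = dacl
    grp.Put "ntSecurityDescriptor", sd
    grp.SetInfo
End If

' 3. Review: re-read the object and list its DACL.
PrintDacl grp

' True if the DACL already holds an allow ACE for the trustee covering every bit of mask.
Function HasAllowAce(acl, trustee, mask)
    Dim e
    HasAllowAce = False
    For Each e In acl
        If e.AceType = ADS_ACETYPE_ACCESS_ALLOWED Then
            If UCase(e.Trustee) = UCase(trustee) And (e.AccessMask And mask) = mask Then
                HasAllowAce = True
                Exit Function
            End If
        End If
    Next
End Function

' Print type, mask, flags and trustee of each ACE after refreshing the property cache.
Sub PrintDacl(obj)
    Dim d, e
    obj.GetInfo
    Set d = obj.Get("ntSecurityDescriptor").DiscretionaryAcl
    For Each e In d
        WScript.Echo e.AceType & vbTab & Hex(e.AccessMask) & vbTab & Hex(e.AceFlags) & vbTab & e.Trustee
    Next
End Sub
```

Run it as a principal that can write the group's ntSecurityDescriptor in domain A; the final listing is the place to confirm that exactly one new entry appeared and that it names the intended trustee.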
 
Re: Modify Active Directory ACL for a Group - 3/1/2005 11:54:40 AM
byarnell
Thanks Token, I'll check this out and let you know if I run into any problems.

(in reply to byarnell)

Post #: 8

Re: Modify Active Directory ACL for a Group - 3/1/2005 11:56:32 AM
token
Sure, no problem :)

(in reply to byarnell)

Post #: 9

Re: Modify Active Directory ACL for a Group - 3/17/2005 8:12:20 PM
chan_fookmun
Hi, I have a question regarding ACLs. If I create a new group and I want to assign some rights to the group (not using DSACLS.exe) using VBScript, how do I tackle the problem? (Assuming the new group has no rights at all by default.)

Thanks a lot

(in reply to byarnell)

Post #: 10

Re: Modify Active Directory ACL for a Group - 3/18/2005 2:04:13 AM
token
By "rights", do you mean NTFS permissions? You said the new group has absolutely no rights at all by default; does that mean permission inheritance is disabled at the parent?

What exactly do you intend to do? You might want to give some examples, since different resources might require different approaches.

(in reply to byarnell)

Post #: 11

Re: Modify Active Directory ACL for a Group - 3/20/2005 11:41:01 AM
chan_fookmun
Yes, assume that the group is isolated from other groups and I want to assign some permissions to the group, such as read access. After that I will add users to the group, who will inherit the read access from the group.

(in reply to byarnell)

Post #: 12

Re: Modify Active Directory ACL for a Group - 3/20/2005 12:26:47 PM
token
If you could give us some examples as to what type of resources you want to add the group to, maybe I could help.

(in reply to byarnell)

Post #: 13

Re: Modify Active Directory ACL for a Group - 3/20/2005 1:27:13 PM
chan_fookmun
Err, how do you define the term "resources"? Pardon me, as I have not been exposed to this keyword.

I hope you can help me clear my doubts and understand the problem better.

Thank you.

(in reply to byarnell)

Post #: 14

Re: Modify Active Directory ACL for a Group - 3/20/2005 1:58:09 PM
token
You said you want to assign some permission to the group, such as read access. Could you give us some examples of the resources that you want to allow the group read access to?

e.g. a shared folder, a local directory, a registry key, or perhaps another group

(in reply to byarnell)

Post #: 15

Re: Modify Active Directory ACL for a Group - 3/20/2005 2:16:15 PM
chan_fookmun
OK, so if the resources I am referring to are the users' particulars, for example users' telephone numbers and names, then how do I go about tackling the problem?

Thanks a lot

(in reply to byarnell)

Post #: 16

Re: Modify Active Directory ACL for a Group - 3/20/2005 2:51:36 PM
token
hmm... I'm still not sure exactly what you want to do. Do you want to give this group the ability to modify AD user accounts properties ?

If not, you will have to give us some examples.

(in reply to byarnell)

Post #: 17

Re: Modify Active Directory ACL for a Group - 3/21/2005 4:11:17 PM
chan_fookmun
Actually, I am using the application mode of AD (ADAM). I need to set specific rights on the group so that when I add users as members of the group, the members inherit the rights as well.

The rights may be generic read access to an OU.....

(in reply to byarnell)

Post #: 18

Re: Modify Active Directory ACL for a Group - 3/21/2005 5:13:09 PM
token
Could you give *specific* examples?

e.g. "GroupA" has READ access permission to a resource of the shared-folder type named "\\server\share". The resource type is important because different resource types have different security requirements.

I have been asking for *specific* examples since the beginning and I still haven't got any REAL answers yet. Based on what you gave me, this is what I can offer.

To grant a group (called GroupA) Generic Read access to an OU called TestOU, you can do the following.

Option Explicit
Dim ou, sd, dacl, ace
Set ou = GetObject("LDAP://OU=TestOU,DC=mydomain,DC=com")
' Read the OU's security descriptor and its DACL
Set sd = ou.Get("ntSecurityDescriptor")
Set dacl = sd.DiscretionaryAcl
Set ace = CreateObject("AccessControlEntry")

ace.Trustee = "mydomain\GroupA"       ' DOMAIN\name form, resolved to the group's SID on write
ace.AccessMask = &H80000000           ' ADS_RIGHT_GENERIC_READ
ace.AceFlags = &H3                    ' OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE: child objects inherit it
ace.AceType = 0                       ' ADS_ACETYPE_ACCESS_ALLOWED
dacl.AddAce ace
sd.DiscretionaryAcl = dacl
ou.Put "ntSecurityDescriptor", sd     ' place the modified descriptor in the property cache
ou.SetInfo                            ' commit it to the directory

(in reply to byarnell)

Post #: 19

Re: Modify Active Directory ACL for a Group - 3/22/2005 11:36:02 AM
chan_fookmun
Hello token,
the code which you have given me does not seem to work on my instance of ADAM. I have an OU (OU=student,O=KKK,C=SG) and I want to grant generic read access on this OU to a group (CN=grouptest,CN=Roles,O=KKK,C=SG).
The error which I receive is "The security ID structure is invalid" at (14,1).
Here is my code:

Option Explicit
Dim ou, sd, dacl, ace
' ADAM instance, with the explicit server and port in the ADsPath
Set ou = GetObject("LDAP://capia1.capd.com:389/OU=student,O=KKK,C=SG")
Set sd = ou.Get("ntSecurityDescriptor")
Set dacl = sd.DiscretionaryAcl
Set ace = CreateObject("AccessControlEntry")

ace.Trustee = "CN=grouptest,CN=Roles,O=KKK,C=SG"   ' trustee given as the ADAM group's DN
ace.AccessMask = &H80000000                        ' ADS_RIGHT_GENERIC_READ
ace.AceFlags = &H3                                 ' OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE
ace.AceType = 0                                    ' ADS_ACETYPE_ACCESS_ALLOWED
dacl.AddAce ace
sd.DiscretionaryAcl = dacl
ou.Put "ntSecurityDescriptor", sd                  ' line 14 in the post's count: where (14,1) is reported
ou.SetInfo

Thanks for your help.....

(in reply to byarnell)

Post #: 20
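An added example, not from this thread or from any of its posters, showing the post #20 script with the trustee supplied as the ADAM group's SID string rather than its DN. It rests on two assumptions: that ADAM can resolve an ACE trustee only as a Windows account or as a SID, so an ADAM group must be referenced through its objectSid in "S-1-..." form; and that the ADSI security-descriptor conversion accepts such a string SID as the Trustee. The server, port and DNs are the ones given in post #20; the SID conversion routine is written here from the binary SID layout and is not an ADSI call.

```vbscript
' Added example (not from the thread): grant Generic Read on an ADAM OU to an
' ADAM group by using the group's SID string as the ACE trustee.
Option Explicit

Const ADS_RIGHT_GENERIC_READ       = &H80000000
Const ADS_ACETYPE_ACCESS_ALLOWED   = 0
Const INHERIT_OBJECT_AND_CONTAINER = &H3   ' OBJECT_INHERIT_ACE Or CONTAINER_INHERIT_ACE, as in post #20

Dim server, grp, sidText, ou, sd, dacl, ace
server = "LDAP://capia1.capd.com:389/"   ' ADAM instance from post #20

' Read the ADAM group's objectSid (binary) and render it as S-1-...
Set grp = GetObject(server & "CN=grouptest,CN=Roles,O=KKK,C=SG")
sidText = SidBytesToString(grp.Get("objectSid"))
WScript.Echo "Trustee SID: " & sidText

Set ou   = GetObject(server & "OU=student,O=KKK,C=SG")
Set sd   = ou.Get("ntSecurityDescriptor")
Set dacl = sd.DiscretionaryAcl

Set ace = CreateObject("AccessControlEntry")
ace.Trustee    = sidText                      ' assumption: string SID accepted here
ace.AccessMask = ADS_RIGHT_GENERIC_READ
ace.AceFlags   = INHERIT_OBJECT_AND_CONTAINER
ace.AceType    = ADS_ACETYPE_ACCESS_ALLOWED
dacl.AddAce ace
sd.DiscretionaryAcl = dacl
ou.Put "ntSecurityDescriptor", sd
ou.SetInfo

' Convert a binary SID (an objectSid octet string) to its S-R-I-S... text form.
' Layout: byte 1 revision, byte 2 sub-authority count, bytes 3-8 identifier
' authority (big-endian), then one 4-byte little-endian value per sub-authority.
' Arithmetic is done in Double so 32-bit sub-authorities do not overflow a Long.
Function SidBytesToString(sidBytes)
    Dim revision, count, authority, i, j, subAuth, text
    revision  = AscB(MidB(sidBytes, 1, 1))
    count     = AscB(MidB(sidBytes, 2, 1))
    authority = CDbl(0)
    For i = 3 To 8
        authority = authority * 256 + AscB(MidB(sidBytes, i, 1))
    Next
    text = "S-" & revision & "-" & CStr(authority)
    For i = 0 To count - 1
        subAuth = CDbl(0)
        For j = 3 To 0 Step -1   ' little-endian: the most significant byte is stored last
            subAuth = subAuth * 256 + AscB(MidB(sidBytes, 9 + i * 4 + j, 1))
        Next
        text = text & "-" & CStr(subAuth)
    Next
    SidBytesToString = text
End Function
```

The echoed SID is worth checking against the group's objectSid as shown in ADSI Edit or ldp before relying on the new entry; if ADAM still rejects the descriptor, the trustee string is the first thing to compare.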