Script to set active directory object security

**meastaugh1** · 29th December 2006, 11:48 AM

Hi,

With reference to this post, I need some script to revoke the ACE for Everyone on a contact object, preferably recursively for all objects in an OU/child OUs.

I've tried searching for something similar, but no luck so far. Can anyone help?

cheers

**PiqueABoo** · 30th December 2006, 01:12 PM

I threw this together mostly via cut-paste from a couple of my ADSI scripts. It's JScript, definitely not production-quality but should work. Change the ADPath to point to your parent OU and run as Admin.

Code:

var cTarget = "Everyone";
var cADPath = "LDAP://OU=someou,DC=school,DC=internal";

ScanOU(GetObject(cADPath));

function ScanOU(oOU)
{
	var e = new Enumerator(oOU);
	while(!e.atEnd())	
	{
		if ( e.item().Class == "contact") RemoveACE(e.item());
		if ( e.item().Class == "organizationalUnit") ScanOU(e.item());	
		e.moveNext();
	}
}

function RemoveACE(oC)
{
	var sd = oC.Get("ntSecurityDescriptor");
	var dacl = sd.DiscretionaryAcl;
	var e	= new Enumerator(dacl);	
	while(!e.atEnd())
	{
		if (e.item().Trustee == cTarget) dacl.RemoveAce(e.item());
		e.moveNext();
	}	
	sd.DiscretionaryAcl = dacl;
	oC.Put("ntSecurityDescriptor",sd);
	oC.SetInfo();	
}

There's enough there for any competent VBSer to translate, make more efficient, informative, bombproof etc.

**meastaugh1** · 30th December 2006, 01:40 PM

Thank you, I'll give it a go.

**PiqueABoo** · 4th January 2007, 10:05 PM

A slight modification just in case what you really wanted was existing Authenticated User ACEs on contact objects changed into ACEs for "my group" ;b

Code:

var cOldTrustee = "nt authority\\authenticated users";	//must be lower case
var cNewTrustee = "DOMAIN\\My Group";                    //change this to your domain & group
var cADPath = "LDAP://OU=someou,DC=school,DC=internal";  //change this for your AD path

ScanOU(GetObject(cADPath));

function ScanOU(oOU)
{
	var e = new Enumerator(oOU);
	while(!e.atEnd())	
	{
		if ( e.item().Class == "contact") ReplaceACE(e.item());
		if ( e.item().Class == "organizationalUnit") ScanOU(e.item());	
		e.moveNext();
	}
}

function ReplaceACE(oC)
{
	var sd = oC.Get("ntSecurityDescriptor");
	var dacl = sd.DiscretionaryAcl;
	var e	= new Enumerator(dacl);	
	while(!e.atEnd())
	{
		if (e.item().Trustee.toLowerCase() == cOldTrustee) e.item().Trustee = cNewTrustee;
		e.moveNext();
	}	
	sd.DiscretionaryAcl = dacl;
	oC.Put("ntSecurityDescriptor",sd);
	oC.SetInfo();	
}

**meastaugh1** · 5th January 2007, 05:28 AM

Fantastic! Thanks very much for your help.

LinkBack

Thread Tools

Search Thread

Script to set active directory object security

Re: Script to set active directory object security

Re: Script to set active directory object security

Re: Script to set active directory object security

Re: Script to set active directory object security

Similar Threads

Active Directory-Script for Creating Bulk Users

Active Directory Explorer

PDA and Active Directory

script for active directory

Active Directory Design

Thread Information

Users Browsing this Thread

Posting Permissions