  1. #1
    meastaugh1's Avatar

    Script to set active directory object security

    Hi,

    With reference to this post, I need some script to revoke the ACE for Everyone on a contact object, preferably recursively for all objects in an OU/child OUs.

    I've tried searching for something similar, but no luck so far. Can anyone help?

    cheers

  2. #2


    Re: Script to set active directory object security

    I threw this together mostly via cut-paste from a couple of my ADSI scripts. It's JScript, definitely not production-quality but should work. Change the ADPath to point to your parent OU and run as Admin.

    Code:
    var cTarget = "Everyone";                                // trustee whose ACEs are removed
    var cADPath = "LDAP://OU=someou,DC=school,DC=internal";  // parent OU to start from
    
    ScanOU(GetObject(cADPath));
    
    // Walk the container: process contact objects, recurse into child OUs
    function ScanOU(oOU)
    {
    	var e = new Enumerator(oOU);
    	while(!e.atEnd())
    	{
    		if ( e.item().Class == "contact") RemoveACE(e.item());
    		if ( e.item().Class == "organizationalUnit") ScanOU(e.item());
    		e.moveNext();
    	}
    }
    
    // Remove every ACE whose trustee is cTarget from the object's DACL
    function RemoveACE(oC)
    {
    	var sd = oC.Get("ntSecurityDescriptor");
    	var dacl = sd.DiscretionaryAcl;
    	var e	= new Enumerator(dacl);
    	while(!e.atEnd())
    	{
    		if (e.item().Trustee == cTarget) dacl.RemoveAce(e.item());
    		e.moveNext();
    	}
    	// Write the modified DACL back to the directory object
    	sd.DiscretionaryAcl = dacl;
    	oC.Put("ntSecurityDescriptor",sd);
    	oC.SetInfo();
    }

    There's enough there for any competent VBSer to translate, make more efficient, informative, bombproof etc.

  3. #3
    meastaugh1's Avatar

    Re: Script to set active directory object security

    Thank you, I'll give it a go.

  4. #4


    Re: Script to set active directory object security

    A slight modification just in case what you really wanted was existing Authenticated User ACEs on contact objects changed into ACEs for "my group" ;b

    Code:
    var cOldTrustee = "nt authority\\authenticated users";	//must be lower case
    var cNewTrustee = "DOMAIN\\My Group";                    //change this to your domain & group
    var cADPath = "LDAP://OU=someou,DC=school,DC=internal";  //change this for your AD path
    
    ScanOU(GetObject(cADPath));
    
    // Walk the container: process contact objects, recurse into child OUs
    function ScanOU(oOU)
    {
    	var e = new Enumerator(oOU);
    	while(!e.atEnd())
    	{
    		if ( e.item().Class == "contact") ReplaceACE(e.item());
    		if ( e.item().Class == "organizationalUnit") ScanOU(e.item());
    		e.moveNext();
    	}
    }
    
    // Re-point every ACE held by cOldTrustee at cNewTrustee, leaving the rights as they are
    function ReplaceACE(oC)
    {
    	var sd = oC.Get("ntSecurityDescriptor");
    	var dacl = sd.DiscretionaryAcl;
    	var e	= new Enumerator(dacl);
    	while(!e.atEnd())
    	{
    		if (e.item().Trustee.toLowerCase() == cOldTrustee) e.item().Trustee = cNewTrustee;
    		e.moveNext();
    	}
    	// Write the modified DACL back to the directory object
    	sd.DiscretionaryAcl = dacl;
    	oC.Put("ntSecurityDescriptor",sd);
    	oC.SetInfo();
    }
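
A dry run of the two changes scripted in this thread (removing Everyone ACEs, and re-pointing Authenticated Users ACEs at a group), as an added example that is not part of the original posts. It works on the SDDL text form of a security descriptor instead of ADSI objects; the sample descriptor and the group SID are constructed, and leaving inherited ACEs untouched is this example's own choice.

```javascript
// SDDL trustee aliases: WD = Everyone, AU = Authenticated Users.
const EVERYONE = "WD", AUTH_USERS = "AU";

// Split an SDDL string into owner/group head, DACL flags, DACL ACEs and tail (SACL).
// Assumption: no conditional ACEs (they nest parentheses and are not handled here).
function parseSddl(sddl) {
  const m = /^(.*?)D:([A-Z]*)((?:\([^()]*\))*)(.*)$/.exec(sddl);
  if (!m) throw new Error("no DACL in SDDL string");
  const aces = (m[3].match(/\([^()]*\)/g) || []).map((text) => {
    const [type, flags, rights, objGuid, inhGuid, trustee] = text.slice(1, -1).split(";");
    return { type, flags, rights, objGuid, inhGuid, trustee };
  });
  return { head: m[1], daclFlags: m[2], aces, tail: m[4] };
}

const aceText = (a) =>
  "(" + [a.type, a.flags, a.rights, a.objGuid, a.inhGuid, a.trustee].join(";") + ")";
const toSddl = (sd) => sd.head + "D:" + sd.daclFlags + sd.aces.map(aceText).join("") + sd.tail;

// Inherited ACEs carry the ID flag; they are defined on a parent container,
// so the plan reports them instead of touching them on the child object.
const isInherited = (a) => a.flags.includes("ID");

// Dry run of the removal: which ACEs for `trustee` would go, and the resulting SDDL.
function planRemoval(sddl, trustee) {
  const sd = parseSddl(sddl);
  const hits = sd.aces.filter((a) => a.trustee === trustee);
  const removed = hits.filter((a) => !isInherited(a));
  sd.aces = sd.aces.filter((a) => !removed.includes(a));
  const inherited = hits.filter(isInherited).map(aceText);
  return { removed: removed.map(aceText), inherited, after: toSddl(sd) };
}

// Dry run of the trustee swap: explicit ACEs for oldTrustee are re-pointed at newTrustee.
function planReplace(sddl, oldTrustee, newTrustee) {
  const sd = parseSddl(sddl);
  let changed = 0;
  for (const a of sd.aces) {
    if (a.trustee === oldTrustee && !isInherited(a)) { a.trustee = newTrustee; changed++; }
  }
  return { changed, after: toSddl(sd) };
}

// Constructed sample descriptor for a contact object (not taken from the thread).
const SAMPLE = "O:DAG:DAD:AI(A;;RP;;;WD)(A;;RPLCRC;;;AU)(A;CIID;RP;;;WD)(A;;RPWPCCDCLCSWRCWDWOSD;;;DA)";
// Constructed placeholder SID standing in for DOMAIN\My Group.
const GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105";
```

Comparing `removed` and `inherited` before running the real script shows which Everyone entries are set on the contact itself and which come from a parent OU.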

  5. #5
    meastaugh1's Avatar

    Re: Script to set active directory object security

    Fantastic! Thanks very much for your help.
