Re: Setting inheritance on user object in AD
From: drudolph (drudolph.1e1qbp_at_news.webfrustration.com)
Date: 10/12/04
- Next message: tlviewer: "Re: Verify File System"
- Previous message: tlviewer: "Re: Verify File System"
- Next in thread: Al Dunbar [MS-MVP]: "Re: Setting inheritance on user object in AD"
- Reply: Al Dunbar [MS-MVP]: "Re: Setting inheritance on user object in AD"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 12 Oct 2004 20:28:35 +0100
I'm attempting to run the previously posted script (below) against a
folder on an NTFS system rather than a user in Active Directory. The
script toggles "allow inheritable permissions."
Can anyone point me in the right direction? I've tried replacing the
"LDAP://" with "file://" but to no avail.
Thanks.
Dave
Delmonik Contee Wrote:
> I'm posting the answer to my question for anyone that may have this
> question and happen to stumble on my posting. I actually sent an
> e-mail to a strong Engineer named Richard and he helped me out BIG
> time. Below is the pasted response that he sent directly to me.
> ---------------
> Hi,
>
> I've seen this question asked several times in the newsgroups, but I
> don't recall ever seeing an answer. The only VBScript code I found
> demonstrates how to read the security descriptor for a user object to
> determine whether "allow inheritable permissions from parent to
> propagate to this object" is enabled or disabled. The code is in the
> Technet Script Center at this link:
>
> http://tinyurl.com/4r98z
>
> Using this example, and other code I have for modifying the security
> descriptor for an object, I found that the VBScript program below will
> toggle this setting. That is, if "allow inheritable permissions" is
> enabled (as it is by default), this program will disable it. If it is
> disabled, the program will enable it. I have hard coded the
> Distinguished Name of the user object in the program. It should work
> for any object in Active Directory. If you need to modify the program,
> remember you would use the "And" operator to test a bit in
> intNtSecurityDescriptorControl, the "Or" operator to set a bit, and
> the "Xor" operator (as below) to toggle the bit. The constant
> SE_DACL_PROTECTED represents just one bit of
> intNtSecurityDescriptorControl.
>
> ========= VBScript program ===========
> ' VBScript program to toggle "allow inheritable permissions from
> ' parent to propagate to this object" on the Security tab of the
> ' object.
>
> Option Explicit
> Const SE_DACL_PROTECTED = &H1000
> Dim objUser, objNtSecurityDescriptor, intNtSecurityDescriptorControl
>
> ' Distinguished Name of user object hard coded.
> Set objUser = GetObject("LDAP://cn=TestUser,ou=Sales,dc=MyDomain,dc=com")
>
> ' Retrieve security descriptor object for this object.
> Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
>
> ' Retrieve control settings.
> intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control
>
> ' Toggle the bit for "allow inheritable permissions".
> intNtSecurityDescriptorControl = intNtSecurityDescriptorControl _
> Xor SE_DACL_PROTECTED
>
> ' Save control settings in the security descriptor object.
> objNtSecurityDescriptor.Control = intNtSecurityDescriptorControl
>
> ' Save the security descriptor object.
> objUser.Put "ntSecurityDescriptor", objNtSecurityDescriptor
>
> ' Update the user object.
> objUser.SetInfo
>
> Wscript.Echo "Done"
> ==================================
>
> I hope this helps.
>
> Richard
-- drudolph
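
Added example, not part of the original post or of Richard's script: on an NTFS folder the same "protected DACL" flag is reached through the folder's ACL object rather than an LDAP attribute. The PowerShell below reports and toggles it with Get-Acl and Set-Acl; the function names Get-FolderInheritance and Switch-FolderInheritance and the temporary demo folder are assumptions made for this example.

```powershell
# Added example: report or toggle DACL inheritance on an NTFS folder.
# Both function names are hypothetical helpers, not built-in cmdlets.
function Get-FolderInheritance {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        # True means the DACL is protected, i.e. inheritance from the parent is blocked.
        Protected = $acl.AreAccessRulesProtected
        Explicit  = @($acl.Access | Where-Object { -not $_.IsInherited }).Count
        Inherited = @($acl.Access | Where-Object { $_.IsInherited }).Count
    }
}

function Switch-FolderInheritance {
    param(
        [Parameter(Mandatory)][string]$Path,
        # When blocking inheritance, keep the parent's entries as explicit
        # copies so the folder does not silently lose access entries.
        [bool]$PreserveInherited = $true
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Not a folder: $Path"
    }
    $acl = Get-Acl -LiteralPath $Path
    # Toggle: the new protected state is the opposite of the current one.
    $newState = -not $acl.AreAccessRulesProtected
    # The second argument is ignored when the first is $false.
    $acl.SetAccessRuleProtection($newState, $PreserveInherited)
    Set-Acl -LiteralPath $Path -AclObject $acl
    Get-FolderInheritance -Path $Path
}

# Constructed demo on a throwaway folder under the user's temp directory.
$demo = Join-Path $env:TEMP ("inherit-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
Get-FolderInheritance -Path $demo      # initial state
Switch-FolderInheritance -Path $demo   # inheritance blocked, entries copied
Switch-FolderInheritance -Path $demo   # inheritance allowed again
Remove-Item -LiteralPath $demo
```

With `$PreserveInherited` set to `$false`, blocking inheritance drops every inherited entry, which can remove your own access to the folder. Re-enabling inheritance afterwards does not remove the explicit copies made when it was blocked.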