Re: VBscript to set the inherit permissions in registry



Joe wrote:

We would like to set the "allow inheritable permissions from parent to
propagate to this object" on a workstation from a script. Is there a
method to do this?

I realize the end user will have to be logged & have the necessary
permission to modify the setting. But I am having a difficult time
finding a way to set this specific setting.

Thank you for your assistance.

~Joe

I have scripts to read and write this setting for Active Directory objects,
but I was not aware of this setting for local machine resources. Where do
you see the setting?

If you mean how to set this for AD objects, here is a sample:
===================
' VBScript program to toggle "allow inheritable permissions from
' parent to propagate to this object" on the Security tab of the object.

Option Explicit

Const SE_DACL_PROTECTED = &H1000
Dim objUser, objNtSecurityDescriptor, intNtSecurityDescriptorControl

' Distinguished Name of object hard coded.
Set objUser = GetObject("LDAP://cn=TestUser,ou=Sales,dc=MyDomain,dc=com")

' Retrieve security descriptor object for this object.
Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")

' Retrieve control settings.
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

' Toggle the bit for "allow inheritable permissions".
intNtSecurityDescriptorControl = intNtSecurityDescriptorControl _
Xor SE_DACL_PROTECTED

' Save control settings in the security descriptor object.
objNtSecurityDescriptor.Control = intNtSecurityDescriptorControl

' Save the security descriptor object.
objUser.Put "ntSecurityDescriptor", objNtSecurityDescriptor

' Update the user object.
objUser.SetInfo

Wscript.Echo "Done"
=================

As with all flag settings, you "And" the property with the appropriate bit
mask (SE_DACL_PROTECTED in this case) to test if it is set - any non-zero
result means the flag is set. You "Or" with the bit mask to set the flag,
you "Xor" with the bit mask to toggle. The above toggles. If you want to set
the flag, you probably should "Or". The procedure to un-set would be to
first test with "And", and if the flag is set, toggle with "Xor".

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
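
An added example, not part of the original post: an idempotent version of the script above that forces inheritance on or off instead of toggling, so running it twice cannot undo itself. `SetInheritance` and its parameters are names chosen for this illustration; it clears the bit with `And Not` rather than the test-then-`Xor` sequence described above, and the distinguished name is the placeholder from the post. Note the polarity: `SE_DACL_PROTECTED` set means inheritance is blocked, so the "allow inheritable permissions" box is checked when the bit is clear.

```vbscript
Option Explicit

Const SE_DACL_PROTECTED = &H1000

' Hypothetical helper (not from the original post).
' blnInherit = True  -> clear SE_DACL_PROTECTED (inheritance allowed)
' blnInherit = False -> set SE_DACL_PROTECTED (inheritance blocked)
' Returns True if the descriptor was changed, False if it was already
' in the requested state and nothing was written to the directory.
Function SetInheritance(ByVal strDN, ByVal blnInherit)
    Dim objTarget, objSD, lngControl, lngNew

    Set objTarget = GetObject("LDAP://" & strDN)
    Set objSD = objTarget.Get("ntSecurityDescriptor")
    lngControl = objSD.Control

    If blnInherit Then
        ' "And Not" clears the bit whether or not it was set.
        lngNew = lngControl And (Not SE_DACL_PROTECTED)
    Else
        ' "Or" sets the bit whether or not it was set.
        lngNew = lngControl Or SE_DACL_PROTECTED
    End If

    SetInheritance = (lngNew <> lngControl)

    ' Write back only when the state actually changes, so repeated runs
    ' do not produce needless security descriptor updates.
    If SetInheritance Then
        objSD.Control = lngNew
        objTarget.Put "ntSecurityDescriptor", objSD
        objTarget.SetInfo
    End If
End Function

' Placeholder distinguished name taken from the post above.
If SetInheritance("cn=TestUser,ou=Sales,dc=MyDomain,dc=com", True) Then
    Wscript.Echo "Inheritance enabled"
Else
    Wscript.Echo "Inheritance was already enabled; nothing written"
End If
```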

