Re: Search for accounts based on advanced security permissions
- From: "Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 1 Aug 2007 10:47:44 -0500
"Ken Zhao [MSFT]" <v-kzhao@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:WjgZj%23%230HHA.5204@xxxxxxxxxxxxxxxxxxxxxxxxx
Hello,
Thank you for using the newsgroup!
Based on my knowledge, Dsacls.exe is a command-line tool that you can use
to query the security attributes and to change permissions and security
attributes of Active Directory objects. You may refer to:
281146: How to Use Dsacls.exe in Windows Server 2003 and Windows 2000
http://support.microsoft.com/kb/281146/en-us
Thanks & Regards,
Ken Zhao
Microsoft Online Support
Microsoft Global Technical Support Center
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no
rights.
--------------------
| Thread-Topic: Search for accounts based on advanced security permissions
| thread-index: AcfTkAwJkaEhWLjDRQG1YAichRsu1w==
| X-WBNR-Posting-Host: 207.46.192.207
| From: =?Utf-8?B?am1lZGQ=?= <jmedd@xxxxxxxxxxxxxxxx>
| Subject: Search for accounts based on advanced security permissions
| Date: Tue, 31 Jul 2007 09:30:03 -0700
| Newsgroups: microsoft.public.windows.server.active_directory
| I have an issue where a number of AD user accounts have lost the tick in the
| box for:
|
| Inherit from parent the permission entries that apply to child objects.
| Include these with entries explicitly defined here.
|
| on the Advanced Security Settings dialogue box off of the security tab for
| the user account.
|
| This is affecting my delegated admin rights for the helpdesk which are set
| at the OU level where the user accounts reside.
|
| Obviously it's a quick fix for the affected accounts, but I'm wondering if
| there's a way to perform a search which would identify any account which does
| not have that box checked so that I can go fix those affected in one go?
|
Because this flag is a property of the security descriptor of each object, I
don't think there is any easy way to query for all users. The following
VBScript program uses ADO to retrieve the DN of all users in the domain. It
then binds to each user and checks the flag of the security descriptor. You
can redirect the output to a text file:
===================
Option Explicit

Dim objRootDSE, strDNSDomain, adoCommand, adoConnection
Dim strBase, strFilter, strAttributes, strQuery, adoRecordset
Dim strDN
Dim objUser, objNtSecurityDescriptor, intNtSecurityDescriptorControl

' SE_DACL_PROTECTED bit of the security descriptor control word. When it is
' set, the DACL does not inherit ACEs from the parent, which is what the
' unchecked "Inherit from parent ..." box in the GUI means.
Const SE_DACL_PROTECTED = &H1000

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire domain.
strBase = "<LDAP://" & strDNSDomain & ">"

' Search for all users (objectCategory=person excludes computer objects,
' which are also objectClass=user).
strFilter = "(&(objectCategory=person)(objectClass=user))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"

' Construct the LDAP query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

' Run the query. Paging is required to get more than 1000 results.
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve values.
    strDN = adoRecordset.Fields("distinguishedName").Value
    ' Escape any forward slash characters, which are path separators in an
    ' ADsPath.
    strDN = Replace(strDN, "/", "\/")
    ' Bind to the user and read the security descriptor. Control is the
    ' control word of the descriptor (IADsSecurityDescriptor.Control).
    Set objUser = GetObject("LDAP://" & strDN)
    Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
    intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control
    If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then
        Wscript.Echo objUser.sAMAccountName _
            & ", Allow inheritable permissions disabled"
    Else
        Wscript.Echo objUser.sAMAccountName _
            & ", Allow inheritable permissions enabled"
    End If
    Set objNtSecurityDescriptor = Nothing
    Set objUser = Nothing
    adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close
============
You can output objUser.distinguishedName instead of sAMAccountName if that
helps. Run at a command prompt with the cscript host and redirect the output
to a text file.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
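The same check written for the Active Directory PowerShell module, as an added example that is not part of the original thread. It assumes RSAT (the ActiveDirectory module and the AD: drive) and an account that can read ntSecurityDescriptor on the users; the -Fix switch additionally needs WRITE_DAC on each affected object. Instead of testing the SE_DACL_PROTECTED bit by hand it uses the AreAccessRulesProtected property of the ActiveDirectorySecurity object that Get-ADUser returns, which reports the same flag. It also reports adminCount, because the most common cause of this exact symptom is the SDProp process: members of the protected groups (Domain Admins, Account Operators and so on) get adminCount=1 and their DACL inheritance removed roughly every 60 minutes, so re-ticking the box on those accounts only lasts until the next SDProp run. The script name and parameter names are my own.

```powershell
<#
  Find-BlockedInheritance.ps1 (added example, not from the original post)

  Lists user objects whose DACL has inheritance disabled and, with -Fix,
  re-enables inheritance on those that are not SDProp-protected.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: search the whole domain unless an OU DN is supplied.
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,
    [switch]$Fix
)

Import-Module ActiveDirectory -ErrorAction Stop

# Same filter as the VBScript: person objects of class user, not computers.
$users = Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user))' `
                    -SearchBase $SearchBase -SearchScope Subtree `
                    -Properties nTSecurityDescriptor, adminCount

$results = foreach ($u in $users) {
    # nTSecurityDescriptor is a System.DirectoryServices.ActiveDirectorySecurity;
    # AreAccessRulesProtected is true when SE_DACL_PROTECTED is set.
    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        DistinguishedName  = $u.DistinguishedName
        InheritanceBlocked = $u.nTSecurityDescriptor.AreAccessRulesProtected
        AdminCount         = $u.adminCount
    }
}

$blocked = $results | Where-Object InheritanceBlocked
$blocked | Format-Table SamAccountName, AdminCount, DistinguishedName -AutoSize

if ($Fix) {
    foreach ($b in $blocked) {
        if ($b.AdminCount -eq 1) {
            # SDProp will strip inheritance again; fixing the ACL is pointless
            # until the account is out of the protected groups and adminCount
            # is cleared.
            Write-Warning "$($b.SamAccountName) has adminCount=1 (SDProp-protected); skipping."
            continue
        }
        $path = "AD:\$($b.DistinguishedName)"
        if ($PSCmdlet.ShouldProcess($b.DistinguishedName, 'Re-enable ACL inheritance')) {
            $acl = Get-Acl -Path $path
            # isProtected=$false turns inheritance back on; the second argument
            # (preserveInheritance) is ignored when isProtected is $false.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}
```

Run it first without -Fix to get the list (pipe $blocked to Export-Csv if you want a file), then with -Fix -WhatIf to see what would be changed, and finally with -Fix. Accounts reported with adminCount=1 need to be handled separately: remove them from the protected groups if they do not belong there, clear adminCount, and only then re-enable inheritance.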
- Follow-Ups:
- Re: Search for accounts based on advanced security permissions
- From: "Ken Zhao [MSFT]"
- Re: Search for accounts based on advanced security permissions
- References:
- RE: Search for accounts based on advanced security permissions
- From: "Ken Zhao [MSFT]"
- RE: Search for accounts based on advanced security permissions