Re: help with scripting AD attribute change



Thank you so much!
FYI (in case you didn't already know), this box will uncheck itself
automatically at set intervals if the account is a domain admin.


"Richard Mueller" <rlmueller-NOSPAM@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:eqgehL%23OGHA.3840@xxxxxxxxxxxxxxxxxxxxxxx
SixHouse wrote:

Hi everyone.
On an AD user object, on the security tab (security > advanced in 2003), I
need to check the "Allow inheritable permissions from parent to propagate
to this object" box on ALL users in my domain... any ideas? I can't even
locate this as an ADSI attribute.


Hi,

I researched this some time ago and found a flag in the DACL for it. For
example, to read:
===============
' SE_DACL_PROTECTED bit in the security descriptor Control word.
Const SE_DACL_PROTECTED = &H1000
Dim objUser, objNtSecurityDescriptor, intNtSecurityDescriptorControl

' Distinguished Name of object hard coded.
Set objUser = GetObject("LDAP://cn=TestUser,dc=MyDomain,dc=com")
Wscript.Echo "User: " & objUser.sAMAccountName

' Retrieve the security descriptor and its control settings.
Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

' Bit set means inheritance from the parent is blocked.
If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then
    Wscript.Echo "Allow inheritable permissions check box disabled"
Else
    Wscript.Echo "Allow inheritable permissions check box enabled"
End If
====================

I was also able to toggle the bit:
=====================
Const SE_DACL_PROTECTED = &H1000
Dim objUser, objNtSecurityDescriptor, intNtSecurityDescriptorControl

' Distinguished Name of object hard coded.
Set objUser = GetObject("LDAP://cn=TestUser,dc=MyDomain,dc=com")

' Retrieve security descriptor object for this object.
Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")

' Retrieve control settings.
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

' Toggle the bit for "allow inheritable permissions".
intNtSecurityDescriptorControl = intNtSecurityDescriptorControl _
Xor SE_DACL_PROTECTED

' Save control settings in the security descriptor object.
objNtSecurityDescriptor.Control = intNtSecurityDescriptorControl

' Save the security descriptor object.
objUser.Put "ntSecurityDescriptor", objNtSecurityDescriptor

' Update the user object.
objUser.SetInfo
================

To do this for all users you could use ADO to retrieve the DN of all
users, bind to each, and modify.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
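A PowerShell version of the same check, added here as an example and not code from this thread or from Richard's site: it reads the SE_DACL_PROTECTED bit two ways (the ActiveDirectorySecurity property and the raw Control word of the binary descriptor, which is the same word the ADSI .Control test above examines), and it clears the bit rather than toggling it with Xor, since the question is to enable inheritance on every user, not to flip whatever state each one is in. It assumes the RSAT ActiveDirectory module, the AD: PSDrive that module provides, and a session with rights to read and write nTSecurityDescriptor; the search base DN is a placeholder. Accounts with adminCount = 1 are skipped because SDProp reapplies the AdminSDHolder descriptor, which sets this bit, on its own schedule; that is the behaviour the follow-up reply describes.

```powershell
# Added example (not from the thread): audit, and optionally restore, DACL
# inheritance on user objects with the ActiveDirectory PowerShell module.
# Assumes the RSAT ActiveDirectory module and a domain-joined session with
# rights to read (and, for Enable-UserInheritance, write) nTSecurityDescriptor.
# The -SearchBase values shown in the usage comments are placeholders.
Import-Module ActiveDirectory

# Same bit the VBScript above tests in the Control word of the descriptor.
$SE_DACL_PROTECTED = 0x1000

function Test-SdControlProtected {
    # Reads the control word straight from the binary security descriptor,
    # mirroring the ADSI .Control check. SECURITY_DESCRIPTOR_RELATIVE layout:
    # byte 0 = Revision, byte 1 = Sbz1, bytes 2-3 = Control (little-endian).
    param([System.DirectoryServices.ActiveDirectorySecurity]$Sd)
    $bytes   = $Sd.GetSecurityDescriptorBinaryForm()
    $control = [BitConverter]::ToUInt16($bytes, 2)
    return (($control -band $SE_DACL_PROTECTED) -ne 0)
}

function Get-UserInheritanceState {
    # Report-only pass over every user under $SearchBase.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor, adminCount |
        ForEach-Object {
            $sd = $_.nTSecurityDescriptor
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                DistinguishedName  = $_.DistinguishedName
                # .NET view of the flag; should always agree with ControlBitSet
                InheritanceBlocked = $sd.AreAccessRulesProtected
                ControlBitSet      = Test-SdControlProtected -Sd $sd
                # adminCount = 1 marks accounts SDProp re-protects on its own schedule
                AdminCount         = $_.adminCount
            }
        }
}

function Enable-UserInheritance {
    # Clears SE_DACL_PROTECTED (re-ticks "Allow inheritable permissions") on
    # every blocked, non-adminCount user under $SearchBase. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-UserInheritanceState -SearchBase $SearchBase |
        Where-Object { $_.InheritanceBlocked -and $_.AdminCount -ne 1 } |
        ForEach-Object {
            $dn = $_.DistinguishedName
            if ($PSCmdlet.ShouldProcess($dn, 'Enable DACL inheritance')) {
                $acl = Get-Acl -Path "AD:\$dn"
                # isProtected = $false re-enables inheritance; the second argument
                # (preserveInheritance) is ignored when isProtected is $false.
                $acl.SetAccessRuleProtection($false, $true)
                Set-Acl -Path "AD:\$dn" -AclObject $acl
            }
        }
}

# Usage (report only):
#   Get-UserInheritanceState -SearchBase 'OU=Users,DC=example,DC=com' | Format-Table
# Dry run first, then apply:
#   Enable-UserInheritance -SearchBase 'OU=Users,DC=example,DC=com' -WhatIf
#   Enable-UserInheritance -SearchBase 'OU=Users,DC=example,DC=com'
```

Run the report first and look at the rows where InheritanceBlocked is true but AdminCount is empty; those are the objects someone blocked by hand, which is what the original question is about. Rows with AdminCount = 1 will be re-protected by SDProp whether or not you clear the bit, so clearing it there only produces churn in the change log.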
