bsharath
Change the security setting for all computers in an OU.

Hi,

Change the security setting for all computers in an OU.
I have the Domain administrator in the security, which needs to be given full access.
Is there a way a script can change this setting, or any tool that can change the access to full access?
I tried "Admodify" but there is no option to change security.

Regards
Sharath
ahoffmann

Are you talking about registry settings on each computer, or about an attribute in LDAP/AD?
bsharath (asker)

Attributes on the computer object security.
Like when I delete the computer, it does not delete the object until it has Domain\administrator full access.
So I need to give this access to all the computer objects...
lamaslany
Do you mean when you remove the computer from the domain or when you delete the object in AD?
Yes, that's right. When I delete, it says I don't have permissions.
The Domain admin is a member but not ticked as full access
"When i delete"
when you delete what?
Computer objects.
I have hundreds of computer objects that I need to delete from the Active Directory console.
Sharath, when you say you need to give the domain admin full access.......if it doesn't already *have* full access, what account are you going to use to actually give it full access?

Regards,

Rob.
I have logged in to the DC with the Domain\Administrator account. When I select a computer and see the properties, it's not full access for the computer. So what happens is I am not able to delete the computer. If I go to security and give full access, I am able to delete it. So that means that the Domain\administrator has full permissions on the Domain but these computer objects do not have.
I am able to select full access and then delete it...
I still don't know what you are doing.

Can you walk us through it step-by-step?

For example:

Log on as DOMAIN\Administrator
Click Start > Run
Type: dsa.msc
Click OK
Expand the domain and OU until you get to the Computer Object you are trying to delete
Right-click on the Computer Object
Click Delete

On the way tell us of any error messages you get.

Is the above example not what you are doing?
lamaslany

This is exactly what I am doing...
I get the attached error..

ScreenShot031.jpg
Sharath, you said:
"If i go to security and give full access i am able to delete it."

Are you doing that in ADUC?  I cannot see a Security section....if I go to the Properties of a Computer object, I can see these tabs:
Delegation
Location
Managed By
General
Operating System
Member Of

Regards,

Rob.
But I have them... Attached is the screen shot of Computer > Properties...
ScreenShot017.bmp
Good morning Sharath, I have finally had time to look into this one, and have eventually got something working.  I did not realise that to view the other tabs I needed to access ADUC directly from a Domain Controller.

In this script, you need to change the object paths in these lines:

' Specify the object to modify the ACL of
objectDN = "LDAP://cn=D09790RING,OU=Computers,OU=TestOU," & rootDSE.Get("defaultNamingContext")
' Specify the account to add to the ACL of the above object
Set objTrustee = GetObject("LDAP://cn=Test User 8,OU=Users,OU=TestOU," & rootDSE.Get("defaultNamingContext"))

The rest should take care of itself.  At the moment, this will only affect one computer object, and only add one user account to the Security tab.  Test this, and then we'll work on getting it to change the Security for all computers in an OU.

Regards,

Rob.
' Source: http://msdn2.microsoft.com/en-us/library/ms676884(VS.85).aspx
 
Const ACL_REVISION_DS = &H4
 
Dim rootDSE 'As IADs
Dim objectDN 'As String
Dim bResult 'As Boolean
Const ADS_RIGHT_FULL_CONTROL = &HF01FF ' Adds all 13 bits together
Const ADS_RIGHT_READ_PROP = &H10
Const ADS_RIGHT_WRITE_PROP = &H20
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0 ' Used in the SetRight call below; without this Const it is an undeclared (Empty) variable
 
' Bind to rootDSE to discover the default naming context of the local domain.
Set rootDSE = GetObject("LDAP://rootDSE")
' Specify the object to modify the ACL of
objectDN = "LDAP://cn=Test User 8,OU=Users,OU=TestOU," & rootDSE.Get("defaultNamingContext")
' Specify the account to add to the ACL of the above object
Set objTrustee = GetObject("LDAP://cn=Internal Mail,OU=Users,OU=TestOU," & rootDSE.Get("defaultNamingContext"))
 
' Grant the trustee full control of the object.
' Note: UserPrincipalName only exists for user accounts that have a UPN set; for a group
' such as Domain Admins, or an account without a UPN, pass the trustee as DOMAIN\sAMAccountName instead.
bResult = SetRight(objectDN, _
		ADS_RIGHT_FULL_CONTROL, _
 		ADS_ACETYPE_ACCESS_ALLOWED, _
  		0, _
  		vbNullString, _
  		vbNullString, _
  		objTrustee.UserPrincipalName) ' Trustee
 
If bResult = True Then
    MsgBox "The trustee can read or write any property."
Else
    MsgBox "An error occurred."
End If
 
 
Function SetRight(objectDN, accessrights, accesstype, aceinheritflags, objectGUID, inheritedObjectGUID, trustee)
 
	Dim dsobject 'As IADs
	Dim sd 'As IADsSecurityDescriptor
	Dim dacl 'As IADsAccessControlList
	Dim newace 'As New AccessControlEntry
	Dim lflags 'As Long
	
	Set newace = CreateObject("AccessControlEntry")
	
	On Error Resume Next
	 
	' Bind to the specified object.
	Set dsobject = GetObject(objectDN)
	 
	' Read the security descriptor on the object.
	Set sd = dsobject.Get("ntSecurityDescriptor")
	 
	' Get the DACL from the security descriptor.
	Set dacl = sd.DiscretionaryAcl
	 
	' Set the properties of the new ACE.
	newace.AccessMask = accessrights
	newace.AceType = accesstype
	newace.AceFlags = aceinheritflags
	newace.trustee = trustee
	 
	' Set the GUID for the object type or inherited object type.
	lflags = 0
	
	If Not objectGUID = vbNullString Then
	   newace.ObjectType = objectGUID
	   lflags = lflags Or &H1 'ADS_FLAG_OBJECT_TYPE_PRESENT
	End If
	
	If Not inheritedObjectGUID = vbNullString Then
	   newace.InheritedObjectType = inheritedObjectGUID
	   lflags = lflags Or &H2 'ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
	End If
	
	If Not (lflags = 0) Then newace.Flags = lflags
	 
	' Set the ACL Revision.
	dacl.AclRevision = ACL_REVISION_DS
	
	' Add the ACE to the DACL and to the security descriptor.
	dacl.AddAce newace
	sd.DiscretionaryAcl = dacl
	 
	' Apply it to the object.
	dsobject.Put "ntSecurityDescriptor", sd
	dsobject.SetInfo
	If Err.Number <> 0 Then
		Set dsobject = Nothing
		Set sd = Nothing
		Set dacl = Nothing
		Set newace = Nothing
		Err.Clear
		On Error GoTo 0
		SetRight = False
	Else
		Set dsobject = Nothing
		Set sd = Nothing
		Set dacl = Nothing
		Set newace = Nothing
		Err.Clear
		On Error GoTo 0
		SetRight = True
	End If
		
End Function


Rob, good afternoon.
Thanks for all the effort taken today in so many questions of mine... :-)))

' Specify the object to modify the ACL of
objectDN = "LDAP://cn=D09790RING,OU=Computers,OU=TestOU," & rootDSE.Get("defaultNamingContext")
                                 ^ Should this be the computer name?
' Specify the account to add to the ACL of the above object
Set objTrustee = GetObject("LDAP://cn=Test User 8,OU=Users,OU=TestOU," & rootDSE.Get("defaultNamingContext"))
                                                                    ^ Should this be the "Administrator"?

My lines look like this
 
' Bind to the Users container in the local domain.
Set rootDSE = GetObject("LDAP://rootDSE")
' Specify the object to modify the ACL of
objectDN = "LDAP://cn=DB-QA01,CN=computers," & rootDSE.Get("defaultNamingContext")
' Specify the account to add to the ACL of the above object
Set objTrustee = GetObject("LDAP://cn=Administrator,CN=Users," & rootDSE.Get("defaultNamingContext"))
Yeah, that looks like it should work to add Administrator to the Security tab of DB-QA01, and I think you'll need to run this directly from a Domain Controller.

Regards,

Rob.
Rob, I just get this when I run it
---------------------------

---------------------------
The trustee can read or write any property.
---------------------------
OK  
---------------------------

When I check the ADUC computer object, the Administrator permissions are still the same.
I tried deleting but get the same error.
That's not an error....that means the Administrator should have been given full access.....

You would need to run the script from a user profile that has full control over those computer objects.

Rob.
Rob, I am running this script from a Domain Admin login only on the DC.
When I do it manually from the same login, I am able to set full permissions to the administrator and delete the computer object.
That should be fine then.  When I run the script logged in as a domain admin, I can add anyone as Full Control using the same script.....I wonder if it's actually modifying it on a different DC.....

Try this to use the DC that you're logged onto.

Regards,

Rob.
' Source: http://msdn2.microsoft.com/en-us/library/ms676884(VS.85).aspx
 
Const ACL_REVISION_DS = &H4
 
Dim rootDSE 'As IADs
Dim objectDN 'As String
Dim bResult 'As Boolean
Const ADS_RIGHT_FULL_CONTROL = &HF01FF ' Adds all 13 bits together
Const ADS_RIGHT_READ_PROP = &H10
Const ADS_RIGHT_WRITE_PROP = &H20
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0 ' Used in the SetRight call below; without this Const it is an undeclared (Empty) variable
 
Set objNetwork = CreateObject("WScript.Network")
strDCName = objNetwork.ComputerName
 
' Bind to rootDSE to discover the default naming context of the local domain.
Set rootDSE = GetObject("LDAP://rootDSE")
' Specify the object to modify the ACL of (server-bound to the DC we are logged on to)
objectDN = "LDAP://" & strDCName & "/cn=Test User 8,OU=Users,OU=TestOU," & rootDSE.Get("defaultNamingContext")
' Specify the account to add to the ACL of the above object (the "/" after the server name is required)
Set objTrustee = GetObject("LDAP://" & strDCName & "/cn=Internal Mail,OU=Users,OU=TestOU," & rootDSE.Get("defaultNamingContext"))
 
' Grant the trustee full control of the object.
' Note: UserPrincipalName only exists for user accounts that have a UPN set; for a group
' such as Domain Admins, or an account without a UPN, pass the trustee as DOMAIN\sAMAccountName instead.
bResult = SetRight(objectDN, _
		ADS_RIGHT_FULL_CONTROL, _
 		ADS_ACETYPE_ACCESS_ALLOWED, _
  		0, _
  		vbNullString, _
  		vbNullString, _
  		objTrustee.UserPrincipalName) ' Trustee
 
If bResult = True Then
    MsgBox "The trustee can read or write any property."
Else
    MsgBox "An error occurred."
End If
 
 
Function SetRight(objectDN, accessrights, accesstype, aceinheritflags, objectGUID, inheritedObjectGUID, trustee)
 
	Dim dsobject 'As IADs
	Dim sd 'As IADsSecurityDescriptor
	Dim dacl 'As IADsAccessControlList
	Dim newace 'As New AccessControlEntry
	Dim lflags 'As Long
	
	Set newace = CreateObject("AccessControlEntry")
	
	On Error Resume Next
	 
	' Bind to the specified object.
	Set dsobject = GetObject(objectDN)
	 
	' Read the security descriptor on the object.
	Set sd = dsobject.Get("ntSecurityDescriptor")
	 
	' Get the DACL from the security descriptor.
	Set dacl = sd.DiscretionaryAcl
	 
	' Set the properties of the new ACE.
	newace.AccessMask = accessrights
	newace.AceType = accesstype
	newace.AceFlags = aceinheritflags
	newace.trustee = trustee
	 
	' Set the GUID for the object type or inherited object type.
	lflags = 0
	
	If Not objectGUID = vbNullString Then
	   newace.ObjectType = objectGUID
	   lflags = lflags Or &H1 'ADS_FLAG_OBJECT_TYPE_PRESENT
	End If
	
	If Not inheritedObjectGUID = vbNullString Then
	   newace.InheritedObjectType = inheritedObjectGUID
	   lflags = lflags Or &H2 'ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
	End If
	
	If Not (lflags = 0) Then newace.Flags = lflags
	 
	' Set the ACL Revision.
	dacl.AclRevision = ACL_REVISION_DS
	
	' Add the ACE to the DACL and to the security descriptor.
	dacl.AddAce newace
	sd.DiscretionaryAcl = dacl
	 
	' Apply it to the object.
	dsobject.Put "ntSecurityDescriptor", sd
	dsobject.SetInfo
	If Err.Number <> 0 Then
		Set dsobject = Nothing
		Set sd = Nothing
		Set dacl = Nothing
		Set newace = Nothing
		Err.Clear
		On Error GoTo 0
		SetRight = False
	Else
		Set dsobject = Nothing
		Set sd = Nothing
		Set dacl = Nothing
		Set newace = Nothing
		Err.Clear
		On Error GoTo 0
		SetRight = True
	End If
		
End Function


I got this, Rob
---------------------------

---------------------------
An error occurred.
---------------------------
OK  
---------------------------
Under this:
objectDN = "LDAP://" & strDCName & "/cn=Test User 8,OU=Users,OU=TestOU," & rootDSE.Get("defaultNamingContext")

add this
Set objObjectToChange = GetObject(objectDN)

If you still get the same error, please comment out this line
   On Error Resume Next

so we get more of a description of the error....

Regards,

Rob.
Now I get this...
---------------------------

---------------------------
The trustee can read or write any property.
---------------------------
OK  
---------------------------
Hmmm, every time I get that message "The trustee can read or write any property.", that means that the script finished successfully, and should have updated the security tab.  Check that, and if it doesn't reflect, perhaps wait a while for replication to occur.

Regards,

Rob.
Rob, the Domain\administrator is already a member. Only the permission is not checked to full control. All the other options are checked. Does this make any difference?
No, it shouldn't matter if the user is already there.  I tested it by running the script when the user wasn't there, and they appeared with Full Control.  Then I took off *some* control, leaving the user there, and when I ran the script again, it was put back to Full Control.......maybe it just takes time.....

Regards,

Rob.
Rob, I just checked but it still does not tick the box.
Here is a screen shot of how this looks
ScreenShot034.bmp
Oh, so you're doing the Administrators group, not a single user?

I think there might be some inheritance issues there....What if you try a different group, like Domain Admins (they should automatically be part of the Administrators groups anyway).

Regards,

Rob.
That's also fine.
I can do it for "Domain Admins"
So that works then? Giving Domain Admins full control would allow you to delete the object wouldn't it?

So if you're happy to use Domain Admins, we can make it run through all objects in an OU....

Regards,

Rob.
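Rob's accepted script for running the change across a whole OU is not reproduced on this page. The block below is an added example (not Rob's code and not from the thread) that does the same job in PowerShell with the RSAT ActiveDirectory module: it walks every computer object under an OU, reports whether the chosen principal already holds Full Control and whether the object blocks inheritance (a blocked object will not pick up permissions set on the OU, which matches the inheritance suspicion raised above), and adds an explicit Allow GenericAll ACE only where it is missing. `$SearchBase` and the `EXAMPLE\Domain Admins` default are placeholders to replace. Because the ACE is built from a SID rather than a userPrincipalName, it works for a group such as Domain Admins as well as for a user.

```powershell
<#
  Added example, not the thread's VBScript: grant one principal Full Control on
  every computer object under an OU, reporting each object's state first.
  Assumes the RSAT ActiveDirectory module (it provides the AD: drive used by
  Get-Acl/Set-Acl). $SearchBase and $Principal are placeholders you must replace.
  Run with -WhatIf first to see what would change without touching the directory.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$SearchBase,                           # e.g. "OU=Computers,OU=TestOU,DC=example,DC=com" (placeholder)

    [string]$Principal = "EXAMPLE\Domain Admins"   # placeholder domain; the thread settled on Domain Admins
)

Import-Module ActiveDirectory -ErrorAction Stop

# GenericAll (0xF01FF) is the mask ADUC displays as "Full Control".
$fullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$sid = ([System.Security.Principal.NTAccount]$Principal).Translate([System.Security.Principal.SecurityIdentifier])

function Test-HasFullControl {
    param(
        [System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [System.Security.Principal.SecurityIdentifier]$Sid
    )
    # True if any Allow ACE (explicit or inherited) for this SID carries every GenericAll bit.
    foreach ($ace in $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference -eq $Sid -and
            (($ace.ActiveDirectoryRights -band $fullControl) -eq $fullControl)) {
            return $true
        }
    }
    return $false
}

$computers = Get-ADComputer -Filter * -SearchBase $SearchBase -SearchScope Subtree

foreach ($computer in $computers) {
    $path = "AD:\$($computer.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    $state = [pscustomobject]@{
        Computer           = $computer.Name
        HadFullControl     = Test-HasFullControl -Acl $acl -Sid $sid
        InheritanceBlocked = $acl.AreAccessRulesProtected   # blocked objects ignore OU-level permissions
        Changed            = $false
    }

    if (-not $state.HadFullControl) {
        if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, "Grant $Principal Full Control")) {
            # Explicit ACE on the object itself, no inheritance to children (computers have none).
            $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
                $sid,
                $fullControl,
                [System.Security.AccessControl.AccessControlType]::Allow,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
            )
            $acl.AddAccessRule($rule)
            Set-Acl -Path $path -AclObject $acl
            $state.Changed = $true
        }
    }

    $state   # one report row per computer object
}
```

Run it first as `.\Grant-ComputerFullControl.ps1 -SearchBase "OU=...,DC=..." -WhatIf` (script name assumed) to get the report without writing anything; objects that show `InheritanceBlocked = True` are the ones that will not receive permissions delegated at the OU level and explain why the tab looked different from the rest of the domain. Only rerun without `-WhatIf` once the list of objects to be changed is what you expect.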
Yes Rob, Domain Admins worked...
ASKER CERTIFIED SOLUTION
RobSampson
Excellent Rob, works great...Thanks...