bsharath
asked on
Change the security setting for all computers in an OU.
Hi,
Change the security setting for all computers in an OU.
I have the Domain Administrator in the security, which needs to be given full access.
Is there a way a script can change this setting, or any tool that can change the access to full access?
I tried "Admodify" but there is no option to change security.
Regards
Sharath
Are you talking about registry settings on each computer, or about an attribute in LDAP/AD?
ASKER
Attributes on the computer object security.
Like when I delete the computer, it does not delete the object until it has Domain\Administrator full access.
So I need to give this access to all the computer objects...
Do you mean when you remove the computer from the domain or when you delete the object in AD?
ASKER
Yes, that's right. When I delete, it says I don't have permissions.
The Domain Admin is a member but not ticked as full access.
"When i delete"
when you delete what?
ASKER
Computer objects.
I have hundreds of computer objects that I need to delete from the Active Directory console.
Sharath, when you say you need to give the domain admin full access.......if it doesn't already *have* full access, what account are you going to use to actually give it full access?
Regards,
Rob.
ASKER
I have logged in to the DC with the Domain\Administrator account. When I select a computer and see the properties, it's not full access for the computer. So what happens is I am not able to delete the computer. If I go to Security and give full access, I am able to delete it. So that means that Domain\Administrator has full permissions on the domain, but these computer objects do not have them.
I am able to select full access and then delete it...
I still don't know what you are doing.
Can you walk us through it step-by-step?
For example:
Log on as DOMAIN\Administrator
Click Start > Run
Type: dsa.msc
Click OK
Expand the domain and OU until you get to the Computer Object you are trying to delete
Right-click on the Computer Object
Click Delete
On the way tell us of any error messages you get.
Is the above example not what you are doing?
Sharath, you said:
"If i go to security and give full access i am able to delete it."
Are you doing that in ADUC? I cannot see a Security section....if I go to the Properties of a Computer object, I can see these tabs:
Delegation
Location
Managed By
General
Operating System
Member Of
Regards,
Rob.
ASKER
But I have them... Attached is the screenshot of Computer > Properties...
ScreenShot017.bmp
ASKER
Rob, any help on these posts?
https://www.experts-exchange.com/questions/23174538/Find-no-of-hrs-the-machine-is-switched-on-Excel-query-to-get-the-details-of-all-machines-in-Colum-Q.html
https://www.experts-exchange.com/questions/23171436/NT-Logins-created-dates-to-excel-sheet.html
https://www.experts-exchange.com/questions/23171281/Find-the-no-of-days-the-machine-has-contacted-the-Domain.html
Good morning Sharath, I have finally had time to look into this one, and have eventually got something working. I did not realise that to view the other tabs I needed to access ADUC directly from a Domain Controller.
In this script, you need to change the object paths in these lines:
' Specify the object to modify the ACL of
objectDN = "LDAP://cn=D09790RING,OU=Computers,OU=TestOU," & rootDSE.Get("defaultNamingContext")
' Specify the account to add to the ACL of the above object
Set objTrustee = GetObject("LDAP://cn=Test User 8,OU=Users,OU=TestOU," & rootDSE.Get("defaultNamingContext"))
The rest should take care of itself. At the moment, this will only affect one computer object, and only add one user account to the Security tab. Test this, and then we'll work on getting it to change the Security for all computers in an OU.
Regards,
Rob.
' Source: http://msdn2.microsoft.com/en-us/library/ms676884(VS.85).aspx
Option Explicit
Const ACL_REVISION_DS = &H4
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0 ' Not declared in the original; VBScript silently used Empty (0), which happens to be the right value
Const ADS_RIGHT_FULL_CONTROL = &HF01FF ' Adds all 13 bits together
Const ADS_RIGHT_READ_PROP = &H10
Const ADS_RIGHT_WRITE_PROP = &H20
Dim rootDSE 'As IADs
Dim objectDN 'As String
Dim objTrustee 'As IADsUser
Dim bResult 'As Boolean
' Bind to rootDSE to discover the domain's default naming context.
Set rootDSE = GetObject("LDAP://rootDSE")
' Specify the object to modify the ACL of
objectDN = "LDAP://cn=Test User 8,OU=Users,OU=TestOU," & rootDSE.Get("defaultNamingContext")
' Specify the account to add to the ACL of the above object
Set objTrustee = GetObject("LDAP://cn=Internal Mail,OU=Users,OU=TestOU," & rootDSE.Get("defaultNamingContext"))
' Grant the trustee Full Control (ADS_RIGHT_FULL_CONTROL) over the object, with no inheritance flags.
' Note: userPrincipalName exists only on user accounts. To add a group such as Domain Admins,
' pass the trustee as "DOMAIN\" & objTrustee.Get("sAMAccountName") instead.
bResult = SetRight(objectDN, _
ADS_RIGHT_FULL_CONTROL, _
ADS_ACETYPE_ACCESS_ALLOWED, _
0, _
vbNullString, _
vbNullString, _
objTrustee.UserPrincipalName) ' Trustee
If bResult = True Then
' Message text kept from the MSDN sample; the ACE written above actually grants Full Control.
MsgBox "The trustee can read or write any property."
Else
MsgBox "An error occurred."
End If
Function SetRight(objectDN, accessrights, accesstype, aceinheritflags, objectGUID, inheritedObjectGUID, trustee)
Dim dsobject 'As IADs
Dim sd 'As IADsSecurityDescriptor
Dim dacl 'As IADsAccessControlList
Dim newace 'As New AccessControlEntry
Dim lflags 'As Long
Set newace = CreateObject("AccessControlEntry")
On Error Resume Next
' Bind to the specified object.
Set dsobject = GetObject(objectDN)
' Read the security descriptor on the object.
Set sd = dsobject.Get("ntSecurityDescriptor")
' Get the DACL from the security descriptor.
Set dacl = sd.DiscretionaryAcl
' Set the properties of the new ACE.
newace.AccessMask = accessrights
newace.AceType = accesstype
newace.AceFlags = aceinheritflags
newace.Trustee = trustee
' Set the GUID for the object type or inherited object type.
lflags = 0
If Not objectGUID = vbNullString Then
newace.ObjectType = objectGUID
lflags = lflags Or &H1 'ADS_FLAG_OBJECT_TYPE_PRESENT
End If
If Not inheritedObjectGUID = vbNullString Then
newace.InheritedObjectType = inheritedObjectGUID
lflags = lflags Or &H2 'ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
End If
If Not (lflags = 0) Then newace.Flags = lflags
' Set the ACL Revision.
dacl.AclRevision = ACL_REVISION_DS
' Add the ACE to the DACL and to the security descriptor.
dacl.AddAce newace
sd.DiscretionaryAcl = dacl
' Apply it to the object.
dsobject.Put "ntSecurityDescriptor", sd
dsobject.SetInfo
' Any failure above (bind, read or write) is reported as False; On Error Resume Next hides the detail.
SetRight = (Err.Number = 0)
Err.Clear
On Error GoTo 0
Set dsobject = Nothing
Set sd = Nothing
Set dacl = Nothing
Set newace = Nothing
End Function
ASKER
Rob Good Afternoon
Thanks for all the effort taken today in so many questions of mine... :-)))
' Specify the object to modify the ACL of
objectDN = "LDAP://cn=D09790RING,OU=Computers,OU=TestOU," & rootDSE.Get("defaultNamingContext")
^ Should this be the computer name?
' Specify the account to add to the ACL of the above object
Set objTrustee = GetObject("LDAP://cn=Test User 8,OU=Users,OU=TestOU," & rootDSE.Get("defaultNamingContext"))
^ Should this be the "Administrator"?
My lines look like this:
' Bind to the Users container in the local domain.
Set rootDSE = GetObject("LDAP://rootDSE")
' Specify the object to modify the ACL of
objectDN = "LDAP://cn=DB-QA01,CN=computers," & rootDSE.Get("defaultNamingContext")
' Specify the account to add to the ACL of the above object
Set objTrustee = GetObject("LDAP://cn=Administrator,CN=Users," & rootDSE.Get("defaultNamingContext"))
Yeah, that looks like it should work to add Administrator to the Security tab of DB-QA01, and I think you'll need to run this directly from a Domain Controller.
Regards,
Rob.
ASKER
Rob, I just get this when I run it:
---------------------------
The trustee can read or write any property.
---------------------------
OK
---------------------------
When I check the ADUC computer object, the Administrator permissions are still the same.
I tried deleting but get the same error.
That's not an error....that means the Administrator should have been given full access.....
You would need to run the script from a user profile that has full control over those computer objects.
Rob.
ASKER
Rob, I am running this script from a Domain Admin login only, on the DC.
When I do it manually from the same login, I am able to set full permissions for the Administrator and delete the computer object.
That should be fine then. When I run the script logged in as a domain admin, I can add anyone as Full Control using the same script.....I wonder if it's actually modifying it on a different DC.....
Try this to use the DC that you're logged onto.
Regards,
Rob.
' Source: http://msdn2.microsoft.com/en-us/library/ms676884(VS.85).aspx
Option Explicit
Const ACL_REVISION_DS = &H4
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0 ' Not declared in the original; VBScript silently used Empty (0), which happens to be the right value
Const ADS_RIGHT_FULL_CONTROL = &HF01FF ' Adds all 13 bits together
Const ADS_RIGHT_READ_PROP = &H10
Const ADS_RIGHT_WRITE_PROP = &H20
Dim rootDSE 'As IADs
Dim objectDN 'As String
Dim objTrustee 'As IADsUser
Dim bResult 'As Boolean
Dim objNetwork 'As WScript.Network
Dim strDCName 'As String
Set objNetwork = CreateObject("WScript.Network")
' Run on a DC: every bind below names this DC, so the change is written and read back on the same server.
strDCName = objNetwork.ComputerName
' Bind to rootDSE to discover the domain's default naming context.
Set rootDSE = GetObject("LDAP://rootDSE")
' Specify the object to modify the ACL of
objectDN = "LDAP://" & strDCName & "/cn=Test User 8,OU=Users,OU=TestOU," & rootDSE.Get("defaultNamingContext")
' Specify the account to add to the ACL of the above object
' (the "/" separating the server name from the DN was missing in the original, so this bind failed)
Set objTrustee = GetObject("LDAP://" & strDCName & "/cn=Internal Mail,OU=Users,OU=TestOU," & rootDSE.Get("defaultNamingContext"))
' Grant the trustee Full Control (ADS_RIGHT_FULL_CONTROL) over the object, with no inheritance flags.
' Note: userPrincipalName exists only on user accounts. To add a group such as Domain Admins,
' pass the trustee as "DOMAIN\" & objTrustee.Get("sAMAccountName") instead.
bResult = SetRight(objectDN, _
ADS_RIGHT_FULL_CONTROL, _
ADS_ACETYPE_ACCESS_ALLOWED, _
0, _
vbNullString, _
vbNullString, _
objTrustee.UserPrincipalName) ' Trustee
If bResult = True Then
' Message text kept from the MSDN sample; the ACE written above actually grants Full Control.
MsgBox "The trustee can read or write any property."
Else
MsgBox "An error occurred."
End If
Function SetRight(objectDN, accessrights, accesstype, aceinheritflags, objectGUID, inheritedObjectGUID, trustee)
Dim dsobject 'As IADs
Dim sd 'As IADsSecurityDescriptor
Dim dacl 'As IADsAccessControlList
Dim newace 'As New AccessControlEntry
Dim lflags 'As Long
Set newace = CreateObject("AccessControlEntry")
On Error Resume Next
' Bind to the specified object.
Set dsobject = GetObject(objectDN)
' Read the security descriptor on the object.
Set sd = dsobject.Get("ntSecurityDescriptor")
' Get the DACL from the security descriptor.
Set dacl = sd.DiscretionaryAcl
' Set the properties of the new ACE.
newace.AccessMask = accessrights
newace.AceType = accesstype
newace.AceFlags = aceinheritflags
newace.Trustee = trustee
' Set the GUID for the object type or inherited object type.
lflags = 0
If Not objectGUID = vbNullString Then
newace.ObjectType = objectGUID
lflags = lflags Or &H1 'ADS_FLAG_OBJECT_TYPE_PRESENT
End If
If Not inheritedObjectGUID = vbNullString Then
newace.InheritedObjectType = inheritedObjectGUID
lflags = lflags Or &H2 'ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
End If
If Not (lflags = 0) Then newace.Flags = lflags
' Set the ACL Revision.
dacl.AclRevision = ACL_REVISION_DS
' Add the ACE to the DACL and to the security descriptor.
dacl.AddAce newace
sd.DiscretionaryAcl = dacl
' Apply it to the object.
dsobject.Put "ntSecurityDescriptor", sd
dsobject.SetInfo
' Any failure above (bind, read or write) is reported as False; On Error Resume Next hides the detail.
SetRight = (Err.Number = 0)
Err.Clear
On Error GoTo 0
Set dsobject = Nothing
Set sd = Nothing
Set dacl = Nothing
Set newace = Nothing
End Function
ASKER
I got this, Rob:
---------------------------
An error occurred.
---------------------------
OK
---------------------------
Under this:
objectDN = "LDAP://" & strDCName & "/cn=Test User 8,OU=Users,OU=TestOU," & rootDSE.Get("defaultNamingContext")
add this
Set objObjectToChange = GetObject(objectDN)
If you still get the same error, please comment out this line
On Error Resume Next
so we get more of a description of the error....
Regards,
Rob.
ASKER
Now I get this...
---------------------------
The trustee can read or write any property.
---------------------------
OK
---------------------------
Hmmm, every time I get that message "The trustee can read or write any property.", that means that the script finished successfully, and should have updated the security tab. Check that, and if it doesn't reflect, perhaps wait a while for replication to occur.
Regards,
Rob.
ASKER
Rob, Domain\Administrator is already a member. Only the permission is not checked as Full Control; all the other options are checked. Does this make any difference?
No, it shouldn't matter if the user is already there. I tested it by running the script when the user wasn't there, and they appeared with Full Control. Then I took off *some* control, leaving the user there, and when I ran the script again, it was put back to Full Control.......maybe it just takes time.....
Regards,
Rob.
ASKER
Rob, I just checked, but it still does not tick the box.
Here is a screenshot of how this looks:
ScreenShot034.bmp
Oh, so you're doing the Administrators group, not a single user?
I think there might be some inheritance issues there.... What if you try a different group, like Domain Admins (they should automatically be part of the Administrators group anyway)?
Regards,
Rob.
ASKER
Thats also fine.
I can do it for "Domain Admins"
So that works then? Giving Domain Admins full control would allow you to delete the object wouldn't it?
So if you're happy to use Domain Admins, we can make it run through all objects in an OU....
Regards,
Rob.
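The per-OU loop this thread is building toward, as an added example that is not part of the original thread and not Rob's certified solution (which is not visible here). It is written in PowerShell with the ActiveDirectory module rather than the thread's VBScript/ADSI, but writes the same thing: an explicit Allow ACE with GenericAll (the 0xF01FF that ADS_RIGHT_FULL_CONTROL stands for) on each computer object directly under one OU. Every bind names one DC, so the change is read back from the server that took the write, which removes the "maybe it's another DC / wait for replication" question raised earlier. The trustee is looked up by sAMAccountName and passed as a SID, so a group such as Domain Admins (which has no userPrincipalName) works the same as a user. The OU path, trustee name and DC name are placeholders to replace; the account running it is assumed to hold WRITE_DAC on the objects, as a domain admin on a DC normally does.

```powershell
# Added example (not from the thread). Grants one trustee Full Control on every
# computer object directly under an OU, pinned to one DC, with a read-back check.
# Assumptions: RSAT ActiveDirectory module installed; caller holds WRITE_DAC on the
# objects; $SearchBase, $Trustee and $Server are placeholders for your environment.
Import-Module ActiveDirectory

# Same bit mask as the thread's ADS_RIGHT_FULL_CONTROL (&HF01FF).
$FullControl = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Test-ExplicitFullControl {
    # True when $Security already carries a non-inherited Allow ACE for $Sid that covers GenericAll.
    param(
        [System.DirectoryServices.ActiveDirectorySecurity] $Security,
        [System.Security.Principal.SecurityIdentifier]     $Sid
    )
    # includeExplicit = $true, includeInherited = $false, identities returned as SIDs
    $explicit = $Security.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    [bool] ($explicit | Where-Object {
        $_.IdentityReference -eq $Sid -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        ($_.ActiveDirectoryRights -band $FullControl) -eq $FullControl
    })
}

function Grant-ComputerObjectFullControl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # placeholder, e.g. 'OU=Computers,OU=TestOU,DC=example,DC=com'
        [string] $Trustee = 'Domain Admins',           # sAMAccountName of a group or user
        [string] $Server  = (Get-ADDomainController).HostName   # one DC for every read and write below
    )

    $trusteeObj = Get-ADObject -Server $Server -Filter "sAMAccountName -eq '$Trustee'" -Properties objectSid
    if (-not $trusteeObj) { throw "Trustee '$Trustee' not found on $Server" }
    $sid = [System.Security.Principal.SecurityIdentifier] $trusteeObj.objectSid

    # Explicit (non-inherited) Allow ACE, no object-type GUID, no inheritance flags:
    # the same shape as the ACE the thread's SetRight function builds.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $FullControl, [System.Security.AccessControl.AccessControlType]::Allow)

    Get-ADComputer -Server $Server -SearchBase $SearchBase -SearchScope OneLevel -Filter * |
      ForEach-Object {
        $dn    = $_.DistinguishedName
        $entry = [ADSI] "LDAP://$Server/$dn"
        $sec   = $entry.ObjectSecurity

        # Blocked inheritance is the usual reason Domain Admins hold Full Control on the OU
        # but not on a computer object beneath it. Report it; do not silently paper over it.
        if ($sec.AreAccessRulesProtected) {
            Write-Warning "$($_.Name): DACL inheritance is blocked on this object"
        }

        if (Test-ExplicitFullControl -Security $sec -Sid $sid) {
            Write-Verbose "$($_.Name): explicit Full Control already present, skipping"
            return
        }

        if ($PSCmdlet.ShouldProcess($dn, "Grant Full Control to $Trustee")) {
            $sec.AddAccessRule($ace)
            $entry.CommitChanges()      # writes ntSecurityDescriptor on $Server

            # Re-read from the same DC and confirm the ACE is really there.
            $check = ([ADSI] "LDAP://$Server/$dn").ObjectSecurity
            if (-not (Test-ExplicitFullControl -Security $check -Sid $sid)) {
                Write-Error "$($_.Name): ACE not present after write"
            }
        }
      }
}

# Dry run first, then apply (paths are placeholders):
# Grant-ComputerObjectFullControl -SearchBase 'OU=Computers,OU=TestOU,DC=example,DC=com' -WhatIf
# Grant-ComputerObjectFullControl -SearchBase 'OU=Computers,OU=TestOU,DC=example,DC=com' -Verbose
```

Run it with -WhatIf first and look at the warnings: if most objects report blocked inheritance, the cleaner fix is to re-enable inheritance on them (or fix the ACE on the OU) rather than stamping hundreds of explicit ACEs that nobody will remember later. Granting an explicit Full Control ACE to a highly privileged group is low risk in itself, but the same loop with a different trustee is exactly how over-broad delegation creeps into a directory, so keep the trustee a group, keep the scope to the one OU, and keep the -WhatIf output as the change record.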
ASKER
Yes Rob Domain Admins worked...
ASKER CERTIFIED SOLUTION
ASKER
Excellent Rob works great...Thanks...