Granting Write access to a User Object in AD 2000

I want to be able to grant users write access to a group/user object in AD using a VBScript. I got the script below from the Microsoft website; it assigns read/write access to Personal Information.
I have tried modifying the script to give write access but have failed each time.

How can I modify the script to apply write access to the group object?

Thanks Kev


' ADSI constants (ADS_ACETYPE_ENUM, ADS_RIGHTS_ENUM, ADS_FLAGTYPE_ENUM, ADS_ACEFLAG_ENUM)
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5       ' object-specific Allow ACE
Const ADS_RIGHT_DS_READ_PROP = &H10                 ' read the property / property set named in ObjectType
Const ADS_RIGHT_DS_WRITE_PROP = &H20                ' write the property / property set named in ObjectType
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1            ' ObjectType is set
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2  ' InheritedObjectType is set
Const ADS_ACEFLAG_INHERIT_ACE = &H2                 ' ACE applies here and is inherited by child objects
 
' Bind to the object and fetch its security descriptor and DACL
Set objSDUtil = GetObject("LDAP://cn=test_changed_1,ou=Distribution Lists,dc=test,dc=net")
Set objSD = objSDUtil.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryACL
 
' Build the new ACE
Set objACE = CreateObject("AccessControlEntry")
 
objACE.Trustee = "domain\username"
objACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT Or ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
' ObjectType says WHAT is granted: here the Personal Information property set (from the Microsoft sample)
objACE.ObjectType = "{77b5b886-944a-11d1-aebd-0000f80367c1}"
' InheritedObjectType says WHICH child objects inherit the ACE: here the user class
objACE.InheritedObjectType = "{BF967ABA-0DE6-11D0-A285-00AA003049E2}"
objACE.AccessMask = ADS_RIGHT_DS_READ_PROP Or ADS_RIGHT_DS_WRITE_PROP
 
' AddAce does not reorder the DACL; keeping ACEs in canonical order is the caller's job
objDACL.AddAce objACE
objSD.DiscretionaryAcl = objDACL
 
' Put takes the descriptor wrapped in an array; SetInfo commits it to the directory
objSDUtil.Put "ntSecurityDescriptor", Array(objSD)
objSDUtil.SetInfo
MsgBox "Finished"


Asked by kevaroo
Chris Dent (PowerShell Developer) commented:

Hi Kev,

It's actually very easy to make the permission you're setting apply to Group objects. You just need to change this part:

objACE.InheritedObjectType = "{BF967ABA-0DE6-11D0-A285-00AA003049E2}"

That one contains the GUID of the User object (as documented in the Schema Reference); if you substitute the GUID of the Group object, the permission will be set to apply to groups:

objACE.InheritedObjectType = "{BF967A9C-0DE6-11D0-A285-00AA003049E2}"

Here's the Schema Reference if you need any other object type GUIDs:

http://msdn2.microsoft.com/en-us/library/ms680938%28VS.85%29.aspx

Is that what you're looking for?

Chris
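Rather than copying class and attribute GUIDs out of the Schema Reference, they can be read straight from the directory. The following is an added PowerShell example, not code from the thread: it looks up schemaIDGUID for classes and attributes in the schema partition, and rightsGuid for property sets such as Personal Information under CN=Extended-Rights in the configuration partition, using only System.DirectoryServices (so no AD module is needed and it works against a Windows 2000 domain controller). It assumes serverless binding to a reachable DC; the function names Get-SchemaGuid and Get-ControlAccessRightGuid are mine, and the names looked up are the ones discussed in this thread.

```powershell
# Added example (not from the thread): resolve schema GUIDs by name instead of
# hard-coding them. Uses only System.DirectoryServices and serverless binding
# (assumes a reachable domain controller).

function Get-SchemaGuid {
    # schemaIDGUID identifies both classes ('group', 'user') and attributes ('member').
    param([Parameter(Mandatory = $true)][string] $LdapDisplayName)

    $rootDse  = [ADSI]"LDAP://RootDSE"
    $schemaNc = $rootDse.schemaNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
    $searcher.Filter     = "(lDAPDisplayName=$LdapDisplayName)"
    [void]$searcher.PropertiesToLoad.Add("schemaIDGUID")

    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No schema object with lDAPDisplayName '$LdapDisplayName'" }
    # schemaIDGUID is stored as a 16-byte octet string, not as a GUID string
    $bytes = [byte[]]$result.Properties["schemaidguid"][0]
    New-Object System.Guid -ArgumentList (,$bytes)
}

function Get-ControlAccessRightGuid {
    # Property sets such as 'Personal Information' (and extended rights) live under
    # CN=Extended-Rights in the Configuration partition; their GUID is the rightsGuid string.
    param([Parameter(Mandatory = $true)][string] $DisplayName)

    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.configurationNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNc"
    $searcher.Filter     = "(displayName=$DisplayName)"
    [void]$searcher.PropertiesToLoad.Add("rightsGuid")

    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "No control access right named '$DisplayName'" }
    [Guid]$result.Properties["rightsguid"][0]
}

# Print the GUIDs used in this thread, resolved from the live schema
foreach ($name in 'group', 'user', 'member') {
    '{0,-20} {1}' -f $name, (Get-SchemaGuid -LdapDisplayName $name)
}
'{0,-20} {1}' -f 'Personal Information', (Get-ControlAccessRightGuid -DisplayName 'Personal Information')
```

In a default schema these lookups return the GUIDs quoted in this thread (group bf967a9c-..., user bf967aba-..., member bf9679c0-..., Personal Information 77b5b886-...). Resolving them at run time also protects a script from the base-64/hex confusion that creeps in when GUIDs are copied by hand.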
kevaroo (Author) commented:
Chris,

I have tried as you have suggested. I still do not get the write access granted on the Security tab of the group. If I select Advanced it does show the account with Write Property to the group object, which does not give the level of access required.

How can I assign the write access property so it is shown enabled on the Security tab on the group object?

Kev
Chris Dent (PowerShell Developer) commented:

That's because by virtue of this line:

objAce.ObjectType = "{77b5b886-944a-11d1-aebd-0000f80367c1}"

You're setting a specific permission that won't appear under the GUI for the group. Exactly which property are you looking to set here? Or just all properties?

Chris
kevaroo (Author) commented:
I am looking specifically to set the write permission, but would be interested in being able to set other permissions too. Is there a link to a site that provides a list of these GUIDs?
kevaroo (Author) commented:
The permission I need to set is the read/write memberof for a group object.
Chris Dent (PowerShell Developer) commented:

Ahh cool :)

There isn't a property set for that one; instead we must set ObjectType to the GUID of the Member attribute, like this:

objAce.ObjectType = "{bf9679c0-0de6-11d0-a285-00aa003049e2}"

Plugging that into the code above means that, for a group, we grant Read and Write access to the member attribute, allowing us to modify the group membership.

Chris
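The ACE the thread arrives at (Allow, Read Property and Write Property on the member attribute, inherited by group objects), built with System.DirectoryServices from PowerShell and then read back to confirm what was written. This is an added example, not the thread's VBScript: it assumes the group path and trustee name from the question, uses the member-attribute and group-class GUIDs quoted above, and the function names Grant-GroupMemberWrite and Get-MemberWriters are mine. The read-back lists what the Advanced dialog shows, which is where an attribute-specific grant appears; the plain Security tab only has a tick box for the generic Write right, so a grant scoped to one attribute will never light it up.

```powershell
# Added example (not the thread's VBScript): grant Read/Write Property on 'member'
# to a trustee on a group, applying to group objects, then read the DACL back.
# Assumed inputs: the group path and trustee name from the question.

$groupPath  = "LDAP://cn=test_changed_1,ou=Distribution Lists,dc=test,dc=net"
$trustee    = "domain\username"
$memberGuid = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"   # attribute: member
$groupClass = [Guid]"bf967a9c-0de6-11d0-a285-00aa003049e2"   # class: group

function Grant-GroupMemberWrite {
    param([string] $Path, [string] $Trustee, [Guid] $AttributeGuid, [Guid] $ClassGuid)

    $entry = [ADSI]$Path
    # The ACE stores a SID; resolve DOMAIN\name up front so a typo fails here, not at commit
    $sid = (New-Object System.Security.Principal.NTAccount($Trustee)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # objectType          = WHAT is granted (the member attribute)
    # inheritedObjectType = WHICH objects inherit it (the group class)
    # Inheritance 'All' matches the VBScript's ADS_ACEFLAG_INHERIT_ACE: this object plus children
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AttributeGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All,
        $ClassGuid
    )
    # The .NET ACL classes keep the DACL canonical; if the existing DACL is already
    # out of order (e.g. after raw ADSI edits) AddAccessRule throws InvalidOperationException
    $entry.ObjectSecurity.AddAccessRule($rule)
    $entry.CommitChanges()
}

function Get-MemberWriters {
    # Every Allow ACE on this object that permits WriteProperty on 'member', either explicitly
    # (ObjectType = member) or via an all-properties / GenericWrite / GenericAll grant
    # (ObjectType = empty GUID). This is what the Advanced dialog shows.
    param([string] $Path, [Guid] $AttributeGuid)

    $entry = [ADSI]$Path
    $writeProp = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            (([int]$_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
            ($_.ObjectType -eq $AttributeGuid -or $_.ObjectType -eq [Guid]::Empty)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited
}

Grant-GroupMemberWrite -Path $groupPath -Trustee $trustee -AttributeGuid $memberGuid -ClassGuid $groupClass
Get-MemberWriters -Path $groupPath -AttributeGuid $memberGuid | Format-Table -AutoSize
```

Get-MemberWriters is also the check to run when auditing who can change a group's membership: anyone it lists, including trustees that got there through GenericAll or an all-properties write further up the OU tree, can add members to the group.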

kevaroo (Author) commented:
Thanks again Chris.
Your solution has worked fine.
Cheers Kev
Windows 2000