Granting Write access to a User Object in AD 2000

I want to be able to grant users write access to group/user object in AD using a VB script. I got the below script from the Microsoft website which assigns read/write Personal Information.
I have tried modifying the script to give write access but have failed each time.

How can I modify the script to apply write access to the group object?

Thanks Kev


' ACE type and access-mask constants from the ADSI (iads.h) enumerations
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2
Const ADS_ACEFLAG_INHERIT_ACE = &H2
 
' Bind to the target object and read its security descriptor and DACL
Set objSDUtil = GetObject("LDAP://cn=test_changed_1,ou=Distribution Lists,dc=test,dc=net")
Set objSD = objSDUtil.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryACL
 
Set objAce = CreateObject("AccessControlEntry")
 
objAce.Trustee = "domain\username"
objAce.AceFlags = ADS_ACEFLAG_INHERIT_ACE
objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAce.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT OR ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
' ObjectType: the property set the ACE applies to (here Personal Information)
objAce.ObjectType = "{77b5b886-944a-11d1-aebd-0000f80367c1}"
' InheritedObjectType: the object class the ACE is inherited by (here User)
objAce.InheritedObjectType = "{BF967ABA-0DE6-11D0-A285-00AA003049E2}"
objAce.AccessMask = ADS_RIGHT_DS_READ_PROP OR ADS_RIGHT_DS_WRITE_PROP
objDACL.AddAce objAce
 
' Write the modified DACL back into the descriptor and commit it to the directory
objSD.DiscretionaryAcl = objDACL
 
objSDUtil.Put "ntSecurityDescriptor", Array(objSD)
objSDUtil.SetInfo
MsgBox "Finished"


kevaroo Asked:

Chris Dent, PowerShell Developer, Commented:

Ahh cool :)

There's not a property set for that one, instead we must set ObjectType to the GUID of the Member Attribute, like this:

objAce.ObjectType = "{bf9679c0-0de6-11d0-a285-00aa003049e2}"

Plugging that into the code above means that, for a group, we grant Read and Write access to the member attribute, allowing us to modify the group membership.

Chris
 
Chris Dent, PowerShell Developer, Commented:

Hi Kev,

It's actually very easy to make the permission you're setting apply to Group objects. You just need to change this part:

objACE.InheritedObjectType = "{BF967ABA-0DE6-11D0-A285-00AA003049E2}"

That one contains the GUID of the User Object (as documented in the Schema Reference), if you substitute it for the Group Object the permission will be set to apply to groups:

objACE.InheritedObjectType = "{BF967A9C-0DE6-11D0-A285-00AA003049E2}"

Here's the Schema Reference if you need any other object type GUIDs:

http://msdn2.microsoft.com/en-us/library/ms680938%28VS.85%29.aspx

Is that what you're looking for?

Chris
 
kevaroo (Author) Commented:
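As an added example (not from the thread or from Microsoft's sample), the same attribute-specific ACE can be set from PowerShell with System.DirectoryServices using the two GUIDs Chris quotes (the member attribute and the Group class). The second function lists who can write the member attribute of a group, whether through such an attribute-specific ACE or through a "write all properties" grant (empty ObjectType), which is the form the Security tab's plain Write box reflects; $GroupDn and $Trustee are placeholders.

```powershell
# Added example: grant and then audit write access to a group's 'member' attribute.
# Assumes a domain-joined host with rights to modify the group's DACL.
Add-Type -AssemblyName System.DirectoryServices

# Schema GUIDs quoted in the thread (attribute 'member', class 'group').
$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$GroupClassGuid = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'

function Grant-GroupMemberWrite {
    param(
        [Parameter(Mandatory)][string]$GroupDn,   # e.g. 'CN=test_changed_1,OU=Distribution Lists,DC=test,DC=net'
        [Parameter(Mandatory)][string]$Trustee    # placeholder form 'DOMAIN\username'
    )
    $entry = [System.DirectoryServices.DirectoryEntry]"LDAP://$GroupDn"
    $sid = ([System.Security.Principal.NTAccount]$Trustee).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # Object-specific ACE: ReadProperty + WriteProperty on 'member' only,
    # inherited by Group objects (mirrors ObjectType / InheritedObjectType in the VBScript).
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $MemberAttrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All,
        $GroupClassGuid)
    $entry.ObjectSecurity.AddAccessRule($rule)
    $entry.CommitChanges()
}

function Get-GroupMemberWriteGrants {
    param([Parameter(Mandatory)][string]$GroupDn)
    $entry = [System.DirectoryServices.DirectoryEntry]"LDAP://$GroupDn"
    # Explicit and inherited rules, identities resolved to DOMAIN\name.
    $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
            # Empty ObjectType means the rule covers every property, not just 'member'.
            ($_.ObjectType -eq $MemberAttrGuid -or $_.ObjectType -eq [Guid]::Empty)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

# Usage (placeholders):
# Grant-GroupMemberWrite -GroupDn 'CN=test_changed_1,OU=Distribution Lists,DC=test,DC=net' -Trustee 'DOMAIN\username'
# Get-GroupMemberWriteGrants -GroupDn 'CN=test_changed_1,OU=Distribution Lists,DC=test,DC=net'
```

Running the second function before and after the grant shows the new rule with ObjectType equal to the member GUID; any row with an empty ObjectType is a broader all-properties grant worth reviewing.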
Chris,

I have tried as you have suggested. I still do not get the write access granted on the security tab of the group. If I select advanced it does show the account with write property to the group object, which does not give the level of access required.

How can I assign the write access property so it is shown enabled on the Security tab on the group object?

Kev
 
Chris Dent, PowerShell Developer, Commented:

That's because by virtue of this line:

objAce.ObjectType = "{77b5b886-944a-11d1-aebd-0000f80367c1}"

You're setting a specific permission that won't appear under the GUI for the group. Exactly which property are you looking to set here? Or just all properties?

Chris
 
kevaroo (Author) Commented:
I am looking specifically to set the write permission, but would be interested in being able to set other permissions too. Is there a link to a site that provides a list of these GUIDs?
 
kevaroo (Author) Commented:
The permission I need to set is the read/write memberof for a group object.
 
kevaroo (Author) Commented:
Thanks again Chris
Your solution has worked fine.
Cheers Kev