Solved

Active Directory User Object Security Properties

Posted on 2009-04-23
Last Modified: 2012-06-27
I am looking for a script that will enable all users in my domain to update their own personal information in Active Directory. I have to this point only found scripts that will delegate control over an OU to a user, but not for each individual user to modify their own information.
' Constants from the ADSI type library (ADS_* enumerations used by IADsAccessControlEntry)
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5        ' object-specific Allow ACE
Const ADS_RIGHT_DS_READ_PROP = &H10                  ' read a property or property set
Const ADS_RIGHT_DS_WRITE_PROP = &H20                 ' write a property or property set
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1             ' ObjectType GUID is meaningful
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2   ' InheritedObjectType GUID is meaningful
Const ADS_ACEFLAG_INHERIT_ACE = &H2                  ' child objects inherit this ACE

' Bind to the OU and read its security descriptor and DACL
Set objSdUtil = GetObject("LDAP://OU=Finance,DC=fabrikam,DC=com")
Set objSD = objSdUtil.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryACL

Set objAce = CreateObject("AccessControlEntry")

' Trustee is a single named account here. To let every user edit only their own
' object, the well-known principal "NT AUTHORITY\SELF" is used as the trustee instead.
objAce.Trustee = "FABRIKAM\kmyer"
objAce.AceFlags = ADS_ACEFLAG_INHERIT_ACE
objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAce.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT OR ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
objAce.ObjectType = "{77b5b886-944a-11d1-aebd-0000f80367c1}"          ' "Personal Information" property set
objAce.InheritedObjectType = "{BF967ABA-0DE6-11D0-A285-00AA003049E2}" ' user class: ACE applies to user objects only
objAce.AccessMask = ADS_RIGHT_DS_READ_PROP OR ADS_RIGHT_DS_WRITE_PROP
objDACL.AddAce objAce

' Put the modified DACL back into the descriptor and commit it to the directory
objSD.DiscretionaryACL = objDACL
objSdUtil.Put "ntSecurityDescriptor", Array(objSD)
objSdUtil.SetInfo

Question by:minthor11
8 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24220842
I won't blow smoke about the script - not sure about that.
If the script ends up not doing it for you, there are a few third-party tools that also fit this need:
http://www.directory-update.com/Active_Directory_Update_Home.aspx  -  very good price and a good product
http://www.namescape.com/Products/rDirectory/Default.aspx
I haven't tried rDirectory but have seen it mentioned on other forums.
Thanks
Mike
 
LVL 1

Author Comment

by:minthor11
ID: 24221352
Well I was able to kind of work out a solution. I did a search for user objects that were not inheriting attributes from the parent object and corrected all accounts that were safe to modify using Manage Engine's AD Manager Plus. Then I went through and ran the following command on the OUs containing user accounts:

DSACLS "<DISTINGUISHED NAME OF OU>" /G "SELF:RPWP;Personal Information;user" /I:S

 
LVL 6

Expert Comment

by:bdesmond
ID: 24237236
Out of the box that permission is already delegated, so, if it wasn't there, you changed something from the default...

Thanks,
Brian Desmond
Active Directory MVP
 
LVL 1

Author Comment

by:minthor11
ID: 24238472
Yes, and it was only about 5% of the users that had an issue. This setting is required to publish certificates to the GAL in Outlook 2007. Is there a way to check and see if this is still automated in AD, as we will probably be adding at least 100 (probably more) new users in the upcoming months and they will all need to be able to publish their certs?
 
LVL 1

Author Comment

by:minthor11
ID: 24238476
Objection to closure as I am requesting more information.
 
LVL 6

Accepted Solution

by:bdesmond (earned 1200 total points)
ID: 24238552
What's the adminCount attribute set to on users that have an issue?

Thanks,
Brian Desmond
Active Directory MVP
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 800 total points
ID: 24239062
If what Brian asked you to look at is higher than 0, take a look at this blog entry about AdminSDHolder:
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx
Thanks
Mike
 
LVL 1

Author Comment

by:minthor11
ID: 24239318
That appears to be what the issue was. I am not quite sure why some of these accounts (including my own) would have an adminCount higher than 0, but they did.
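The thread ends with two checks the asker wanted but never wrote down: whether each user object actually carries an Allow ACE for SELF on the "Personal Information" property set (the ACE the VBScript and the dsacls command above create), and whether the account is marked with adminCount, which is the AdminSDHolder condition Brian and Mike point at. The following PowerShell script is an added audit example written for this page; it is not code from the thread or from any of the products mentioned. It assumes the RSAT ActiveDirectory module is installed, that the caller can read user objects, and it uses a placeholder search base taken from the question. It only reads; it changes nothing.

```powershell
# Added audit example, not part of the original thread. Assumes the RSAT ActiveDirectory
# module and read access to the user objects. Read-only: it reports, it does not modify.
Import-Module ActiveDirectory

# GUIDs as used in the thread's VBScript and dsacls command
$PersonalInfoSet = [Guid]'77b5b886-944a-11d1-aebd-0000f80367c1'   # "Personal Information" property set
$UserClass       = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class

# Placeholder taken from the question; replace with the OU(s) that hold your user accounts
$SearchBase = 'OU=Finance,DC=fabrikam,DC=com'

$WriteProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$report = Get-ADUser -SearchBase $SearchBase -Filter * -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        $user = $_
        $acl  = $user.nTSecurityDescriptor   # System.DirectoryServices.ActiveDirectorySecurity

        # An Allow ACE for SELF granting WriteProperty on the Personal Information set.
        # Inherited from the OU it carries the user class GUID in InheritedObjectType;
        # applied directly to the object it carries an empty GUID. Both satisfy the need.
        $selfAce = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
            $_.AccessControlType -eq 'Allow' -and
            $_.ObjectType -eq $PersonalInfoSet -and
            ($_.InheritedObjectType -eq $UserClass -or $_.InheritedObjectType -eq [Guid]::Empty) -and
            (($_.ActiveDirectoryRights -band $WriteProp) -ne 0)
        }

        [PSCustomObject]@{
            SamAccountName       = $user.SamAccountName
            DistinguishedName    = $user.DistinguishedName
            AdminCount           = $user.adminCount           # 1 => SDProp stamps AdminSDHolder's ACL on it
            InheritanceBlocked   = $acl.AreAccessRulesProtected
            SelfCanWritePersonal = [bool]$selfAce
        }
    }

# Accounts that will not pick up (or will keep losing) the OU-level delegation, and why
$report |
    Where-Object { -not $_.SelfCanWritePersonal -or $_.AdminCount -ge 1 -or $_.InheritanceBlocked } |
    Format-Table SamAccountName, AdminCount, InheritanceBlocked, SelfCanWritePersonal -AutoSize
```

Run it after the dsacls command has been applied to the OU. A user that shows AdminCount 1 and InheritanceBlocked True is one the SDProp process has protected because it is (or once was) a member of a protected group; re-enabling inheritance on such an account by hand is undone on the next SDProp pass, so the lasting fix is to take the account out of the protected groups it does not need, then clear adminCount and re-enable inheritance, which matches what the asker found for the roughly 5% of accounts that were affected.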
