

Reading Active Directory OU Advanced Security Settings

Hi,
I'm trying to write a script to pull the SACL of every OU from Active Directory for audit purposes.
I've found some useful information about this; however, whenever I test the scripts I get errors, and I think it's because of permissions.

http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html

http://gallery.technet.microsoft.com/scriptcenter/en-us/42c14081-e568-486e-a2d2-176019810cf6


However, when I use "Active Directory Explorer" I am able to open the properties of an OU and then view the advanced information on the Security tab, which shows me this information.

Am i doing something wrong?
Is there a simple way I can get this information with an LDAP query and dump it out into Excel?

In the code below, I can't get past

intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

as this is where I get the error "The directory property cannot be found in the cache", which apparently means I don't have the correct permissions?!
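' Dumps the auditing (SACL) settings of one OU so they can be reviewed.
'
' Reading the SACL half of ntSecurityDescriptor requires the SeSecurityPrivilege
' ("Manage auditing and security log") on the domain controller answering the
' bind; by default only Administrators hold it.  Without it ADSI does not
' populate the property and the Get below fails with
' "The directory property cannot be found in the cache".  The DACL, owner and
' group can be read by any authenticated user, which is why a GUI tool shows
' the Security tab but not the audit entries.
Const SE_SACL_PROTECTED = &H2000
Const ADS_SECURITY_INFO_OWNER = &H1
Const ADS_SECURITY_INFO_GROUP = &H2
Const ADS_OPTION_SECURITY_MASK = &H3
Const ADS_SECURITY_INFO_DACL = &H4
Const ADS_SECURITY_INFO_SACL = &H8

' ADsPath of the OU to audit (sample value from the original script).
strOuPath = "LDAP://ou=Sales,dc=NA,dc=fabrikam,dc=com"

On Error Resume Next
Set objContainer = GetObject(strOuPath)
If Err.Number <> 0 Then
    WScript.Echo "Cannot bind to " & strOuPath & ": " & Err.Description
    WScript.Quit 1
End If

' Ask ADSI for every part of the descriptor; the default security mask omits
' the SACL, so SystemAcl would otherwise come back empty.
objContainer.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_OWNER _
    Or ADS_SECURITY_INFO_GROUP Or ADS_SECURITY_INFO_DACL _
    Or ADS_SECURITY_INFO_SACL

Set objNtSecurityDescriptor = objContainer.Get("ntSecurityDescriptor")
If Err.Number <> 0 Then
    ' Report explicitly instead of dying on the .Control access below.
    WScript.Echo "Cannot read ntSecurityDescriptor (with SACL) from " & _
        strOuPath & ": " & Err.Description
    WScript.Echo "Reading the SACL requires the SeSecurityPrivilege " & _
        "(Manage auditing and security log) on the domain controller."
    WScript.Quit 1
End If
On Error GoTo 0

intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

WScript.Echo "Auditing Tab"
' SE_SACL_PROTECTED set means audit entries from the parent are not inherited.
' A space is needed after "from": the original concatenation printed "fromthe".
strMessage = "Allow inheritable auditing entries from " & _
    "the parent to propogate to this object and all child objects "
If (intNtSecurityDescriptorControl And SE_SACL_PROTECTED) Then
    Wscript.Echo strMessage & "is disabled."
Else
    WScript.Echo strMessage & "is enabled."
End If
WScript.Echo

Set objSacl = objNtSecurityDescriptor.SystemAcl
DisplayAceInformation objSacl, "SACL"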
  
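' Prints every ACE in the supplied ACL except those whose trustee begins with
' "NT AUTHORITY" (built-in principals are skipped, as in the original script;
' drop that filter if the audit must be complete).
'   SecurityStructure - an ACL object that enumerates ACEs, e.g. the SystemAcl
'                       of an ntSecurityDescriptor
'   strType           - label printed before each entry, e.g. "SACL"
' For audit ACEs the AceFlags are decoded so the report shows whether the
' entry records successful accesses, failed accesses, or both, and whether it
' was inherited from a parent rather than set on this object.  Object ACEs
' (type &H7) may scope the audit to one attribute or class via ObjectType;
' that GUID is not printed here.
Sub DisplayAceInformation(SecurityStructure, strType)
    Const ADS_ACETYPE_SYSTEM_AUDIT = &H2
    Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7
    ' ADS_ACEFLAG_ENUM bits relevant to audit entries.
    Const ADS_ACEFLAG_INHERITED_ACE = &H10
    Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40
    Const ADS_ACEFLAG_FAILED_ACCESS = &H80

    intAceCount = 0
    For Each objAce In SecurityStructure
        ' "NT AUTHORITY" is 12 characters; compare mode 1 is case-insensitive.
        strTrustee = Mid(objAce.Trustee, 1, 12)
        If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then
            intAceCount = intAceCount + 1
            WScript.Echo strType & " permission entry: " & intAceCount
            WScript.Echo "Name: " & objAce.Trustee

            intAceType = objAce.AceType
            WScript.Echo "ACETYPE IS: " & intAceType
            If (intAceType = ADS_ACETYPE_SYSTEM_AUDIT Or _
                intAceType = ADS_ACETYPE_SYSTEM_AUDIT_OBJECT) Then
                ' Success / failure is carried in the ACE flags, not the type.
                intAceFlags = objAce.AceFlags
                strAudit = ""
                If (intAceFlags And ADS_ACEFLAG_SUCCESSFUL_ACCESS) Then strAudit = "Success"
                If (intAceFlags And ADS_ACEFLAG_FAILED_ACCESS) Then
                    If strAudit <> "" Then strAudit = strAudit & " and "
                    strAudit = strAudit & "Failure"
                End If
                ' Neither flag set: keep the original wording rather than guess.
                If strAudit = "" Then strAudit = "Success or Failure"
                WScript.StdOut.Write "Type: " & strAudit & " Audit"
                If (intAceFlags And ADS_ACEFLAG_INHERITED_ACE) Then _
                    WScript.StdOut.Write " (inherited)"
            Else
                WScript.StdOut.Write "Audit Type Unknown."
            End If
            ' Sub call: no parentheses, so the argument is passed as-is.
            ReadBitsInAccessMask objAce.AccessMask
            WScript.Echo
        End If
    Next
End Sub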
  
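' Decodes an ACE access mask (ADS_RIGHTS_ENUM bits) into readable lines.
'   AccessMask - the AccessMask property of an ACE
' In a SACL entry the mask says which kinds of access are audited, not which
' are granted.  Generic rights, SYNCHRONIZE and ACCESS_SYSTEM_SECURITY are
' decoded as well: the original only knew the standard and DS-specific bits,
' so an entry whose mask held only generic bits printed no rights at all.
Sub ReadBitsInAccessMask(AccessMask)
    ' Standard rights.
    Const ADS_RIGHT_DELETE = &H10000
    Const ADS_RIGHT_READ_CONTROL = &H20000
    Const ADS_RIGHT_WRITE_DAC = &H40000
    Const ADS_RIGHT_WRITE_OWNER = &H80000
    Const ADS_RIGHT_SYNCHRONIZE = &H100000
    Const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &H1000000
    ' Generic rights (mapped by the DS to sets of the specific rights).
    Const ADS_RIGHT_GENERIC_ALL = &H10000000
    Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000
    Const ADS_RIGHT_GENERIC_WRITE = &H40000000
    Const ADS_RIGHT_GENERIC_READ = &H80000000
    ' Directory-service specific rights.
    Const ADS_RIGHT_DS_CREATE_CHILD = &H1
    Const ADS_RIGHT_DS_DELETE_CHILD = &H2
    Const ADS_RIGHT_ACTRL_DS_LIST = &H4
    Const ADS_RIGHT_DS_SELF = &H8
    Const ADS_RIGHT_DS_READ_PROP = &H10
    Const ADS_RIGHT_DS_WRITE_PROP = &H20
    Const ADS_RIGHT_DS_DELETE_TREE = &H40
    Const ADS_RIGHT_DS_LIST_OBJECT = &H80
    Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

    WScript.Echo VbCrLf & "Standard Access Rights"
    If (AccessMask And ADS_RIGHT_DELETE) Then _
        WScript.Echo vbTab & "-Delete an object."
    If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _
        WScript.Echo vbTab & "-Read permissions."
    If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _
        WScript.Echo vbTab & "-Write permissions."
    If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _
        WScript.Echo vbTab & "-Modify owner."
    If (AccessMask And ADS_RIGHT_SYNCHRONIZE) Then _
        WScript.Echo vbTab & "-Synchronize."
    If (AccessMask And ADS_RIGHT_ACCESS_SYSTEM_SECURITY) Then _
        WScript.Echo vbTab & "-Read or write the SACL (access system security)."

    WScript.Echo VbCrLf & "Generic Access Rights"
    If (AccessMask And ADS_RIGHT_GENERIC_ALL) Then _
        WScript.Echo vbTab & "-Generic all (full control)."
    If (AccessMask And ADS_RIGHT_GENERIC_EXECUTE) Then _
        WScript.Echo vbTab & "-Generic execute."
    If (AccessMask And ADS_RIGHT_GENERIC_WRITE) Then _
        WScript.Echo vbTab & "-Generic write."
    If (AccessMask And ADS_RIGHT_GENERIC_READ) Then _
        WScript.Echo vbTab & "-Generic read."

    WScript.Echo VbCrLf & "Directory Service Specific Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _
        WScript.Echo vbTab & "-Create child objects."
    If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _
        WScript.Echo vbTab & "-Delete child objects."
    If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _
        WScript.Echo vbTab & "-Enumerate an object."
    If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _
        WScript.Echo vbTab & "-Read the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _
        WScript.Echo vbTab & "-Write the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _
        WScript.Echo vbTab & "-Delete a tree of objects"
    If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _
        WScript.Echo vbTab & "-List a tree of objects."

    WScript.Echo VbCrLf & "Control Access Rights"
    ' One masked test replaces the original sum of two separate And results.
    If (AccessMask And (ADS_RIGHT_DS_CONTROL_ACCESS Or ADS_RIGHT_DS_SELF)) = 0 Then
        WScript.Echo "-None"
    Else
        If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _
            WScript.Echo vbTab & "-Extended access rights."
        If (AccessMask And ADS_RIGHT_DS_SELF) Then
            WScript.Echo vbTab & "-Active Directory must validate a property "
            WScript.Echo vbTab & " write operation beyond the schema " & _
                "definition "
            WScript.Echo vbTab & " for the attribute."
        End If
    End If
End Sub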



Hi,

What if you use a command-line tool which can simply do that for you? :)

dsacls "ou=OU_name,dc=domain,dc=local"

Regards,
Krzysztof

dsacls is not recognised?
Try the script below; I hope this works for you (edit wherever required).

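' Dumps the auditing (SACL) settings of one OU so they can be reviewed.
'
' Reading the SACL half of ntSecurityDescriptor requires the SeSecurityPrivilege
' ("Manage auditing and security log") on the domain controller answering the
' bind; by default only Administrators hold it.  Without it ADSI does not
' populate the property and the Get below fails with
' "The directory property cannot be found in the cache".  The DACL, owner and
' group can be read by any authenticated user, which is why a GUI tool shows
' the Security tab but not the audit entries.
Const SE_SACL_PROTECTED = &H2000
Const ADS_SECURITY_INFO_OWNER = &H1
Const ADS_SECURITY_INFO_GROUP = &H2
Const ADS_OPTION_SECURITY_MASK = &H3
Const ADS_SECURITY_INFO_DACL = &H4
Const ADS_SECURITY_INFO_SACL = &H8

' ADsPath of the OU to audit (placeholder value from the original post).
strOuPath = "LDAP://ou=Sales,dc=YourCompanyDC,dc=fabrikam,dc=com"

On Error Resume Next
Set objContainer = GetObject(strOuPath)
If Err.Number <> 0 Then
    WScript.Echo "Cannot bind to " & strOuPath & ": " & Err.Description
    WScript.Quit 1
End If

' Ask ADSI for every part of the descriptor; the default security mask omits
' the SACL, so SystemAcl would otherwise come back empty.
objContainer.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_OWNER _
    Or ADS_SECURITY_INFO_GROUP Or ADS_SECURITY_INFO_DACL _
    Or ADS_SECURITY_INFO_SACL

Set objNtSecurityDescriptor = objContainer.Get("ntSecurityDescriptor")
If Err.Number <> 0 Then
    ' Report explicitly instead of dying on the .Control access below.
    WScript.Echo "Cannot read ntSecurityDescriptor (with SACL) from " & _
        strOuPath & ": " & Err.Description
    WScript.Echo "Reading the SACL requires the SeSecurityPrivilege " & _
        "(Manage auditing and security log) on the domain controller."
    WScript.Quit 1
End If
On Error GoTo 0

intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

WScript.Echo "Auditing Tab"
' SE_SACL_PROTECTED set means audit entries from the parent are not inherited.
' A space is needed after "from": the original concatenation printed "fromthe".
strMessage = "Allow inheritable auditing entries from " & _
    "the parent to propogate to this object and all child objects "
If (intNtSecurityDescriptorControl And SE_SACL_PROTECTED) Then
    Wscript.Echo strMessage & "is disabled."
Else
    WScript.Echo strMessage & "is enabled."
End If
WScript.Echo

Set objSacl = objNtSecurityDescriptor.SystemAcl
DisplayAceInformation objSacl, "SACL"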
 
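' Prints every ACE in the supplied ACL except those whose trustee begins with
' "NT AUTHORITY" (built-in principals are skipped, as in the original script;
' drop that filter if the audit must be complete).
'   SecurityStructure - an ACL object that enumerates ACEs, e.g. the SystemAcl
'                       of an ntSecurityDescriptor
'   strType           - label printed before each entry, e.g. "SACL"
' For audit ACEs the AceFlags are decoded so the report shows whether the
' entry records successful accesses, failed accesses, or both, and whether it
' was inherited from a parent rather than set on this object.  Object ACEs
' (type &H7) may scope the audit to one attribute or class via ObjectType;
' that GUID is not printed here.
Sub DisplayAceInformation(SecurityStructure, strType)
    Const ADS_ACETYPE_SYSTEM_AUDIT = &H2
    Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7
    ' ADS_ACEFLAG_ENUM bits relevant to audit entries.
    Const ADS_ACEFLAG_INHERITED_ACE = &H10
    Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40
    Const ADS_ACEFLAG_FAILED_ACCESS = &H80

    intAceCount = 0
    For Each objAce In SecurityStructure
        ' "NT AUTHORITY" is 12 characters; compare mode 1 is case-insensitive.
        strTrustee = Mid(objAce.Trustee, 1, 12)
        If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then
            intAceCount = intAceCount + 1
            WScript.Echo strType & " permission entry: " & intAceCount
            WScript.Echo "Name: " & objAce.Trustee

            intAceType = objAce.AceType
            WScript.Echo "ACETYPE IS: " & intAceType
            If (intAceType = ADS_ACETYPE_SYSTEM_AUDIT Or _
                intAceType = ADS_ACETYPE_SYSTEM_AUDIT_OBJECT) Then
                ' Success / failure is carried in the ACE flags, not the type.
                intAceFlags = objAce.AceFlags
                strAudit = ""
                If (intAceFlags And ADS_ACEFLAG_SUCCESSFUL_ACCESS) Then strAudit = "Success"
                If (intAceFlags And ADS_ACEFLAG_FAILED_ACCESS) Then
                    If strAudit <> "" Then strAudit = strAudit & " and "
                    strAudit = strAudit & "Failure"
                End If
                ' Neither flag set: keep the original wording rather than guess.
                If strAudit = "" Then strAudit = "Success or Failure"
                WScript.StdOut.Write "Type: " & strAudit & " Audit"
                If (intAceFlags And ADS_ACEFLAG_INHERITED_ACE) Then _
                    WScript.StdOut.Write " (inherited)"
            Else
                WScript.StdOut.Write "Audit Type Unknown."
            End If
            ' Sub call: no parentheses, so the argument is passed as-is.
            ReadBitsInAccessMask objAce.AccessMask
            WScript.Echo
        End If
    Next
End Sub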
 
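' Decodes an ACE access mask (ADS_RIGHTS_ENUM bits) into readable lines.
'   AccessMask - the AccessMask property of an ACE
' In a SACL entry the mask says which kinds of access are audited, not which
' are granted.  Generic rights, SYNCHRONIZE and ACCESS_SYSTEM_SECURITY are
' decoded as well: the original only knew the standard and DS-specific bits,
' so an entry whose mask held only generic bits printed no rights at all.
Sub ReadBitsInAccessMask(AccessMask)
    ' Standard rights.
    Const ADS_RIGHT_DELETE = &H10000
    Const ADS_RIGHT_READ_CONTROL = &H20000
    Const ADS_RIGHT_WRITE_DAC = &H40000
    Const ADS_RIGHT_WRITE_OWNER = &H80000
    Const ADS_RIGHT_SYNCHRONIZE = &H100000
    Const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &H1000000
    ' Generic rights (mapped by the DS to sets of the specific rights).
    Const ADS_RIGHT_GENERIC_ALL = &H10000000
    Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000
    Const ADS_RIGHT_GENERIC_WRITE = &H40000000
    Const ADS_RIGHT_GENERIC_READ = &H80000000
    ' Directory-service specific rights.
    Const ADS_RIGHT_DS_CREATE_CHILD = &H1
    Const ADS_RIGHT_DS_DELETE_CHILD = &H2
    Const ADS_RIGHT_ACTRL_DS_LIST = &H4
    Const ADS_RIGHT_DS_SELF = &H8
    Const ADS_RIGHT_DS_READ_PROP = &H10
    Const ADS_RIGHT_DS_WRITE_PROP = &H20
    Const ADS_RIGHT_DS_DELETE_TREE = &H40
    Const ADS_RIGHT_DS_LIST_OBJECT = &H80
    Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

    WScript.Echo VbCrLf & "Standard Access Rights"
    If (AccessMask And ADS_RIGHT_DELETE) Then _
        WScript.Echo vbTab & "-Delete an object."
    If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _
        WScript.Echo vbTab & "-Read permissions."
    If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _
        WScript.Echo vbTab & "-Write permissions."
    If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _
        WScript.Echo vbTab & "-Modify owner."
    If (AccessMask And ADS_RIGHT_SYNCHRONIZE) Then _
        WScript.Echo vbTab & "-Synchronize."
    If (AccessMask And ADS_RIGHT_ACCESS_SYSTEM_SECURITY) Then _
        WScript.Echo vbTab & "-Read or write the SACL (access system security)."

    WScript.Echo VbCrLf & "Generic Access Rights"
    If (AccessMask And ADS_RIGHT_GENERIC_ALL) Then _
        WScript.Echo vbTab & "-Generic all (full control)."
    If (AccessMask And ADS_RIGHT_GENERIC_EXECUTE) Then _
        WScript.Echo vbTab & "-Generic execute."
    If (AccessMask And ADS_RIGHT_GENERIC_WRITE) Then _
        WScript.Echo vbTab & "-Generic write."
    If (AccessMask And ADS_RIGHT_GENERIC_READ) Then _
        WScript.Echo vbTab & "-Generic read."

    WScript.Echo VbCrLf & "Directory Service Specific Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _
        WScript.Echo vbTab & "-Create child objects."
    If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _
        WScript.Echo vbTab & "-Delete child objects."
    If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _
        WScript.Echo vbTab & "-Enumerate an object."
    If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _
        WScript.Echo vbTab & "-Read the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _
        WScript.Echo vbTab & "-Write the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _
        WScript.Echo vbTab & "-Delete a tree of objects"
    If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _
        WScript.Echo vbTab & "-List a tree of objects."

    WScript.Echo VbCrLf & "Control Access Rights"
    ' One masked test replaces the original sum of two separate And results.
    If (AccessMask And (ADS_RIGHT_DS_CONTROL_ACCESS Or ADS_RIGHT_DS_SELF)) = 0 Then
        WScript.Echo "-None"
    Else
        If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _
            WScript.Echo vbTab & "-Extended access rights."
        If (AccessMask And ADS_RIGHT_DS_SELF) Then
            WScript.Echo vbTab & "-Active Directory must validate a property "
            WScript.Echo vbTab & " write operation beyond the schema " & _
                "definition "
            WScript.Echo vbTab & " for the attribute."
        End If
    End If
End Sub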

Hope this works; reply whether it works or not.
OK, you need to install the Windows 2003 Server Support Tools Pack on your workstation from its CD#1,
or type this command on a DC :)

Krzysztof
isiek - I can't do that, I'm afraid!

Ahmed786: - doesn't work; is that not exactly the same code that I posted?
What are you afraid of? When you install the Support Tools Pack nothing bad happens. DSACLS without any parameters works in read-only mode and it's a native Microsoft tool, so IMHO it's more secure than a VBS script :)

Krzysztof
The thing is that I need a VBS script so I can export this info into Excel to be used for analysis.
When you run the script, are you sure you're running it as a Domain Administrator?  When you run it, what errors do you get, and what line is it?

Rob.
nope
Just as a normal user - do you have to be a DA to do this, then?
thanks for the info, cant get DA access, so have to close this down