Solved

Active Directory Permissions using Vbscript

Posted on 2011-04-20
Last Modified: 2012-05-11
We are trying to give a group access to some of the Active Directory IDs so that it can unlock those accounts. For that we need to grant write access to the lockoutTime attribute.

We have created a script for this because the number of accounts is large and they are in different OUs.

We created the script below, but it gives the error "Code Error 800A01AD - ActiveX component can't create object".

The script is as below.

=============================================================================
Option Explicit

Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2

Dim objSDUtil, objSD, objDACL, objAce

' Bind to the user object whose security descriptor is to be changed
Set objSDUtil = GetObject("LDAP://CN=Rob Young,OU=Finance,DC=fabrikam,DC=Com")
Set objSD = objSDUtil.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryACL

' Build an object-specific ACE that grants rights on a single attribute,
' identified by the attribute's schemaIDGUID
Set objAce = CreateObject("AccessControlEntry")

objAce.Trustee = "FABRIKAM\UserGroup"
objAce.AceFlags = 0                  ' no inheritance flags: applies to this object only
objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAce.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
' schemaIDGUID of the attribute, as a full {8-4-4-4-12} string;
' compare it with the schemaIDGUID of CN=Lockout-Time in the schema partition
objAce.ObjectType = "{848B19E1-6335-4F93-ADA1-510D63F1FDC7}"
objAce.AccessMask = ADS_RIGHT_DS_READ_PROP Or ADS_RIGHT_DS_WRITE_PROP
objDACL.AddAce objAce

objSD.DiscretionaryAcl = objDACL

' Write the modified descriptor back; Put expects the descriptor wrapped in an array
objSDUtil.Put "ntSecurityDescriptor", Array(objSD)
objSDUtil.SetInfo
=============================================================================

The GUID is for the lockoutTime attribute, which I got from somewhere.

Please suggest
Question by: Neo_78

5 Comments
 
Expert Comment

by: Tony Massa
ID: 35432781
You have to be aware of the AdminSDHolder and SDProp process. Any account that has been an admin will have its permissions reset every hour if the adminCount attribute is set to "1".
http://support.microsoft.com/kb/306398
http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx

Here's how you can delegate the right
http://support.microsoft.com/kb/279723/en-us
 

Author Comment

by: Neo_78
ID: 35440357

Thanks "tmassa99". This is absolutely perfect, but is there a way to create a script and run this command against a set of IDs which we will list in a txt file? I have tried the script below, but it says "File not found". The Accounts.txt file is on the desktop and it contains the full DNs of the user IDs.

==============================================================================
Option Explicit

Dim objShell, oFso, sDesktop, sPath, oT, strUser, strCmd

Set objShell = CreateObject("Wscript.Shell")
Set oFso = CreateObject("Scripting.FileSystemObject")
sDesktop = objShell.SpecialFolders("Desktop")
sPath = sDesktop & "\Accounts.txt"

' Accounts.txt holds one distinguishedName per line
Set oT = oFso.OpenTextFile(sPath, 1)      ' 1 = ForReading
Do Until oT.AtEndOfStream
  strUser = Trim(oT.ReadLine())
  If Len(strUser) > 0 Then
    ' The executable name and its arguments must be separated by a space,
    ' and the DN must be quoted because it contains spaces and commas.
    ' /I:S applies the ACE to sub-objects of the named object.
    strCmd = "dsacls """ & strUser & """ /I:S /G Domain\Username:rpwp;lockoutTime;user"
    objShell.Run strCmd, 1, True            ' show the window and wait for dsacls to finish
  End If
Loop
oT.Close

=============================================================================
Expert Comment

by: Tony Massa
ID: 35440576
The DSACLS command should be in the following syntax

DSACLS cn=object,ou=ToSet,ou=Permissions,ou=ON,dc=yourdomain,dc=org /I:S /G "DOMAIN\Group WithSpace":rpwp;lockoutTime;user

You have strComputer in the command, but that variable doesn't exist.

What does your Accounts.txt file contain?  sAMAccountNames?
Accepted Solution

by: Neo_78
ID: 35440717
The variable is defined as strUser and the same name is used in the command as well. I forgot to change it in the post above.

Secondly, the txt file contains the distinguishedName of the accounts.

Also, the permission I am setting is getting applied, but the admin user is not able to unlock the account; it is grayed out. I have checked: the command applies the changes to the User object (rpwp;lockoutTime;user), but when I do it manually and apply the changes to "this object and all the child objects", the admin is able to unlock the account.

Is there a way to configure that using the dsacls command instead of the user parameter at the end?

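Added example, written in PowerShell rather than the thread's VBScript and dsacls, and not part of any post above. It applies the delegation discussed in this thread to every DN in Accounts.txt and deals with the two problems raised here. First, dsacls /I:S writes an ACE that applies to sub-objects only, so placed on a user object (which has no child objects) it never takes effect, which is why the unlock control stayed grayed out; the script instead writes the ACE on each user object itself with no inheritance. Second, as Tony Massa's AdminSDHolder comment points out, accounts with adminCount=1 have their DACL rewritten by SDProp, so the script skips them and warns. The lockoutTime schemaIDGUID is read from the schema partition rather than hard-coded. The group name FABRIKAM\UserGroup and the Accounts.txt location are assumptions.

```powershell
# Added example (not from the original thread). Grants a group read/write on the
# lockoutTime attribute of each user listed by DN in Accounts.txt, writing the ACE
# on the user object itself, and skips accounts protected by AdminSDHolder.
# Assumed names: the trustee group and the location of Accounts.txt.
param(
    [string]$AccountFile = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Accounts.txt'),
    [string]$Trustee     = 'FABRIKAM\UserGroup'
)

Add-Type -AssemblyName System.DirectoryServices

# Resolve the schemaIDGUID of lockoutTime from the schema (its schema object is
# CN=Lockout-Time) instead of trusting a GUID copied from elsewhere.
$rootDse   = [adsi]'LDAP://RootDSE'
$schemaNC  = $rootDse.Properties['schemaNamingContext'].Value
$attrEntry = [adsi]"LDAP://CN=Lockout-Time,$schemaNC"
[byte[]]$guidBytes = $attrEntry.Properties['schemaIDGUID'].Value
$lockoutGuid = New-Object System.Guid -ArgumentList (,$guidBytes)

# One object-specific ACE, reused for every account: allow ReadProperty and
# WriteProperty on the single attribute identified by $lockoutGuid.
# Inheritance None means the ACE applies to the object it is written on. An
# inherit-only ACE (what dsacls /I:S produces) would never apply to a user
# object, because user objects have no children to inherit it.
$identity = New-Object System.Security.Principal.NTAccount($Trustee)
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList @($identity, $rights, $allow, $lockoutGuid, $inherit)

foreach ($line in Get-Content -Path $AccountFile) {
    $dn = $line.Trim()
    if (-not $dn) { continue }           # skip blank lines

    $user = [adsi]"LDAP://$dn"

    # SDProp copies the AdminSDHolder DACL onto accounts with adminCount=1
    # (every 60 minutes by default), so an ACE written here would be removed
    # again. Those accounts need the ACE on CN=AdminSDHolder,CN=System,<domain>.
    if ($user.Properties['adminCount'].Value -eq 1) {
        Write-Warning "$dn is protected (adminCount=1); skipping. Delegate on AdminSDHolder instead."
        continue
    }

    $user.ObjectSecurity.AddAccessRule($ace)
    $user.CommitChanges()
    Write-Output "Granted $Trustee ReadProperty/WriteProperty on lockoutTime for $dn"
}
```

Run it from a domain-joined machine as an account that may modify the DACL of the target users (WRITE_DAC). The dsacls equivalents are `dsacls "<user DN>" /G "FABRIKAM\UserGroup":RPWP;lockoutTime` for a single user object (no /I: switch, so the ACE applies to that object), or `dsacls "<OU DN>" /I:S /G "FABRIKAM\UserGroup":RPWP;lockoutTime;user` on the container so that the ACE is inherited by the user objects beneath it.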

Author Closing Comment

by: Neo_78
ID: 35821572
As no solution was provided, we want to close the question.
