
Active Directory Permissions using Vbscript

Medium Priority
1,646 Views
Last Modified: 2012-05-11
We are trying to provide access to a group on some of the Active Directory IDs for unlocking those accounts. For that we need to provide write access to the lockout-time attribute.

We have created a script for this because the number of accounts is large and they are in different OUs.

We have created the script below, but it is giving the error "Code Error 800A01AD - ActiveX component can't create object".

The script is as below.

=============================================================================
' ADSI constants for an object-specific (property) ACE
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2

' Bind to the user object and read its security descriptor and DACL
Set objSdUtil = GetObject("LDAP://CN=Rob Young,OU=Finance,DC=fabrikam,DC=Com")
Set objSD = objSdUtil.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryACL

' Build a new ACE that grants the group read/write on one property (identified by its schemaIDGUID)
Set objAce = CreateObject("AccessControlEntry")

objAce.Trustee = "FABRIKAM\UserGroup"
objAce.AceFlags = 0
objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAce.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
' The GUID must be in 8-4-4-4-12 form; the posted value was missing its fourth hyphen.
' Verify this value against the schemaIDGUID of the Lockout-Time attributeSchema object before use.
objAce.ObjectType = "{848B19E1-6335-4F93-ADA1-510D63F1FDC7}"
objAce.AccessMask = ADS_RIGHT_DS_READ_PROP OR ADS_RIGHT_DS_WRITE_PROP
objDACL.AddAce objAce

' Put the modified DACL back into the descriptor and commit it to the directory
objSD.DiscretionaryACL = objDACL

objSdUtil.Put "ntSecurityDescriptor", Array(objSD)
objSdUtil.SetInfo
=============================================================================

The GUID is for Lockout-time attribute which I got from somewhere.

Please suggest

CERTIFIED EXPERT

Commented:
You have to be aware of the AdminSDHolder and SDProp process. Any account that has been an admin will have its permissions reset every hour if the adminCount attribute is set to "1".
http://support.microsoft.com/kb/306398
http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx

Here's how you can delegate the right
http://support.microsoft.com/kb/279723/en-us

Author

Commented:
Thanks "tmassa99". This is absolutely perfect, but is there a way to create a script and run this command against a set of IDs which we will list in a txt file? I have tried the script below but it says File not found. The Accounts.txt file is on the desktop and it contains the full DNs of the user IDs.

==============================================================================
Set objShell = CreateObject("Wscript.Shell")
Set oFso = CreateObject("Scripting.FileSystemObject")
sDesktop = objShell.SpecialFolders("Desktop")
sPath = sDesktop & "\Accounts.txt"
Set oT = oFso.OpenTextFile(sPath, 1)   ' 1 = ForReading
Do Until oT.AtEndOfStream
  sReadFromFile = oT.ReadLine()
  ' The original called Trim(temp) on a variable that was never assigned
  strUser = Trim(sReadFromFile)
  If strUser <> "" Then
    ' The original concatenated "dsacls" directly to the switches (no space) and used an
    ' undefined strComputer, so the shell looked for a program named "dsacls/I:s" and
    ' reported "File not found". The DN is quoted because it may contain spaces.
    objShell.Run "dsacls """ & strUser & """ /I:S /G Domain\Username:rpwp;lockoutTime;user", 0, True
  End If
Loop
oT.Close

=============================================================================
CERTIFIED EXPERT

Commented:
The DSACLS command should use the following syntax:

DSACLS cn=object,ou=ToSet,ou=Permissions,ou=ON,dc=yourdomain,dc=org /I:S /G "DOMAIN\Group WithSpace":rpwp;lockoutTime;user

You have strComputer in the command, but that variable doesn't exist.

What does your Accounts.txt file contain? sAMAccountNames?
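An added PowerShell version of the author's Accounts.txt loop that combines the object-specific ACE from the first script with the AdminSDHolder check from the earlier expert comment; this is example code written for this page, not code posted by any participant. The group name, the file location and the choice to resolve the attribute GUID from the schema instead of hard-coding it are assumptions.

```powershell
# Added example: grant a group read/write on the lockoutTime attribute of every user whose
# DN is listed, one per line, in Accounts.txt on the desktop (not code from the thread).
# Assumptions: $GroupName is the unlock group; the caller has rights to edit those ACLs.
$GroupName   = 'FABRIKAM\UserGroup'
$AccountFile = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Accounts.txt'

# Look up the schemaIDGUID of lockoutTime in the schema partition instead of hard-coding it.
$rootDse  = [ADSI]'LDAP://RootDSE'
$schema   = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
$searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList @(
    $schema, '(&(objectClass=attributeSchema)(lDAPDisplayName=lockoutTime))', @('schemaIDGUID'))
$guidBytes = [byte[]]$searcher.FindOne().Properties['schemaidguid'][0]
$attrGuid  = New-Object System.Guid -ArgumentList (,$guidBytes)

# One object-specific ACE: allow ReadProperty + WriteProperty on that single attribute only.
$trustee = New-Object System.Security.Principal.NTAccount -ArgumentList $GroupName
$rights  = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ace     = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $trustee, $rights, [System.Security.AccessControl.AccessControlType]::Allow, $attrGuid)

foreach ($line in Get-Content -Path $AccountFile) {
    $dn = $line.Trim()
    if ($dn -eq '') { continue }                      # skip blank lines in the text file
    $user = [ADSI]"LDAP://$dn"
    # AdminSDHolder caveat raised in the thread: SDProp rewrites the ACL of protected
    # accounts (adminCount=1) every hour, so an ACE placed there would not survive.
    if ($user.adminCount -eq 1) {
        Write-Warning "$dn has adminCount=1; SDProp would reset this ACE, skipping."
        continue
    }
    $user.ObjectSecurity.AddAccessRule($ace)
    $user.CommitChanges()
    Write-Output "Granted $GroupName RP/WP on lockoutTime for $dn"
}
```

Afterwards, `dsacls "<DN>"` on one of the listed users shows the new entry as a property-specific ACE for the group, which is the quickest way to confirm the GUID resolved to lockoutTime and not to a different attribute.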

Author

Commented:
As no solution was provided, we want to close the question.