Active Directory Permissions using Vbscript

Posted on 2011-04-20
Last Modified: 2012-05-11
We are trying to provide access to a group on some of the Active Directory IDs for unlocking those accounts. For that we need to provide write access to the lockout-time attribute.

We have created a script for this because the number of accounts is large and they are in different OUs.

We have created the script below, but it gives the error "Code Error 800A01AD - ActiveX component can't create object".

The script is as below.


' Bind to the user object whose ACL is being changed
Set objSdUtil = GetObject("LDAP://CN=Rob Young,OU=Finance,DC=fabrikam,DC=Com")
Set objSD = objSdUtil.Get("ntSecurityDescriptor")
Set objDacl = objSD.DiscretionaryAcl

' New object-specific ACE (ADSI ProgID "AccessControlEntry")
Set objAce = CreateObject("AccessControlEntry")
objAce.Trustee = "FABRIKAM\UserGroup"
objAce.AceType = 5         ' ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objAce.AceFlags = 0        ' applies to this object only, not inherited
objAce.Flags = 1           ' ADS_FLAG_OBJECT_TYPE_PRESENT: ObjectType below is used
objAce.AccessMask = &H30   ' ADS_RIGHT_DS_READ_PROP Or ADS_RIGHT_DS_WRITE_PROP
' schemaIDGUID of the attribute the right is scoped to (missing hyphen restored);
' verify it against the Lockout-Time attribute in your schema
objAce.ObjectType = "{848B19E1-6335-4F93-ADA1-510D63F1FDC7}"
objDacl.AddAce objAce

objSD.DiscretionaryAcl = objDacl
objSdUtil.Put "ntSecurityDescriptor", Array(objSD)
objSdUtil.SetInfo          ' without SetInfo the change is never written to the DC

The GUID is for the Lockout-time attribute, which I got from somewhere.

Please suggest
Question by:Neo_78

    Expert Comment

    by:Tony Massa
    You have to be aware of the AdminSDHolder and SDProp process.  Any account that has been an admin will have permission reset every hour if the adminCount attribute is set to "1".

    Here's how you can delegate the right

    Author Comment


    Thanks "tmassa99". This is absolutely perfect, but is there a way to create a script and run this command against a set of IDs which we will note in a txt file? I have tried the below script but it is saying "File not found". The Accounts.txt file is on the desktop and it contains the full DN of the user IDs.

    Set objShell = CreateObject("Wscript.Shell")
    Set oFso = CreateObject("Scripting.FileSystemObject")
    sDesktop = objShell.SpecialFolders("Desktop")
    sPath = sDesktop & "\Accounts.txt"
    Set oT = oFso.OpenTextFile(sPath, 1)   ' 1 = ForReading
    Do Until oT.AtEndOfStream
      sReadFromFile = oT.ReadLine()
      strUser = Trim(sReadFromFile)        ' one distinguishedName per line
      If strUser <> "" Then
        ' run dsacls synchronously with a hidden window; the DN is quoted because it contains spaces
        objShell.Run "dsacls """ & strUser & """ /I:S /G Domain\Username:rpwp;lockoutTime;user", 0, True
      End If
    Loop
    oT.Close


    Expert Comment

    by:Tony Massa
    The DSACLS command should be in the following syntax

    DSACLS cn=object,ou=ToSet,ou=Permissions,ou=ON,dc=yourdomain,dc=org /I:S /G "DOMAIN\Group WithSpace":rpwp;lockoutTime;user

    you have strComputer in the command, but that variable doesn't exist.

    What does your Accounts.txt file contain?  sAMAccountNames?

    Accepted Solution

    The variable is defined as strUser and the same is mentioned in the command also. I forgot to change it in the post above.

    Secondly, the txt file contains the distinguishedName of the accounts.

    Also, the permission which I am setting is getting applied, but the admin user is not able to unlock the account. It is grayed out. I have checked that the command applies the changes to the User object (rpwp;lockoutTime;user), but when I am manually doing it to apply changes to "this object and all the child objects" the admin is able to unlock the account.

    Is there a way to configure that using the dsacls command instead of the user parameter at the end?

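    A read-back check, added here as an example and not taken from any post in this thread, that lists the ACEs one trustee holds on a user object and flags those that are inherit-only, i.e. that never apply to the user object itself. That is the state dsacls /I:S (sub-objects only) produces, whereas the GUI's "this object and all child objects" corresponds to dsacls /I:T, so the check tells you which of the two you actually have. The trustee name and user DN are placeholders, and the ACE's ObjectType GUID is printed rather than matched, so compare it with your schema's lockoutTime schemaIDGUID yourself.

```vbscript
' Lists the ACEs one trustee holds on a user object and reports whether each
' one applies to the object itself or is inherit-only (children only).
Option Explicit

Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8    ' ACE applies to child objects only
Const ADS_RIGHT_DS_WRITE_PROP      = &H20   ' "wp" in dsacls terms

' Placeholders (assumptions): replace with the group and user DN being audited
Dim strTrustee, strUserDN
strTrustee = "FABRIKAM\UserGroup"
strUserDN  = "CN=Rob Young,OU=Finance,DC=fabrikam,DC=com"

Dim objUser, objSD, objDacl, objAce, nAdminCount, nEffective
Set objUser = GetObject("LDAP://" & strUserDN)

' SDProp rewrites the ACL of adminCount=1 accounts, so report that first
On Error Resume Next
nAdminCount = objUser.Get("adminCount")   ' raises if the attribute is not set
On Error GoTo 0
If nAdminCount = 1 Then
  WScript.Echo "WARNING: adminCount=1; AdminSDHolder/SDProp will reset this ACL"
End If

Set objSD = objUser.Get("ntSecurityDescriptor")
Set objDacl = objSD.DiscretionaryAcl

nEffective = 0
For Each objAce In objDacl
  If StrComp(objAce.Trustee, strTrustee, vbTextCompare) = 0 Then
    WScript.Echo "ACE type=" & objAce.AceType & " mask=&H" & Hex(objAce.AccessMask) & _
                 " flags=&H" & Hex(objAce.AceFlags) & " objectType=" & objAce.ObjectType
    If (objAce.AceFlags And ADS_ACEFLAG_INHERIT_ONLY_ACE) <> 0 Then
      WScript.Echo "  -> inherit-only: does not apply to this user object"
    ElseIf (objAce.AccessMask And ADS_RIGHT_DS_WRITE_PROP) <> 0 Then
      nEffective = nEffective + 1
    End If
  End If
Next

If nEffective = 0 Then
  WScript.Echo "No effective write-property ACE for " & strTrustee & " on " & strUserDN
End If
```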

    Author Closing Comment

    As no solution was provided, we want to close the question.
