
23.3 A Complex ACE Example

Example 23-2 shows two further ACEs being created. This time we have included all the constants. This example sets the following ACEs on myOU:

  • No permissions even to see the object for members of DenyGroup.

  • Ability to create, delete, and examine all children of the object for AllowChildGroup.

  • Ability for user Vicky Launders to assume ownership of the Organizational Unit only and not any children.

  • Permission for the user Lee Flight to read and write this OU's description.

  • Permission for the Chris Heaton account to read and write all users' passwords.

  • Generation of audit messages for failed access by Everyone to delete the object itself.

  • Generation of audit messages for all modifications to Active Directory by Brian Kerr below this Organizational Unit, but not including this Organizational Unit.

Example 23-2. A complex ACE example
'**************************************************************************
'AccessMask constants
'**************************************************************************
Const ADS_RIGHT_GENERIC_READ = &H80000000
Const ADS_RIGHT_GENERIC_WRITE = &H40000000
Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000
Const ADS_RIGHT_GENERIC_ALL = &H10000000
Const ADS_RIGHT_SYSTEM_SECURITY = &H1000000
Const ADS_RIGHT_SYNCHRONIZE = &H100000
Const ADS_RIGHT_WRITE_OWNER = &H80000
Const ADS_RIGHT_WRITE_DAC = &H40000
Const ADS_RIGHT_READ_CONTROL = &H20000
Const ADS_RIGHT_DELETE = &H10000
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
Const ADS_RIGHT_DS_LIST_OBJECT = &H80
Const ADS_RIGHT_DS_DELETE_TREE = &H40
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_SELF = &H8
Const ADS_RIGHT_ACTRL_DS_LIST = &H4
Const ADS_RIGHT_DS_DELETE_CHILD = &H2
Const ADS_RIGHT_DS_CREATE_CHILD = &H1
Const FULL_CONTROL = -1
   
'**************************************************************************
'AceType constants
'**************************************************************************
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_SYSTEM_AUDIT = &H2
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
   
'**************************************************************************
'AceFlags constants
'**************************************************************************
Const ADS_ACEFLAG_FAILED_ACCESS = &H80
Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40
Const ADS_ACEFLAG_VALID_INHERIT_FLAGS = &H1F
Const ADS_ACEFLAG_INHERITED_ACE = &H10
Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8
Const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &H4
Const ADS_ACEFLAG_INHERIT_ACE = &H2
   
'**************************************************************************
'Flags constants
'**************************************************************************
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
   
'**************************************************************************
'Constants representing paths to classes and attributes in the schema
'**************************************************************************
Const USER_PASSWORD_ADSPATH = _
  "LDAP://cn=User-Password,cn=Schema,cn=Configuration,dc=mycorp,dc=com"
Const DESCRIPTION_ADSPATH = _
  "LDAP://cn=Description,cn=Schema,cn=Configuration,dc=mycorp,dc=com"
Const USER_ADSPATH = "LDAP://cn=User,cn=Schema,cn=Configuration,dc=mycorp,dc=com"
   
'**************************************************************************
'Declare general variables
'**************************************************************************
Dim objObject                'The Organizational Unit to bind to
Dim objSecDesc               'SecurityDescriptor
Dim objDACL                  'AccessControlList object containing permission ACEs
Dim objSACL                  'AccessControlList object containing audit ACEs
Dim objNewACE                'AccessControlEntry
Dim objAttributeSchemaObject 'An object representing an attribute in the schema
   
'**************************************************************************
'Get a handle to the DACL of the OU
'**************************************************************************
Set objObject = GetObject ("LDAP://ou=myOU,dc=mycorp,dc=com")
Set objSecDesc = objObject.Get("ntSecurityDescriptor")
Set objDACL = objSecDesc.DiscretionaryAcl
Set objSACL = objSecDesc.SystemAcl
   
'**************************************************************************
'Set no permission to view the object for members of DenyGroup
'**************************************************************************
Set objNewACE = CreateObject("AccessControlEntry")
objNewACE.Trustee = "AMER\DenyGroup"
objNewACE.AccessMask = ADS_RIGHT_DS_LIST_OBJECT
objNewACE.AceType = ADS_ACETYPE_ACCESS_DENIED
objNewACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
objDACL.AddAce objNewACE
Set objNewACE = Nothing
   
'**************************************************************************
'Ability to create, delete, and examine all children of the object for
'AllowChildGroup
'**************************************************************************
Set objNewACE = CreateObject("AccessControlEntry")
objNewACE.Trustee = "AMER\AllowChildGroup"
objNewACE.AccessMask = ADS_RIGHT_ACTRL_DS_LIST + ADS_RIGHT_DS_DELETE_CHILD _
  + ADS_RIGHT_DS_CREATE_CHILD
objNewACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
objNewACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
objDACL.AddAce objNewACE
Set objNewACE = Nothing
   
'**************************************************************************
'Ability for user Vicky Launders to assume ownership of the Organizational
'Unit only and not any children
'**************************************************************************
Set objNewACE = CreateObject("AccessControlEntry")
objNewACE.Trustee = "cn=Vicky Launders,cn=Users,dc=amer,dc=mycorp,dc=com"
objNewACE.AccessMask = ADS_RIGHT_WRITE_OWNER
objNewACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
objNewACE.AceFlags = ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE
objDACL.AddAce objNewACE
Set objNewACE = Nothing
   
'**************************************************************************
'Allowing the Lee Flight account to read and write this OU's description
'**************************************************************************
Set objNewACE = CreateObject("AccessControlEntry")
objNewACE.Trustee = "cn=Lee Flight,cn=Users,dc=amer,dc=mycorp,dc=com"
objNewACE.AccessMask = ADS_RIGHT_DS_WRITE_PROP + ADS_RIGHT_DS_READ_PROP
objNewACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objNewACE.AceFlags = ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE
objNewACE.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
'**************************************************************************
'Retrieve the GUID of the Description attribute from the schema and place
'the result in the ObjectType property
'**************************************************************************
Set objAttributeSchemaObject = GetObject(DESCRIPTION_ADSPATH)
objNewACE.ObjectType = objAttributeSchemaObject.GUID
   
objDACL.AddAce objNewACE
Set objNewACE = Nothing
   
'**************************************************************************
'Allowing the Chris Heaton account to read and write users' passwords
'**************************************************************************
Set objNewACE = CreateObject("AccessControlEntry")
objNewACE.Trustee = "AMER\Chris Heaton"
objNewACE.AccessMask = ADS_RIGHT_DS_WRITE_PROP + ADS_RIGHT_DS_READ_PROP
objNewACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objNewACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE + ADS_ACEFLAG_INHERIT_ONLY_ACE
objNewACE.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT _
  + ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
'**************************************************************************
'Retrieve the GUID of the User-Password attribute from the schema and place
'the result in the ObjectType property
'**************************************************************************
Set objAttributeSchemaObject = GetObject(USER_PASSWORD_ADSPATH)
objNewACE.ObjectType = objAttributeSchemaObject.GUID
'**************************************************************************
'Retrieve the GUID of the User class from the schema and place the result 
'in the InheritedObjectType property
'**************************************************************************
Set objAttributeSchemaObject = GetObject(USER_ADSPATH)
objNewACE.InheritedObjectType = objAttributeSchemaObject.GUID
   
objDACL.AddAce objNewACE
Set objNewACE = Nothing
   
'**************************************************************************
'Generation of audit messages for failed access by Everyone to delete the
'object itself
'**************************************************************************
Set objNewACE = CreateObject("AccessControlEntry")
objNewACE.Trustee = "AMER\Everyone"
objNewACE.AccessMask = ADS_RIGHT_DELETE 
objNewACE.AceType = ADS_ACETYPE_SYSTEM_AUDIT
objNewACE.AceFlags = ADS_ACEFLAG_FAILED_ACCESS _
  + ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE
objSACL.AddAce objNewACE
Set objNewACE = Nothing
   
'**************************************************************************
'Generation of audit messages for successful and failed modifications by 
'Brian Kerr to Active Directory below this Organizational Unit, but 
'not including this Organizational Unit
'**************************************************************************
Set objNewACE = CreateObject("AccessControlEntry")
objNewACE.Trustee = "cn=Brian Kerr,cn=Users,dc=amer,dc=mycorp,dc=com"
objNewACE.AccessMask = FULL_CONTROL
objNewACE.AceType = ADS_ACETYPE_SYSTEM_AUDIT_OBJECT
objNewACE.AceFlags = ADS_ACEFLAG_FAILED_ACCESS + ADS_ACEFLAG_SUCCESSFUL_ACCESS _
  + ADS_ACEFLAG_INHERIT_ONLY_ACE + ADS_ACEFLAG_INHERIT_ACE
objNewACE.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objNewACE.ObjectType = vbNull
objSACL.AddAce objNewACE
Set objNewACE = Nothing
   
'**************************************************************************
'Write the newly expanded DACL and SACL to the SD and then out to the AD
'**************************************************************************
objSecDesc.DiscretionaryAcl = objDACL
objSecDesc.SystemAcl = objSACL
objObject.Put "ntSecurityDescriptor", Array(objSecDesc)
objObject.SetInfo

Note that the last two items are added to the SACL rather than the DACL, because they are audit ACEs and not permission ACEs. You can also see that we have used both DNs and domain accounts (DOMAIN\name) for the trustees in the script. As usual in these scripts, there is no error handling; and because the modified SD is not written back until the final Put and SetInfo, an error anywhere along the way stops the script before anything is written, leaving the OU's security descriptor unchanged.
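Having written a set of ACEs like these, the sensible next step is to read the security descriptor back and confirm that each entry landed where you expected, with the trustee, mask, type, and inheritance flags you intended. The following script does that; it is an added check and is not part of Example 23-2 or the book's own code. It assumes the same OU path as the example and requests the SACL explicitly, since reading audit ACEs requires the SeSecurityPrivilege user right. It also warns when an explicit deny ACE appears after an explicit allow ACE, which is worth reviewing because AddAce appends new entries to the end of the list rather than ordering them for you.

```vbscript
' Added verification script; not part of Example 23-2. Reads the OU's
' security descriptor back and lists every ACE in the DACL and SACL so the
' result of the previous script can be confirmed. Assumes the same OU path.
Option Explicit

Const ADS_OPTION_SECURITY_MASK = 3
Const ADS_SECURITY_INFO_OWNER = &H1
Const ADS_SECURITY_INFO_GROUP = &H2
Const ADS_SECURITY_INFO_DACL = &H4
Const ADS_SECURITY_INFO_SACL = &H8

Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_SYSTEM_AUDIT = &H2
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7

Const ADS_ACEFLAG_INHERIT_ACE = &H2
Const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &H4
Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8
Const ADS_ACEFLAG_INHERITED_ACE = &H10
Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40
Const ADS_ACEFLAG_FAILED_ACCESS = &H80

Dim objOU, objSecDesc

Set objOU = GetObject("LDAP://ou=myOU,dc=mycorp,dc=com")
' Ask for the SACL as well as the owner, group and DACL. The SACL is only
' returned to a caller holding SeSecurityPrivilege (Manage auditing and
' security log); the option must be set before the Get.
objOU.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_OWNER _
  Or ADS_SECURITY_INFO_GROUP Or ADS_SECURITY_INFO_DACL Or ADS_SECURITY_INFO_SACL
Set objSecDesc = objOU.Get("ntSecurityDescriptor")

WScript.Echo "Owner: " & objSecDesc.Owner
WScript.Echo "--- DACL (permission ACEs) ---"
DumpAcl objSecDesc.DiscretionaryAcl
WScript.Echo "--- SACL (audit ACEs) ---"
DumpAcl objSecDesc.SystemAcl

' Print one ACE per entry. Explicit (non-inherited) deny ACEs should precede
' explicit allow ACEs; an allow evaluated before a deny grants access first.
Sub DumpAcl(objACL)
  Dim objACE, blnExplicitAllowSeen
  blnExplicitAllowSeen = False
  For Each objACE In objACL
    WScript.Echo AceTypeName(objACE.AceType) & " " & objACE.Trustee
    WScript.Echo "    Mask=0x" & Hex(objACE.AccessMask) & _
      "  AceFlags=" & AceFlagNames(objACE.AceFlags)
    If objACE.AceType >= ADS_ACETYPE_ACCESS_ALLOWED_OBJECT Then
      WScript.Echo "    ObjectType=" & objACE.ObjectType & _
        "  InheritedObjectType=" & objACE.InheritedObjectType
    End If
    If (objACE.AceFlags And ADS_ACEFLAG_INHERITED_ACE) = 0 Then
      Select Case objACE.AceType
        Case ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
          blnExplicitAllowSeen = True
        Case ADS_ACETYPE_ACCESS_DENIED, ADS_ACETYPE_ACCESS_DENIED_OBJECT
          If blnExplicitAllowSeen Then
            WScript.Echo "    WARNING: explicit deny listed after an explicit " & _
              "allow (non-canonical order); review before relying on this deny"
          End If
      End Select
    End If
  Next
End Sub

Function AceTypeName(intType)
  Select Case intType
    Case ADS_ACETYPE_ACCESS_ALLOWED:        AceTypeName = "ALLOW       "
    Case ADS_ACETYPE_ACCESS_DENIED:         AceTypeName = "DENY        "
    Case ADS_ACETYPE_SYSTEM_AUDIT:          AceTypeName = "AUDIT       "
    Case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT: AceTypeName = "ALLOW_OBJECT"
    Case ADS_ACETYPE_ACCESS_DENIED_OBJECT:  AceTypeName = "DENY_OBJECT "
    Case ADS_ACETYPE_SYSTEM_AUDIT_OBJECT:   AceTypeName = "AUDIT_OBJECT"
    Case Else:                              AceTypeName = "TYPE_" & intType
  End Select
End Function

' Decode the AceFlags bit mask into the constant names used in Example 23-2
Function AceFlagNames(intFlags)
  Dim strNames
  strNames = ""
  If (intFlags And ADS_ACEFLAG_INHERIT_ACE) <> 0 Then strNames = strNames & "INHERIT_ACE "
  If (intFlags And ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE) <> 0 Then strNames = strNames & "NO_PROPAGATE "
  If (intFlags And ADS_ACEFLAG_INHERIT_ONLY_ACE) <> 0 Then strNames = strNames & "INHERIT_ONLY "
  If (intFlags And ADS_ACEFLAG_INHERITED_ACE) <> 0 Then strNames = strNames & "INHERITED "
  If (intFlags And ADS_ACEFLAG_SUCCESSFUL_ACCESS) <> 0 Then strNames = strNames & "AUDIT_SUCCESS "
  If (intFlags And ADS_ACEFLAG_FAILED_ACCESS) <> 0 Then strNames = strNames & "AUDIT_FAILURE "
  If strNames = "" Then strNames = "(none: this object only)"
  AceFlagNames = Trim(strNames)
End Function
```

Run it with cscript so the output goes to the console. Compare each line against the bullet list at the top of this section: the DenyGroup entry should show as DENY with INHERIT_ACE, the Vicky Launders entry as ALLOW with NO_PROPAGATE, the Chris Heaton entry as ALLOW_OBJECT with both an ObjectType and an InheritedObjectType, and the two audit entries should appear only under the SACL heading.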
