Discussion:
Extended rights and ACEs permission issue in Active Directory.
Sabbs (Jon Sabberton)
2005-02-27 14:37:03 UTC
Dear all

I'm having a problem in a VBScript where I'm trying to apply a single
extended right. I have the correct rightsGuid (from Best Practices for
Delegating Active Directory Administration, Appendix D, Active Directory
Extended Rights), but on the object I'm applying permissions to
(cn=schema,cn=configuration,dc=dcukrsql,dc=local) it applies all of the
extended rights on that object instead of just the one I've specified (which
is Change Schema Master).

I look forward to someone pointing out the error I've made. Please see the
code attached below:

The access constants are defined in the code but not shown here.

Dim adsObject ' Any object
Dim adsSecDesc ' SecurityDescriptor object
Dim adsDACL ' AccessControlList object
Dim adsNewACE ' AccessControlEntry object

' Create the ACE, and populate it.
Set adsNewACE = CreateObject("AccessControlEntry")
adsNewACE.AceFlags = ADS_FLAG_OBJECT_TYPE_PRESENT
adsNewACE.ObjectType = "{e12b56b6-0a95-11d1-adbb-00c04fd8d5cd}" ' Change Schema Master rightsGuid
adsNewACE.Trustee = "DCUKRSQL\Kermit"
adsNewACE.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
adsNewACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED

' Retrieve the object.
Set adsObject = GetObject("LDAP://cn=schema,cn=Configuration,dc=dcukrsql,dc=local")


' Retrieve the SD and the existing DACL.
Set adsSecDesc = adsObject.Get("ntSecurityDescriptor")
Set adsDACL = adsSecDesc.DiscretionaryAcl

' Add an ACE to an existing DACL
adsDACL.AddAce adsNewACE

' Put back the modified DACL and the SD.
adsSecDesc.DiscretionaryAcl = adsDACL
adsObject.Put "ntSecurityDescriptor", Array(adsSecDesc)

' Write the property cache to the AD store.
adsObject.SetInfo
--
Cheers

Jon
Joe Richards [MVP]
2005-02-27 16:26:17 UTC
Without the constants it is impossible for me to be sure because the constants
could be fat-fingered or you could have purposely used a specific value which
has one common name but used a different constant... BUT

This is the ACL for Change Schema Master on my test AD which shows all of the
proper values

ACE
Trustee : JOE\Schema Admins
AceFlags : (1)
Ace Type Flags : ADS_FLAG_OBJECT_TYPE_PRESENT
ObjectType : ({E12B56B6-0A95-11D1-ADBB-00C04FD8D5CD}) - Change
Schema Master
Ace Type : (5) - ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
Ace Flag : 0
Access Mask : 256
ADS_RIGHT_DS_CONTROL_ACCESS


Assuming all of your constants are correct, your issue is with your ace type.



--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Sabbs (Jon Sabberton)
2005-02-28 10:21:02 UTC
Joe,

Many thanks for your rapid response. I made the change that you suggested
and unfortunately I am still seeing the same behaviour, so this time I will
post up the entire script with the constants defined!

Just to clarify the behaviour, on opening ADSIEDIT after running the script
and looking at the security tab for the
cn=Schema,CN=configuration,dc=dcukrsql,dc=local container, the entry for
kermit is listed but all of the extended permissions are selected, instead of
just change schema master.

I look forward to your (or other community members) response.

Cheers Jon

Script is below

'**************************************************************************
'AccessMask constants
'**************************************************************************
Const ADS_RIGHT_GENERIC_READ = &H80000000
Const ADS_RIGHT_GENERIC_WRITE = &H40000000
Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000
Const ADS_RIGHT_GENERIC_ALL = &H10000000
Const ADS_RIGHT_SYSTEM_SECURITY = &H1000000
Const ADS_RIGHT_SYNCHRONIZE = &H100000
Const ADS_RIGHT_WRITE_OWNER = &H80000
Const ADS_RIGHT_WRITE_DAC = &H40000
Const ADS_RIGHT_READ_CONTROL = &H20000
Const ADS_RIGHT_DELETE = &H10000
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
Const ADS_RIGHT_DS_LIST_OBJECT = &H80
Const ADS_RIGHT_DS_DELETE_TREE = &H40
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_SELF = &H8
Const ADS_RIGHT_ACTRL_DS_LIST = &H4
Const ADS_RIGHT_DS_DELETE_CHILD = &H2
Const ADS_RIGHT_DS_CREATE_CHILD = &H1
Const FULL_CONTROL = -1

'**************************************************************************
'AceType constants
'**************************************************************************
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_SYSTEM_AUDIT = &H2
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0

'**************************************************************************
'AceFlags constants
'**************************************************************************
Const ADS_ACEFLAG_FAILED_ACCESS = &H80
Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40
Const ADS_ACEFLAG_VALID_INHERIT_FLAGS = &H1F
Const ADS_ACEFLAG_INHERITED_ACE = &H10
Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8
Const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &H4
Const ADS_ACEFLAG_INHERIT_ACE = &H2

'**************************************************************************
'Flags constants
'**************************************************************************
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1

' Declare the variables.
Dim adsObject ' Any object
Dim adsSecDesc ' SecurityDescriptor object
Dim adsDACL ' AccessControlList object
Dim adsNewACE ' AccessControlEntry object

' Create the ACE, and populate it.
Set adsNewACE = CreateObject("AccessControlEntry")
adsNewACE.AceFlags = ADS_FLAG_OBJECT_TYPE_PRESENT
adsNewACE.ObjectType = "{e12b56b6-0a95-11d1-adbb-00c04fd8d5cd}"
adsNewACE.Trustee = "DCUKRSQL\Kermit"
adsNewACE.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
adsNewACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT

' Retrieve the object.
Set adsObject = GetObject("LDAP://cn=schema,cn=Configuration,dc=dcukrsql,dc=local")


' Retrieve the SD and the existing DACL.
Set adsSecDesc = adsObject.Get("ntSecurityDescriptor")
Set adsDACL = adsSecDesc.DiscretionaryAcl

' Add an ACE to an existing DACL
adsDACL.AddAce adsNewACE

' Put back the modified DACL and the SD.
adsSecDesc.DiscretionaryAcl = adsDACL
adsObject.Put "ntSecurityDescriptor", Array(adsSecDesc)

' Write the property cache to the AD store.
adsObject.SetInfo


Sabbs (Jon Sabberton)
2005-03-01 12:59:10 UTC
All,

I have found what my problem was: in addition to the mistake that Joe
pointed out, where I was using AceFlags I should have been using Flags. As
soon as I did, the whole thing worked a treat.

Thanks again Joe for your help

Cheers

Jon
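The two fixes in this thread (AceType must be ACCESS_ALLOWED_OBJECT, and the object-type GUID must be marked present through Flags, not AceFlags) come down to one security-relevant fact: a control-access ACE (ADS_RIGHT_DS_CONTROL_ACCESS, 0x100) with no object type matches every extended right defined on the object, which is exactly what ADSIEDIT showed for kermit. The PowerShell below is an added example, not Jon's or Joe's code. It builds the Change Schema Master ACE with the .NET System.DirectoryServices classes (whose constructor sets the object-type-present flag for you when a GUID is supplied), builds the over-broad ACE the buggy script produced, and audits a DACL for ACEs of that second kind. It runs offline in Windows PowerShell; the trustee SID is a constructed stand-in for DCUKRSQL\Kermit, and the function names are my own.

```powershell
# Added example for this thread (not from the original posts). Builds the
# Change Schema Master ACE the way the fixed script does, builds the ACE the
# buggy script produced (control access with no object type), and audits a
# DACL for that second kind. Runs offline; the SID below is constructed.
Add-Type -AssemblyName System.DirectoryServices

# rightsGuid for Change Schema Master, as used in the thread.
$ChangeSchemaMaster = [Guid]'e12b56b6-0a95-11d1-adbb-00c04fd8d5cd'
# Constructed SID standing in for DCUKRSQL\Kermit; replace with a real one.
$Kermit = [System.Security.Principal.SecurityIdentifier]'S-1-5-21-1000-2000-3000-1105'

function New-ExtendedRightRule {
    # ExtendedRight is ADS_RIGHT_DS_CONTROL_ACCESS (0x100). Passing a rightsGuid
    # makes .NET set ObjectFlags to ObjectAceTypePresent, which is what the ADSI
    # "Flags" property (not "AceFlags") controls in the thread's VBScript.
    param(
        [Parameter(Mandatory)][System.Security.Principal.IdentityReference]$Trustee,
        [Guid]$RightGuid = [Guid]::Empty   # Empty: no object type, i.e. every extended right
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Trustee,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $RightGuid)
}

function Find-BroadControlAccessRule {
    # Allow ACEs carrying the control-access bit (ExtendedRight, or GenericAll,
    # which includes it) without an object type: these match every extended
    # right defined on the object, not one specific rightsGuid.
    param([Parameter(Mandatory)][System.DirectoryServices.ActiveDirectorySecurity]$Security)
    $cr = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $typePresent = [int][System.Security.AccessControl.ObjectAceFlags]::ObjectAceTypePresent
    $Security.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            ([int]$_.ActiveDirectoryRights -band $cr) -ne 0 -and
            ([int]$_.ObjectFlags -band $typePresent) -eq 0
        }
}

# Intended DACL: one object ACE scoped to the Change Schema Master GUID.
$Intended = New-Object System.DirectoryServices.ActiveDirectorySecurity
$Intended.AddAccessRule((New-ExtendedRightRule -Trustee $Kermit -RightGuid $ChangeSchemaMaster))

# Buggy DACL: same access mask, no object type. ADSI wrote this as an object ACE
# whose Flags were 0; .NET writes a plain ACE. Both grant every extended right.
$Buggy = New-Object System.DirectoryServices.ActiveDirectorySecurity
$Buggy.AddAccessRule((New-ExtendedRightRule -Trustee $Kermit))

foreach ($case in @(@{ Name = 'intended'; SD = $Intended }, @{ Name = 'buggy'; SD = $Buggy })) {
    # SDDL makes the difference visible: the scoped ACE carries the GUID, the
    # broad one carries nothing in the object-type position.
    $sddl = $case.SD.GetSecurityDescriptorSddlForm([System.Security.AccessControl.AccessControlSections]::Access)
    $broad = @(Find-BroadControlAccessRule -Security $case.SD)
    '{0}: {1}' -f $case.Name, $sddl
    '  ACEs granting every extended right: {0}' -f $broad.Count
}
```

To apply the scoped rule to the real container, read the descriptor with Get-Acl from the ActiveDirectory module's AD: drive (for example the path AD:\CN=Schema,CN=Configuration,DC=dcukrsql,DC=local), call AddAccessRule with the object returned by New-ExtendedRightRule, and write it back with Set-Acl. Running Find-BroadControlAccessRule over the same Get-Acl result afterwards is the check Jon did by hand in ADSIEDIT: a non-empty result means some trustee holds every extended right on that object rather than the one you intended.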
Joe Richards [MVP]
2005-03-05 16:23:47 UTC
Excellent, sorry I didn't get back sooner, this is the first I have been back in
the newsgroups since the last post.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net