Windows Server Forum / Windows Server 2003 / Active Directory / July 2005

Change an OU special security permissions

Bilb0 - 29 Jul 2005 14:06 GMT
Hi,

I've written a script that automatically creates the default OU and
Groups for my architecture. Now I want to add security permissions
for the OU. I need to add a created group in the Group or usernames (in
the security tab) to give it the Create/Delete Computer Object special
permission.

I use VBScript, anybody have an idea?

Thx

David
Ulf B. Simon-Weidner [MVP] - 29 Jul 2005 14:33 GMT
> Hi,
>
[quoted text clipped - 5 lines]
>
> I use VBScript, anybody have an idea?

Hi David,

You can use the cmd-tool dsacls to do that - it's much easier even
calling it from a VBS than messing with the DACLs directly in VBS.

To get a feeling/example on how to modify DACLs in VBS look at the code
I've posted on
http://www.windowsserverfaq.org/faq/CompACLs.asp

--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

 MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
 Weblog: http://msmvps.org/UlfBSimonWeidner
 Website: http://www.windowsserverfaq.org
Bilb0 - 29 Jul 2005 16:42 GMT
Hi Ulf,

Ok.. but I still need the objAce.AceType of the Create/Delete computer
object... like:

Const ADS_RIGHT_DS_CREATE_CHILD = &H1
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
...

Can you help me please?
Ulf B. Simon-Weidner [MVP] - 29 Jul 2005 16:57 GMT
Hi David,

The easiest way is to set the needed permissions on a test-ou, then you can
use part of the script to display the ACLs of this OU, filter out the stuff
you need and write a script to apply exactly those settings to any other OU.
That's how I'd do it.

Ulf

> Hi Ulf,
>
[quoted text clipped - 9 lines]
>
> Can you help me please?
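
The ACE asked about above, as an added example that is not part of the thread and not the code from the linked page: it grants a group Create/Delete Child on an OU, limited to computer objects through the object-type GUID. The OU DN and group name are assumed placeholders; the equivalent dsacls call is shown in a comment.

```vbscript
Option Explicit

' ADSI enumeration values
Const ADS_RIGHT_DS_CREATE_CHILD = &H1
Const ADS_RIGHT_DS_DELETE_CHILD = &H2
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_ACEFLAG_INHERIT_ACE = &H2          ' this object and child containers
Const ADS_OPTION_SECURITY_MASK = 3
Const ADS_SECURITY_INFO_DACL = &H4

' schemaIDGUID of the "computer" class: restricts the ACE to computer objects
Const COMPUTER_CLASS_GUID = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"

' Assumed placeholders: replace with your own OU and group
Const OU_DN = "OU=Workstations,DC=example,DC=com"
Const TRUSTEE = "EXAMPLE\Computer-Admins"

' Same delegation with dsacls (CC = create child, DC = delete child):
'   dsacls "OU=Workstations,DC=example,DC=com" /I:T /G "EXAMPLE\Computer-Admins:CCDC;computer"

Dim objOU, objSD, objDACL, objAce, ace, blnExists

Set objOU = GetObject("LDAP://" & OU_DN)
' Read and write only the DACL, not the owner, group or SACL
objOU.SetOption ADS_OPTION_SECURITY_MASK, ADS_SECURITY_INFO_DACL
Set objSD = objOU.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl

' Skip the write if an equivalent ACE is already present (keeps re-runs idempotent)
blnExists = False
For Each ace In objDACL
    If ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT Then
        If StrComp(ace.Trustee, TRUSTEE, vbTextCompare) = 0 And _
           StrComp(ace.ObjectType, COMPUTER_CLASS_GUID, vbTextCompare) = 0 Then blnExists = True
    End If
Next

If Not blnExists Then
    Set objAce = CreateObject("AccessControlEntry")
    objAce.Trustee = TRUSTEE
    objAce.AccessMask = ADS_RIGHT_DS_CREATE_CHILD Or ADS_RIGHT_DS_DELETE_CHILD
    objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
    objAce.AceFlags = ADS_ACEFLAG_INHERIT_ACE
    objAce.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
    objAce.ObjectType = COMPUTER_CLASS_GUID
    objDACL.AddAce objAce
    objSD.DiscretionaryAcl = objDACL
    objOU.Put "ntSecurityDescriptor", Array(objSD)
    objOU.SetInfo
End If
```

Without the object-type flag and GUID, the same access mask would allow creating and deleting every kind of child object in the OU, so compare the result against a test OU in the security tab before applying it widely.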
Bilb0 - 29 Jul 2005 20:57 GMT
Hi Ulf,

Thanks for your help, it works great now :)

Bye

David
Ulf B. Simon-Weidner [MVP] - 29 Jul 2005 22:40 GMT
> Hi Ulf,
>
> Thanks for your help, it works great now :)

You're welcome, thanks for the feedback!

Ulf
 