ACLs on AD objects

[3ntity]

Hi,

I've been doing quite a lot of scripting in AD using Water's AD UDF but I just can't seem to get my head around this one.

I'm trying to change the ACL on an object in AD (Add Read-rights for a specific group on an object in an OU)

In the object-properties I can find "nTSecurityDescriptor" but I don't see how to change the actual ACL ... (append, not overwrite)

If anyone has any ideas to get me on the right path I'd be very much obliged.

 

Thx.

[water]

Function _AD_EnablePasswordChange shows how to modify an ACL/ACE. At the moment there is no function to directly modify an ACL/ACE in the UDF.

[3ntity]

Thanks, I'll check if that gets me where I need to be for now.  (at least not having to use an external dsacls to get it done)

Any chance this might get added into the UDF at some point ?  Security on objects is quite useful in AD management (both get/set) for monitoring purposes etc.

 

[water]

I have checked the original ADFunctions UDF written by Jonathan Clelland but I couldn't find any functions to work with permissions.
If you find any useful scripts written in Visual Basic I will be happy to translate them to AutoIt.

[AdamUL]

Check out the Set ACL Permissions UDF, it may be able to help you.  I have never tried to use it with AD, but from looking at the UDF, there is are object types that are available.

    $SE_DS_OBJECT, _;Indicates a directory service object or a property set or property of a directory service object. e.g.CN=SomeObject,OU=ou2,OU=ou1,DC=DomainName,DC=CompanyName,DC=com,O=internet
    $SE_DS_OBJECT_ALL, _;Indicates a directory service object and all of its property sets and properties.

 Also the ACL in nTSecurityDescriptor is written in Security Descriptor Definition Language (SDDL).  Hopefully that will give you a start.  

 

Adam