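' Reports the auditing (SACL) settings of one Active Directory user object:
' whether inheritable auditing entries from the parent are blocked, and, for
' each audit ACE, the trustee, the ACE type, the audited outcome and the
' audited access rights.
'
' Run with cscript.exe: the script writes to WScript.StdOut, which is not
' available under wscript.exe.
' Reading a SACL requires more than ordinary read access; the account normally
' needs the "Manage auditing and security log" right (SeSecurityPrivilege).
Const SE_SACL_PROTECTED = &H2000
Const ADS_SECURITY_INFO_OWNER = &H1
Const ADS_SECURITY_INFO_GROUP = &H2
Const ADS_OPTION_SECURITY_MASK = &H3
Const ADS_SECURITY_INFO_DACL = &H4
Const ADS_SECURITY_INFO_SACL = &H8

Set objUser = GetObject("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")

' Request every part of the security descriptor. The SACL bit is the one this
' script depends on; it must be set before ntSecurityDescriptor is read.
objUser.SetOption ADS_OPTION_SECURITY_MASK, _
    ADS_SECURITY_INFO_OWNER Or ADS_SECURITY_INFO_GROUP Or _
    ADS_SECURITY_INFO_DACL Or ADS_SECURITY_INFO_SACL

Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

WScript.Echo "Auditing Tab"
' Fixed: the original string had no space after "from" and misspelled "propagate".
WScript.StdOut.WriteLine "Allow inheritable auditing entries from " & _
    "the parent to "
WScript.StdOut.Write "propagate to this object and all child objects "
' SE_SACL_PROTECTED set means inherited audit entries are blocked on this object.
If (intNtSecurityDescriptorControl And SE_SACL_PROTECTED) Then
    WScript.Echo "is disabled."
Else
    WScript.Echo "is enabled."
End If
WScript.Echo VbCr

Set objSacl = objNtSecurityDescriptor.SystemAcl
' NOTE(review): presumably SystemAcl is Nothing when the descriptor carries no
' SACL; the guard reports that instead of failing inside the For Each loop.
If objSacl Is Nothing Then
    WScript.Echo "No SACL was returned for this object."
Else
    DisplayAceInformation objSacl, "SACL"
End If

' Prints one report entry per ACE in SecurityStructure, labelled with strType.
' ACEs whose trustee name starts with "NT AUTHORITY" are skipped, so the output
' is not a complete listing of the SACL.
Sub DisplayAceInformation(SecurityStructure, strType)
    Const ADS_ACETYPE_SYSTEM_AUDIT = &H2
    Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7
    Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40
    Const ADS_ACEFLAG_FAILED_ACCESS = &H80

    intAceCount = 0
    For Each objAce In SecurityStructure
        ' Case-insensitive comparison (compare mode 1) of the first 12 characters.
        strTrustee = Mid(objAce.Trustee, 1, 12)
        If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then
            intAceCount = intAceCount + 1
            WScript.Echo strType & " permission entry: " & intAceCount
            WScript.Echo "Name: " & objAce.Trustee

            intAceType = objAce.AceType
            WScript.Echo "ACETYPE IS: " & intAceType

            If (intAceType = ADS_ACETYPE_SYSTEM_AUDIT Or _
                intAceType = ADS_ACETYPE_SYSTEM_AUDIT_OBJECT) Then
                ' The audited outcome is carried in AceFlags, not AceType, so
                ' report which of success and failure this entry covers.
                intAceFlags = objAce.AceFlags
                blnSuccess = ((intAceFlags And ADS_ACEFLAG_SUCCESSFUL_ACCESS) <> 0)
                blnFailure = ((intAceFlags And ADS_ACEFLAG_FAILED_ACCESS) <> 0)
                If blnSuccess And blnFailure Then
                    WScript.StdOut.Write "Type: Success and Failure Audit"
                ElseIf blnSuccess Then
                    WScript.StdOut.Write "Type: Success Audit"
                ElseIf blnFailure Then
                    WScript.StdOut.Write "Type: Failure Audit"
                Else
                    WScript.StdOut.Write "Type: Audit (no success or failure flag set)"
                End If
            Else
                WScript.StdOut.Write "Audit Type Unknown."
            End If

            ReadBitsInAccessMask(objAce.AccessMask)
            WScript.Echo VbCr
        End If
    Next
End Sub

' Decodes AccessMask and prints one line per right that is set, grouped into
' standard rights, directory-service rights and control access rights.
Sub ReadBitsInAccessMask(AccessMask)
    Const ADS_RIGHT_DELETE = &H10000
    Const ADS_RIGHT_READ_CONTROL = &H20000
    Const ADS_RIGHT_WRITE_DAC = &H40000
    Const ADS_RIGHT_WRITE_OWNER = &H80000
    Const ADS_RIGHT_DS_CREATE_CHILD = &H1
    Const ADS_RIGHT_DS_DELETE_CHILD = &H2
    Const ADS_RIGHT_ACTRL_DS_LIST = &H4
    Const ADS_RIGHT_DS_SELF = &H8
    Const ADS_RIGHT_DS_READ_PROP = &H10
    Const ADS_RIGHT_DS_WRITE_PROP = &H20
    Const ADS_RIGHT_DS_DELETE_TREE = &H40
    Const ADS_RIGHT_DS_LIST_OBJECT = &H80
    Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

    ' The leading VbCrLf also ends the "Type:" line that the caller left open.
    WScript.Echo VbCrLf & "Standard Access Rights"
    If (AccessMask And ADS_RIGHT_DELETE) Then
        WScript.Echo vbTab & "-Delete an object."
    End If
    If (AccessMask And ADS_RIGHT_READ_CONTROL) Then
        WScript.Echo vbTab & "-Read permissions."
    End If
    If (AccessMask And ADS_RIGHT_WRITE_DAC) Then
        WScript.Echo vbTab & "-Write permissions."
    End If
    If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then
        WScript.Echo vbTab & "-Modify owner."
    End If

    WScript.Echo VbCrLf & "Directory Service Specific Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then
        WScript.Echo vbTab & "-Create child objects."
    End If
    If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then
        WScript.Echo vbTab & "-Delete child objects."
    End If
    If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then
        WScript.Echo vbTab & "-Enumerate an object."
    End If
    If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then
        WScript.Echo vbTab & "-Read the properties of an object."
    End If
    If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then
        WScript.Echo vbTab & "-Write the properties of an object."
    End If
    If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then
        WScript.Echo vbTab & "-Delete a tree of objects"
    End If
    If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then
        WScript.Echo vbTab & "-List a tree of objects."
    End If

    WScript.Echo VbCrLf & "Control Access Rights"
    ' Both masked values are non-negative, so the sum is 0 only when neither bit is set.
    If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + _
        (AccessMask And ADS_RIGHT_DS_SELF) = 0 Then
        WScript.Echo "-None"
    Else
        If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then
            WScript.Echo vbTab & "-Extended access rights."
        End If
        If (AccessMask And ADS_RIGHT_DS_SELF) Then
            WScript.Echo vbTab & _
                "-Active Directory must validate a property "
            WScript.Echo vbTab & _
                " write operation beyond the schema definition "
            WScript.Echo vbTab & " for the attribute."
        End If
    End If
End Sub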
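This is a VBScript. To use it, save it to a file with a .vbs extension and run it with cscript.exe, because it writes to WScript.StdOut, which is not available under wscript.exe.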