Displays the security permissions for the MyerKen Active Directory user account.
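' Displays the discretionary ACL (DACL) of one Active Directory user object:
' first whether the DACL is protected from inheritance, then each access
' control entry (ACE) with the rights its access mask grants or denies.
' Requires the ADSI LDAP provider; run with cscript.exe or wscript.exe.
Option Explicit

' Security-descriptor control flag: set when the DACL does not accept
' inheritable ACEs from the parent container.
Const SE_DACL_PROTECTED = &H1000

Dim objUser, objNtSecurityDescriptor, intNtSecurityDescriptorControl
Dim objDiscretionaryAcl

' Bind to the user object. GetObject raises a run-time error if the path is
' wrong or the caller cannot read the ntSecurityDescriptor attribute.
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

WScript.Echo "Permissions Tab"
WScript.StdOut.WriteLine "Allow inheritable permissions from the parent to"
WScript.StdOut.Write "propagate to this object and all child objects "
' A protected DACL ignores inheritable ACEs from the parent, which the
' security dialog shows as the inheritance checkbox being cleared.
If (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then
    WScript.Echo "is disabled."
Else
    WScript.Echo "is enabled."
End If
WScript.Echo VbCr

Set objDiscretionaryAcl = objNtSecurityDescriptor.DiscretionaryAcl
DisplayAceInformation objDiscretionaryAcl, "DACL"

' Prints every ACE in SecurityStructure (an ADSI access control list) whose
' trustee name does not start with "NT AUTHORITY"; strType labels each entry.
' Skipped ACEs (well-known NT AUTHORITY principals such as SYSTEM) are still
' part of the effective DACL, so the output is not a complete picture of it,
' and the entry counter numbers only the displayed ACEs, not their position
' in the DACL.
Sub DisplayAceInformation(SecurityStructure, strType)
    Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
    Const ADS_ACETYPE_ACCESS_DENIED = &H1
    Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
    Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6

    Dim intAceCount, objAce, strTrustee, intAceType

    intAceCount = 0
    For Each objAce In SecurityStructure
        ' Case-insensitive (vbTextCompare = 1) test of the first 12 characters.
        strTrustee = Mid(objAce.Trustee, 1, 12)
        If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then
            intAceCount = intAceCount + 1
            WScript.Echo strType & " permission entry: " & intAceCount
            WScript.Echo "Name: " & objAce.Trustee
            intAceType = objAce.AceType
            If (intAceType = ADS_ACETYPE_ACCESS_ALLOWED Or _
                intAceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) Then
                WScript.Echo "Type: Allow Access"
            ElseIf (intAceType = ADS_ACETYPE_ACCESS_DENIED Or _
                intAceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) Then
                ' Echo, not StdOut.Write, so the deny line ends like the allow line.
                WScript.Echo "Type: Deny Access"
            Else
                WScript.Echo "Access Type Unknown."
            End If
            ' NOTE(review): for object-specific ACEs (types &H5/&H6) the rights
            ' below are scoped to the ACE's ObjectType GUID (an attribute,
            ' property set or extended right), which this script does not print;
            ' confirm against the ACE before treating a right as object-wide.
            ReadBitsInAccessMask objAce.AccessMask
            WScript.Echo VbCr
        End If
    Next
End Sub

' Decodes an ACE access mask and prints one line per right that is set,
' grouped as standard rights, directory-service rights and control rights.
' AccessMask is the numeric mask from an ADSI access control entry.
' WRITE_DAC, WRITE_OWNER and the control-access rights are the ones that let
' a trustee change who controls the object, so they deserve the closest review.
Sub ReadBitsInAccessMask(AccessMask)
    ' Standard access rights
    Const ADS_RIGHT_DELETE = &H10000
    Const ADS_RIGHT_READ_CONTROL = &H20000
    Const ADS_RIGHT_WRITE_DAC = &H40000
    Const ADS_RIGHT_WRITE_OWNER = &H80000
    ' Directory-service specific rights
    Const ADS_RIGHT_DS_CREATE_CHILD = &H1
    Const ADS_RIGHT_DS_DELETE_CHILD = &H2
    Const ADS_RIGHT_ACTRL_DS_LIST = &H4
    Const ADS_RIGHT_DS_SELF = &H8
    Const ADS_RIGHT_DS_READ_PROP = &H10
    Const ADS_RIGHT_DS_WRITE_PROP = &H20
    Const ADS_RIGHT_DS_DELETE_TREE = &H40
    Const ADS_RIGHT_DS_LIST_OBJECT = &H80
    Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

    WScript.Echo VbCrLf & "Standard Access Rights"
    If (AccessMask And ADS_RIGHT_DELETE) Then _
        WScript.Echo vbTab & "-Delete an object."
    If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _
        WScript.Echo vbTab & "-Read permissions."
    If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _
        WScript.Echo vbTab & "-Write permissions."
    If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _
        WScript.Echo vbTab & "-Modify owner."

    WScript.Echo VbCrLf & "Directory Service Specific Access Rights"
    If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _
        WScript.Echo vbTab & "-Create child objects."
    If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _
        WScript.Echo vbTab & "-Delete child objects."
    If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _
        WScript.Echo vbTab & "-Enumerate an object."
    If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _
        WScript.Echo vbTab & "-Read the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _
        WScript.Echo vbTab & "-Write the properties of an object."
    If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _
        WScript.Echo vbTab & "-Delete a tree of objects."
    If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _
        WScript.Echo vbTab & "-List a tree of objects."

    WScript.Echo VbCrLf & "Control Access Rights"
    ' Both control bits clear: nothing to report in this group.
    If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + _
        (AccessMask And ADS_RIGHT_DS_SELF) = 0 Then
        WScript.Echo "-None"
    Else
        If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _
            WScript.Echo vbTab & "-Extended access rights."
        If (AccessMask And ADS_RIGHT_DS_SELF) Then
            WScript.Echo vbTab & _
                "-Active Directory must validate a property "
            WScript.Echo vbTab & _
                " write operation beyond the schema definition "
            WScript.Echo vbTab & " for the attribute."
        End If
    End If
End Sub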
This is a VBScript; it can be run by saving the file with a .vbs extension.