
AD Security Object Editing for Groups of Users


Cstorms

IS-IT--Management
Sep 29, 2006
556
US
Hello, it appears I am in a bit of a pickle. We are using a utility to do certain migration operations, but in the process it seems to uncheck "Security tab -> Advanced -> Allow inheritable permissions from parent to propagate" on the AD user object. I actually need this to be checked, but there are a ton of users and I was looking for a way to automate this. Unfortunately I have no clue how to write this or what would be required. Any advice would be very welcome. Thanks!

Cory
 
Reading your post, the first thing that comes to mind is that you need to contact the company that makes the migration utility and have them fix their bug, and provide you with a solution to do this.

I have a script that I wrote to audit permission issues in AD, but it does not reset them. I'll clean it up and post it shortly. It will give you an idea of the scope of your issue.

One other thing comes to mind. For any user who has ever been a member of a group that has elevated AD privileges (Domain Admins, Account Operators, etc.), or who is nested in one of those groups, AD will automatically disable the inherited permissions on their account.

You can test for this by running the following command on your domain controller:

ldifde -f userdump.txt -r "(&(objectClass=user)(objectCategory=person)(adminCount=1))" -l "canonicalName"

If you find users in the resulting text file that you don't believe have elevated permissions, then the problem is probably related to group membership and not your migration tool.

Good Luck!

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
 
Here's the code...

Code:
'===============================================================================
'
'       URLS: http://www.activexperts.com/activmonitor/windowsmanagement/adminscripts/usersgroups/users/
'             http://msdn2.microsoft.com/en-us/library/aa706128(VS.85).aspx
'
'    COMMENT: The script logs to CSV format whether the inheritance flag is
' enabled or disabled.  Inheritance is typically only disabled on accounts that
' are subject to the 'adminSDHolder' (Enterprise, Domain, Schema Admins, etc...)
'
'===============================================================================
Option Explicit

Dim sFilter, sAttributes, sDefaultNC, sQuery, iNtSecDescCont, sUserDN, sLog
Dim oRootDSE, oConnection, oCommand, oRecordSet, oUser, oNtSecDesc
Dim oFSO, oTSLog

' SE_DACL_PROTECTED bit of the security descriptor's Control field; it is set
' when "Allow inheritable permissions from parent to propagate" is unchecked
Const SE_DACL_PROTECTED = &H1000

' Bind to Active Directory so that future calls will not re-bind (more efficient)
Set oRootDSE = GetObject("LDAP://RootDSE")

' Set up ADO Connection to Active Directory
Set oConnection = CreateObject("ADODB.Connection")
oConnection.Provider = "ADsDSOObject"
oConnection.Open "Active Directory Provider"

' Set up ADO Command with typical properties, reference ADO connection
Set oCommand = CreateObject("ADODB.Command")
Set oCommand.ActiveConnection = oConnection
oCommand.Properties("Page Size") = 100
oCommand.Properties("Timeout") = 30
oCommand.Properties("Cache Results") = False

' Prepare AD Query (Returns DNs of all users in AD)
sFilter = "(&(objectClass=user)(objectCategory=person))"
sAttributes = "distinguishedName"
sDefaultNC = oRootDSE.Get("defaultNamingContext")
sQuery = "<LDAP://" & sDefaultNC & ">;" & sFilter & ";" & sAttributes & ";subtree"

' Execute query and return results to RecordSet object
oCommand.CommandText = sQuery
Set oRecordSet = oCommand.Execute

' Open Output File (2 = ForWriting, True = create if missing)
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set oTSLog = oFSO.OpenTextFile("Output.csv", 2, True)

' Write CSV header line
oTSLog.WriteLine "DN,Inheritance"

' Loop through records (User DNs)
Do Until oRecordSet.EOF
    ' Copy user DN to short variable
    sUserDN = oRecordSet.Fields("distinguishedName").Value

    ' Start Data line for Output file (DN is quoted because it contains commas)
    sLog = """" & sUserDN & """"

    ' Bind to User object
    Set oUser = GetObject("LDAP://" & sUserDN)
    ' Retrieve Security Descriptor
    Set oNtSecDesc = oUser.Get("ntSecurityDescriptor")

    ' Acquire the SD Control Property to detect inheritance setting
    iNtSecDescCont = oNtSecDesc.Control

    ' Bitwise test: a non-zero result means the DACL is protected (inheritance off)
    If iNtSecDescCont And SE_DACL_PROTECTED Then
        sLog = sLog & ",Disabled"
    Else
        sLog = sLog & ",Enabled"
    End If

    ' Write results to Output File
    oTSLog.WriteLine sLog

    ' Advance to next record in recordset
    oRecordSet.MoveNext
Loop

' Flush and close the output file, then release the ADO objects
oTSLog.Close
oRecordSet.Close
oConnection.Close

PSC

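As an added example (not code from the thread or from PSC), here is a PowerShell version of the same audit, covering both the adminCount check from the first reply and the SE_DACL_PROTECTED test from the script, with an optional -Fix switch that restores inheritance. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and rights to write nTSecurityDescriptor; the $Report path and the -Fix switch are my own names.

```powershell
# Added example: audit AD user objects whose DACL has inheritance blocked and
# optionally re-enable it. Accounts with adminCount=1 are only reported, never
# changed: SDProp re-stamps them from adminSDHolder (and re-blocks inheritance)
# on its own schedule, so "fixing" them just creates churn and hides the real
# cause, which is current or past membership in a protected group.
param(
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,
    [string]$Report     = ".\Inheritance.csv",   # assumed output path
    [switch]$Fix                                  # assumed switch name
)
Import-Module ActiveDirectory -ErrorAction Stop

$rows = foreach ($u in Get-ADUser -Filter * -SearchBase $SearchBase -Properties adminCount) {
    $path = "AD:\" + $u.DistinguishedName
    $acl  = Get-Acl -Path $path
    # AreAccessRulesProtected reflects the SE_DACL_PROTECTED control bit
    $blocked   = $acl.AreAccessRulesProtected
    $protected = ($u.adminCount -eq 1)           # same set ldifde returned above
    $action    = 'None'

    if ($blocked -and $protected) {
        $action = 'SkippedAdminSDHolder'
    } elseif ($blocked -and $Fix) {
        # (isProtected=$false, preserveInheritance=$true): turn inheritance back
        # on and keep the existing explicit ACEs instead of discarding them.
        $acl.SetAccessRuleProtection($false, $true)
        Set-Acl -Path $path -AclObject $acl
        $action = 'InheritanceRestored'
    }

    $inh = if ($blocked) { 'Disabled' } else { 'Enabled' }
    [pscustomobject]@{
        DN          = $u.DistinguishedName
        Inheritance = $inh
        adminCount  = $u.adminCount
        Action      = $action
    }
}

$rows | Export-Csv -Path $Report -NoTypeInformation
# Summary: how many accounts fall in each state, and what was done to them
$rows | Group-Object Inheritance, Action | Select-Object Count, Name
```

Run it without -Fix first and review the SkippedAdminSDHolder rows: a user listed there who is no longer in any protected group still carries adminCount=1 from an earlier membership, which is the group-membership case PSC describes rather than a migration-tool defect.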
 
Thank you very much for the info. Your insight was appreciated. Apparently I was issued an older build of their product; luckily I had only done a smaller batch of users and had this problem. I got the latest build and all is well (so far). The script you posted may come in handy in the future. Thanks again :)

Cory
 