Chapter 12: Windows 2000 Management Code

   

Chapter 12: Windows 2000 Management Code

Binding to the Root DS Entry (RootDSE) Using a VBScript Active Server Page

 ' Binds to the directory's RootDSE with the current credentials and writes its
 ' operational attributes to the page, one "<label><value><BR>" line per value.
 Dim RootDSE
 Set RootDSE = GetObject("LDAP://RootDSE")

 ' Writes one single-valued RootDSE attribute after its label.
 Sub WriteValue(Label, AttributeName)
     Response.Write Label & RootDSE.Get(AttributeName) & "<BR>"
 End Sub

 ' Writes every value of a multi-valued RootDSE attribute, repeating the label.
 Sub WriteEachValue(Label, AttributeName)
     Dim Item
     For Each Item In RootDSE.Get(AttributeName)
         Response.Write Label & Item & "<BR>"
     Next
 End Sub

 ' The order below is the order the lines appear on the page.
 WriteValue "Current Time: ", "CurrentTime"
 WriteValue "SubSchemaSubEntry: ", "SubSchemaSubEntry"
 WriteValue "DsServiceName: ", "DsServiceName"
 WriteEachValue "Naming Context: ", "NamingContexts"
 WriteValue "Default Naming Context: ", "DefaultNamingContext"
 WriteValue "Schema Naming Context: ", "SchemaNamingContext"
 WriteValue "Configuration Naming Context: ", "ConfigurationNamingContext"
 WriteValue "Root Domain Naming Context: ", "RootDomainNamingContext"
 WriteEachValue "Supported Control: ", "SupportedControl"
 WriteEachValue "Supported LDAP Version: ", "SupportedLDAPVersion"
 WriteValue "Highest Committed USN: ", "HighestCommittedUSN"
 WriteEachValue "Supported SASL Mechanism: ", "SupportedSASLMechanisms"
 WriteValue "DNS Host Name: ", "DnsHostName"
 WriteValue "LDAP Service Name: ", "LdapServiceName"
 WriteValue "Server Name: ", "ServerName"

Using the RootDSE DefaultNamingContext Attribute to Bind to an Active Directory Object Using Current Credentials In a VBScript Active Server Page

 ' Binds to the domain named by RootDSE's DefaultNamingContext, using the
 ' credentials the page is already running under (no user name or password
 ' is passed to GetObject).
 Dim RootDSE, DefaultDomain
 Dim DomainPath

 Set RootDSE = GetObject("LDAP://RootDSE")
 DomainPath = "LDAP://" & RootDSE.Get("DefaultNamingContext")
 Set DefaultDomain = GetObject(DomainPath)

Binding to an Active Directory Object Using Alternate Credentials In a VBScript Active Server Page

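 ' Binds to a directory object as a named account instead of the account the
 ' page runs under, by calling OpenDSObject on the LDAP namespace object.
 '
 ' VBScript has no built-in ADSI constants. An undeclared name evaluates to
 ' Empty (0), so without this definition the secure-authentication flag would
 ' silently not be requested. Omit this line if the page already brings the
 ' ADSI constants into scope (type library reference or include file).
 Const ADS_SECURE_AUTHENTICATION = &H1

 Dim DSO
 Dim Obj
 Dim AdsPath
 Dim AlternateUser_UPN
 Dim AlternateUser_Password

 AdsPath = "LDAP://Server_Name.ResearchDevelopment.TestInfra/cn=Users,dc=ResearchDevelopment, dc=TestInfra"

 ' NOTE(review): sample values from the text. A password stored in page source
 ' is readable by anyone who can read the .asp file; keep real credentials out
 ' of the page and prefer the current-credential bind where it is sufficient.
 AlternateUser_UPN = "thomas.eck@ResearchDevelopment.TestInfra"
 AlternateUser_Password = "P0l1t1c@l@rs0ni$t"

 Set DSO = GetObject("LDAP:")
 Set Obj = DSO.OpenDSObject(AdsPath, AlternateUser_UPN, AlternateUser_Password, ADS_SECURE_AUTHENTICATION)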

Determining Which Object Attributes Are Replicated to the Global Catalog Using a VBScript Active Server Page

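 ' Lists the cn of every attributeSchema object whose
 ' isMemberOfPartialAttributeSet is TRUE, i.e. the attributes replicated to
 ' the Global Catalog, by querying the schema container through ADO.
 '
 ' Changes from the printed listing, all needed for the code to run as
 ' VBScript in an ASP page:
 '   - "New ADODB.Connection" is Visual Basic syntax; ASP creates the object
 '     with Server.CreateObject.
 '   - "Next i" / "Next j" are not valid VBScript; Next takes no variable.
 '   - adVariant is an ADO constant that VBScript does not define. Omit the
 '     Const if the page already includes the ADO constants.
 Const adVariant = 12

 Dim Connection
 Dim RS
 Dim Entry
 Dim RootDSE
 Dim SchemaContainer
 Dim i, j

 Set Connection = Server.CreateObject("ADODB.Connection")
 Connection.Provider = "ADsDSOObject"
 Connection.Open "ADSI"

 Set RootDSE = GetObject("LDAP://RootDSE")
 Set SchemaContainer = GetObject("LDAP://" & RootDSE.Get("SchemaNamingContext"))

 ' The path concatenated into the query comes from RootDSE, not from the request.
 Set RS = Connection.Execute("SELECT cn FROM '" & SchemaContainer.AdsPath & "' where isMemberOfPartialAttributeSet = TRUE AND objectCategory = 'attributeSchema'")

 While Not RS.EOF
     ' Build one tab-separated line per row, then write it once all fields are added.
     Entry = ""
     For i = 0 To RS.Fields.Count - 1
         If RS.Fields(i).Type = adVariant And Not (IsNull(RS.Fields(i).Value)) Then
             ' Multi-valued field: append each value in turn.
             For j = LBound(RS.Fields(i).Value) To UBound(RS.Fields(i).Value)
                 Entry = Entry & RS.Fields(i).Value(j) & vbTab
             Next
         Else
             Entry = Entry & RS.Fields(i).Value & vbTab
         End If
     Next
     Response.Write Entry & "<BR>"
     RS.MoveNext
 Wend

 ' Release the recordset and the connection once the listing is complete.
 RS.Close
 Connection.Close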

Displaying All User Class Objects in the Active Directory Using a VBScript Active Server Page

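 ' Writes the ADsPath of every user-class object found directly in one
 ' organizational unit of the default domain.
 Dim RootDSE
 Dim UserContainer
 Dim User
 Dim RelativePathFromDomainToUserContainer

 ' Must end with a comma: it is prepended directly to the domain DN.
 RelativePathFromDomainToUserContainer = "ou=user accounts,"

 Set RootDSE = GetObject("LDAP://RootDSE")
 Set UserContainer = GetObject("LDAP://" & RelativePathFromDomainToUserContainer & RootDSE.Get("DefaultNamingContext"))

 ' Restrict enumeration of the container to the User class.
 UserContainer.Filter = Array("User")

 For Each User In UserContainer
     ' Object names are directory data that may contain HTML metacharacters,
     ' so encode the path before writing it into the page.
     Response.Write Server.HTMLEncode(User.AdsPath) & "<BR>"
 Next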

Displaying All Group Class Objects in the Active Directory Using a VBScript Active Server Page

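 ' Writes the ADsPath of every group-class object found directly in one
 ' organizational unit of the default domain.
 Dim RootDSE
 Dim GroupContainer
 Dim Group
 Dim RelativePathFromDomainToGroupContainer

 ' Must end with a comma: it is prepended directly to the domain DN.
 RelativePathFromDomainToGroupContainer = "ou=Groups,ou=Chicago,"

 Set RootDSE = GetObject("LDAP://RootDSE")
 Set GroupContainer = GetObject("LDAP://" & RelativePathFromDomainToGroupContainer & RootDSE.Get("defaultNamingContext"))

 ' Restrict enumeration of the container to the Group class.
 GroupContainer.Filter = Array("Group")

 For Each Group In GroupContainer
     ' Object names are directory data that may contain HTML metacharacters,
     ' so encode the path before writing it into the page.
     Response.Write Server.HTMLEncode(Group.AdsPath) & "<BR>"
 Next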

Displaying All Computer Class Objects in the Active Directory Using a VBScript Active Server Page

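 ' Writes the ADsPath of every computer-class object found directly in one
 ' organizational unit of the default domain.
 Dim RootDSE
 Dim ComputerAccountContainer
 Dim ComputerAccount
 Dim RelativePathFromDomainToComputerContainer

 ' The relative path is prepended directly to the domain DN, so it must end
 ' with a comma. The printed listing omitted it, which would run "ou=Chicago"
 ' into the first "dc=" component and produce an invalid path.
 RelativePathFromDomainToComputerContainer = "ou=Workstations,ou=Computer Accounts,ou=Chicago,"

 Set RootDSE = GetObject("LDAP://RootDSE")
 Set ComputerAccountContainer = GetObject("LDAP://" & RelativePathFromDomainToComputerContainer & RootDSE.Get("defaultNamingContext"))

 ' Restrict enumeration of the container to the Computer class.
 ComputerAccountContainer.Filter = Array("Computer")

 For Each ComputerAccount In ComputerAccountContainer
     ' Object names are directory data that may contain HTML metacharacters,
     ' so encode the path before writing it into the page.
     Response.Write Server.HTMLEncode(ComputerAccount.AdsPath) & "<BR>"
 Next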

Creating Objects in the Active Directory Using a VBScript Active Server Page

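 ' Creates a new object in a container of the default domain, sets its
 ' mandatory properties, and commits it to the directory with SetInfo.
 '
 ' The printed listing declared ObjectName but assigned and used
 ' ObjectRelativeName; the declaration below matches the name actually used.
 Dim RootDSE
 Dim Container
 Dim RelativePathToObject
 Dim ObjectClass
 Dim ObjectRelativeName
 Dim NewObject
 Dim MandatoryProperty1_Name
 Dim MandatoryProperty1_Value
 'Define more mandatory properties as needed

 ' Must end with a comma: it is prepended directly to the domain DN.
 RelativePathToObject = "ou=administrators,"
 ObjectClass = "user"
 ObjectRelativeName = "cn=TestAdmin"
 MandatoryProperty1_Name = "SAMAccountName"
 MandatoryProperty1_Value = "TestAdmin"
 'If you dimensioned additional mandatory properties, assign them here

 Set RootDSE = GetObject("LDAP://RootDSE")
 Set Container = GetObject("LDAP://" & RelativePathToObject & RootDSE.Get("defaultNamingContext"))

 ' Create only builds the object locally; nothing is written until SetInfo.
 Set NewObject = Container.Create(ObjectClass, ObjectRelativeName)
 NewObject.Put MandatoryProperty1_Name, MandatoryProperty1_Value
 'Assign additional mandatory properties to the object here
 NewObject.SetInfo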

Displaying Object Classes and Associated Mandatory Attributes Using a VBScript Active Server Page

 ' Binds to one object of the default domain, writes its name and class, then
 ' binds to that class's schema object and writes each mandatory property.
 Dim RootDSE, RelativePath
 Dim ObjectName, ObjectClass, Obj
 Dim MandatoryProperty

 ' Must end with a comma: it is prepended directly to the domain DN.
 RelativePath = "cn=System,"

 Set RootDSE = GetObject("LDAP://RootDSE")
 ADsPath = "LDAP://" & RelativePath & RootDSE.Get("DefaultNamingContext")
 Set ObjectName = GetObject(ADsPath)

 With ObjectName
     Response.Write "Object Name: " & .Name & "<BR>"
     Response.Write "Object Class: " & .Class & "<BR>"
     ' .Schema is the path of the schema class object for this entry.
     Set ObjectClass = GetObject(.Schema)
 End With

 For Each MandatoryProperty In ObjectClass.MandatoryProperties
     Response.Write MandatoryProperty & "<BR>"
 Next

Removing Objects from the Active Directory Using a VBScript Active Server Page

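 ' Deletes one named object of a given class from a container of the default
 ' domain. The deletion runs as soon as the page is requested; the listing
 ' itself performs no confirmation or authorization check.
 '
 ' The printed listing declared ObjectName but assigned and used
 ' ObjectRelativeName; the declaration below matches the name actually used.
 Dim RootDSE
 Dim Container
 Dim RelativePathToObject
 Dim ObjectClass
 Dim ObjectRelativeName

 ' Must end with a comma: it is prepended directly to the domain DN.
 RelativePathToObject = "ou=administrators,"
 ObjectClass = "user"
 ObjectRelativeName = "cn=TestAdmin"

 Set RootDSE = GetObject("LDAP://RootDSE")
 Set Container = GetObject("LDAP://" & RelativePathToObject & RootDSE.Get("DefaultNamingContext"))

 Call Container.Delete(ObjectClass, ObjectRelativeName)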

Deleting an Entire Branch of a Directory Tree Using a VBScript Active Server Page

 ' Binds to a container of the default domain and calls DeleteObject on it,
 ' which removes the container together with everything beneath it.
 ' The call runs as soon as the page is requested.
 Dim RootDSE, Container
 Dim RelativePathToObject
 Dim BranchPath

 ' Must end with a comma: it is prepended directly to the domain DN.
 RelativePathToObject = "ou=Print Queues,"

 Set RootDSE = GetObject("LDAP://RootDSE")
 BranchPath = "LDAP://" & RelativePathToObject & RootDSE.Get("DefaultNamingContext")
 Set Container = GetObject(BranchPath)

 ' The single argument is passed as 0, as in the printed listing.
 Container.DeleteObject 0

Renaming Objects in the Active Directory Using a VBScript Active Server Page

 ' Renames an object in place: MoveHere is called on the container the object
 ' already lives in, with a new relative name.
 Dim Container, NewObjectName
 Dim SourcePath, NewRelativeName

 SourcePath = "LDAP://cn=Administrator,ou=Admins,dc=eCommerce2000,dc=com"
 NewRelativeName = "cn=DMZAdmin"

 Set Container = GetObject("LDAP://ou=Admins,dc=eCommerce2000,dc=com")
 ' MoveHere returns the object under its new name.
 Set NewObjectName = Container.MoveHere(SourcePath, NewRelativeName)

Moving Objects Within a Tree Using a VBScript Active Server Page

 ' Moves an object to another container of the same tree: MoveHere is called
 ' on the destination container, and the relative name is kept unchanged.
 Dim Container, NewObjectName
 Dim SourcePath, RelativeName

 SourcePath = "LDAP://cn=DMZAdmin,ou=Admins,dc=eCommerce2000,dc=com"
 RelativeName = "cn=DMZAdmin"

 Set Container = GetObject("LDAP://ou=Users,dc=eCommerce2000,dc=com")
 ' MoveHere returns the object at its new location.
 Set NewObjectName = Container.MoveHere(SourcePath, RelativeName)

Enumerating the ACEs Within an Active Directory ACL Using a VBScript Active Server Page

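 ' Enumerates the ACEs in an object's discretionary ACL. For each ACE it writes
 ' the trustee, then one line per access right whose bit is set in AccessMask:
 '   "<RIGHT>"                                    no object GUIDs on the ACE
 '   "<RIGHT> for SchemaIDGuid: <guid>"           ObjectType is set
 '   "Inherited <RIGHT> for SchemaIDGuid: <guid>" InheritedObjectType is set
 '
 ' Changes from the printed listing:
 '   - "zSet DiscretionaryACL" was a typo for "Set".
 '   - The nineteen copies of the same If block are folded into one helper
 '     driven by a table; rights are still reported in the original order.
 '   - The mask values are written out, because VBScript does not define the
 '     ADS_RIGHT_* names and an undeclared name evaluates to 0, which would
 '     make every test fail and print no rights at all.
 '
 ' NOTE(review): the code never reads ACE.AceType, so an access-denied ACE is
 ' reported exactly like an access-allowed one. Do not read this output as a
 ' list of granted rights without also checking the ACE type.
 Dim Obj
 Dim ACE
 Dim DiscretionaryACL
 Dim SecurityDescriptor
 Dim ObjectDistinguishedName
 Dim RightsTable
 Dim r

 ' Name / bit pairs (ADS_RIGHTS_ENUM), in the order they are reported.
 RightsTable = Array( _
     "ADS_RIGHT_DELETE", &H10000, _
     "ADS_RIGHT_READ_CONTROL", &H20000, _
     "ADS_RIGHT_WRITE_DAC", &H40000, _
     "ADS_RIGHT_WRITE_OWNER", &H80000, _
     "ADS_RIGHT_SYNCHRONIZE", &H100000, _
     "ADS_RIGHT_ACCESS_SYSTEM_SECURITY", &H1000000, _
     "ADS_RIGHT_GENERIC_READ", &H80000000, _
     "ADS_RIGHT_GENERIC_WRITE", &H40000000, _
     "ADS_RIGHT_GENERIC_EXECUTE", &H20000000, _
     "ADS_RIGHT_GENERIC_ALL", &H10000000, _
     "ADS_RIGHT_DS_CREATE_CHILD", &H1, _
     "ADS_RIGHT_DS_DELETE_CHILD", &H2, _
     "ADS_RIGHT_ACTRL_DS_LIST", &H4, _
     "ADS_RIGHT_DS_SELF", &H8, _
     "ADS_RIGHT_DS_READ_PROP", &H10, _
     "ADS_RIGHT_DS_WRITE_PROP", &H20, _
     "ADS_RIGHT_DS_DELETE_TREE", &H40, _
     "ADS_RIGHT_DS_LIST_OBJECT", &H80, _
     "ADS_RIGHT_DS_CONTROL_ACCESS", &H100)

 ' Writes the line for one right that is present on the given ACE.
 Sub WriteRight(Entry, RightName)
     If (Entry.ObjectType = "" And Entry.InheritedObjectType = "") Then
         Response.Write RightName & "<BR>"
     ElseIf Entry.InheritedObjectType = "" Then
         Response.Write RightName & " for SchemaIDGuid: " & Entry.ObjectType & "<BR>"
     Else
         Response.Write "Inherited " & RightName & " for SchemaIDGuid: " & Entry.InheritedObjectType & "<BR>"
     End If
 End Sub

 ObjectDistinguishedName = "ou=Admins,dc=eCommerce2000,dc=com"
 Set Obj = GetObject("LDAP://" & ObjectDistinguishedName)
 Set SecurityDescriptor = Obj.Get("ntSecurityDescriptor")
 Set DiscretionaryACL = SecurityDescriptor.DiscretionaryACL

 For Each ACE In DiscretionaryACL
     Response.Write ACE.Trustee & "<BR>"
     ' Table entries come in pairs: name at r, bit mask at r + 1.
     For r = 0 To UBound(RightsTable) - 1 Step 2
         If (ACE.AccessMask And RightsTable(r + 1)) <> 0 Then
             WriteRight ACE, RightsTable(r)
         End If
     Next
 Next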

Adding an ACE to an Active Directory Object ACL Using a VBScript Active Server Page

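 ' Adds an access-allowed ACE for one trustee to an object's discretionary ACL
 ' and writes the modified security descriptor back to the directory.
 '
 ' The printed listing bound to "LDAP://ou=ou=Admins,..." with a doubled
 ' "ou="; the path below uses the single "ou=Admins" form.
 '
 ' NOTE(review): the ADS_RIGHT_*, ADS_ACEFLAG_* and ADS_ACETYPE_* names are
 ' not built into VBScript. They must be in scope (type library reference or
 ' include file); an undeclared name evaluates to 0 and the ACE would then be
 ' written with an empty access mask. Confirm before relying on this page.
 Dim Obj
 Dim SecurityDescriptor
 Dim ACE
 Dim DACL

 Set Obj = GetObject("LDAP://ou=Admins,dc=eCommerce2000,dc=com")
 Set SecurityDescriptor = Obj.Get("ntSecurityDescriptor")
 Set DACL = SecurityDescriptor.DiscretionaryACL

 Set ACE = CreateObject("AccessControlEntry")
 ACE.AccessMask = ADS_RIGHT_DELETE Or ADS_RIGHT_GENERIC_READ Or ADS_RIGHT_GENERIC_WRITE
 ACE.AceFlags = ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE
 ACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
 ACE.Trustee = "eCommerce2000\DMZAdmin"
 DACL.AddAce ACE

 ' Nothing changes in the directory until the descriptor is put back and
 ' committed with SetInfo.
 SecurityDescriptor.DiscretionaryACL = DACL
 Obj.Put "ntSecurityDescriptor", Array(SecurityDescriptor)
 Obj.SetInfo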

Removing an ACE from an Active Directory Object ACL Using a VBScript Active Server Page

 ' Removes every ACE whose trustee is the Guest account from an object's
 ' discretionary ACL and writes the modified descriptor back to the directory.
 '
 ' The match is on the trustee name only (compared in upper case), so ACEs of
 ' any type are removed, including access-denied entries for that trustee.
 Dim Obj, SecurityDescriptor, DACL, ACE
 Dim IsTargetTrustee

 Set Obj = GetObject("LDAP://cn=Guest,ou=users, dc=eCommerce2000,dc=com")
 Set SecurityDescriptor = Obj.Get("ntSecurityDescriptor")
 Set DACL = SecurityDescriptor.DiscretionaryACL

 For Each ACE In DACL
     IsTargetTrustee = (UCase(ACE.Trustee) = "ECOMMERCE2000\GUEST")
     If IsTargetTrustee Then DACL.RemoveAce ACE
 Next

 ' Nothing changes in the directory until the descriptor is put back and
 ' committed with SetInfo.
 SecurityDescriptor.DiscretionaryACL = DACL
 Obj.Put "ntSecurityDescriptor", Array(SecurityDescriptor)
 Obj.SetInfo

Adding an ACE to an Active Directory Organizational Unit ACL with Inheritance to All Child Objects Using a VBScript Active Server Page

 ' Adds an access-allowed, generic-read ACE for one trustee to an
 ' organizational unit's discretionary ACL with the inherit flag set, then
 ' writes the modified security descriptor back to the directory.
 Dim Obj, SecurityDescriptor, DACL, ACE

 Set Obj = GetObject("LDAP://ou=Admins,dc=eCommerce2000,dc=com")
 Set SecurityDescriptor = Obj.Get("ntSecurityDescriptor")
 Set DACL = SecurityDescriptor.DiscretionaryACL

 Set ACE = CreateObject("AccessControlEntry")
 With ACE
     .AccessMask = ADS_RIGHT_GENERIC_READ
     .AceFlags = ADS_ACEFLAG_INHERIT_ACE
     .AceType = ADS_ACETYPE_ACCESS_ALLOWED
     .Trustee = "eCommerce2000\DMZAdmin"
 End With
 DACL.AddAce ACE

 ' Nothing changes in the directory until the descriptor is put back and
 ' committed with SetInfo.
 SecurityDescriptor.DiscretionaryACL = DACL
 Obj.Put "ntSecurityDescriptor", Array(SecurityDescriptor)
 Obj.SetInfo

Adding an ACE to an Active Directory Organizational Unit ACL with Inheritance to a Single Class of Child Objects Using a VBScript Active Server Page

 ' Adds an object-specific access-allowed ACE (delete-tree right, inherit flag
 ' set) for one trustee to an organizational unit's discretionary ACL, then
 ' writes the modified security descriptor back to the directory.
 Dim Obj, SecurityDescriptor, DACL, ACE

 Set Obj = GetObject("LDAP://ou=Admins,dc=eCommerce2000,dc=com")
 Set SecurityDescriptor = Obj.Get("ntSecurityDescriptor")
 Set DACL = SecurityDescriptor.DiscretionaryACL

 Set ACE = CreateObject("AccessControlEntry")
 With ACE
     .AccessMask = ADS_RIGHT_DS_DELETE_TREE
     .AceFlags = ADS_ACEFLAG_INHERIT_ACE
     .AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
     ' Flags marks ObjectType as populated; ObjectType is the schema GUID
     ' the ACE is scoped to.
     .Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
     .ObjectType = "{BF967A9C-0DE6-11D0-A285-00AA003049E2}"
     .Trustee = "eCommerce2000\DMZAdmin"
 End With
 DACL.AddAce ACE

 ' Nothing changes in the directory until the descriptor is put back and
 ' committed with SetInfo.
 SecurityDescriptor.DiscretionaryACL = DACL
 Obj.Put "ntSecurityDescriptor", Array(SecurityDescriptor)
 Obj.SetInfo

Removing an ACE from an Active Directory Organizational Unit ACL with Inheritance to a Single Class of Child Objects Using a VBScript Active Server Page

 ' Removes, from an organizational unit's discretionary ACL, every ACE that
 ' names one trustee and carries one specific ObjectType GUID, then writes
 ' the modified descriptor back to the directory.
 '
 ' The match is on trustee (compared in upper case) and ObjectType only; the
 ' ACE type is not examined.
 Dim Obj, SecurityDescriptor, DACL, ACE
 Dim TrusteeMatches, ObjectTypeMatches

 Set Obj = GetObject("LDAP://ou=Admins,dc=eCommerce2000,dc=com")
 Set SecurityDescriptor = Obj.Get("ntSecurityDescriptor")
 Set DACL = SecurityDescriptor.DiscretionaryACL

 For Each ACE In DACL
     TrusteeMatches = (UCase(ACE.Trustee) = "ECOMMERCE2000\DMZADMIN")
     ObjectTypeMatches = (ACE.ObjectType = "{BF967A9C-0DE6-11D0-A285-00AA003049E2}")
     If TrusteeMatches And ObjectTypeMatches Then DACL.RemoveAce ACE
 Next

 ' Nothing changes in the directory until the descriptor is put back and
 ' committed with SetInfo.
 SecurityDescriptor.DiscretionaryACL = DACL
 Obj.Put "ntSecurityDescriptor", Array(SecurityDescriptor)
 Obj.SetInfo

Adding an ACE to an Active Directory Organizational Unit ACL with Inheritance to a Single Property for an Object Class Using a VBScript Active Server Page

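 ' Adds an object-specific access-allowed ACE granting read and write on a
 ' single property (identified by the GUID in ObjectType) to the
 ' "NT AUTHORITY\SELF" trustee, with the inherit flag set, then writes the
 ' modified security descriptor back to the directory.
 '
 ' The printed listing set ObjectType without setting Flags. An
 ' object-specific ACE uses Flags to declare that ObjectType holds a value, so
 ' ADS_FLAG_OBJECT_TYPE_PRESENT is set here. Without it the property scoping
 ' may not be honoured -- TODO confirm the resulting ACE on a test object.
 '
 ' NOTE(review): the ADS_* names are not built into VBScript and must be in
 ' scope (type library reference or include file); an undeclared name
 ' evaluates to 0.
 Dim Obj
 Dim SecurityDescriptor
 Dim ACE
 Dim DACL

 Set Obj = GetObject("LDAP://ou=Admins,dc=eCommerce2000,dc=com")
 Set SecurityDescriptor = Obj.Get("ntSecurityDescriptor")
 Set DACL = SecurityDescriptor.DiscretionaryACL

 Set ACE = CreateObject("AccessControlEntry")
 ACE.AccessMask = ADS_RIGHT_DS_READ_PROP Or ADS_RIGHT_DS_WRITE_PROP
 ACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
 ACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
 ACE.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
 ACE.ObjectType = "{BF967A49-0DE6-11D0-A285-00AA003049E2}"
 ACE.Trustee = "NT AUTHORITY\SELF"
 DACL.AddAce ACE

 ' Nothing changes in the directory until the descriptor is put back and
 ' committed with SetInfo.
 SecurityDescriptor.DiscretionaryACL = DACL
 Obj.Put "ntSecurityDescriptor", Array(SecurityDescriptor)
 Obj.SetInfo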

   


Windows NT. 2000 ADSI Scripting for System Administration
Windows NT/2000 ADSI Scripting for System Administration
ISBN: 1578702194
EAN: 2147483647
Year: 2000
Pages: 194
Authors: Thomas Eck
