WinBatch Tech Support Home


User Permissions on an AD Object

 Keywords: dsGetProperty dsAclGetAces dsGetSecProp Permissions ACE ACL SACL DACL AD Object ADSI Security Descriptor Access Control List Entries 

Question:

I need a script to run that will return the permissions the user has to an AD object, like an Organizational Unit or a group. The script will run as the user and give back the permissions they are allowed on the specified object.

Answer:

Reading the object's ntSecurityDescriptor attribute with dsGetProperty returns a security descriptor handle. The dsGetSecProp function then extracts the descriptor's parts: the owner, the group, the DACL (the list of ACEs that allow or deny trustees rights such as create child, delete, read property, write property) and the SACL (audit entries). Use dsAclGetAces to obtain the ACEs in an ACL, and dsGetSecProp again on each ACE to read its Trustee, AceType and AccessMask.

Two caveats apply when the script runs as the user. First, the SACL is only returned to callers that hold SeSecurityPrivilege; an ordinary user gets the DACL but an empty SystemAcl. Second, the DACL tells you which trustees are granted or denied which rights; it is not the same as the user's effective access. To derive that you would have to match each ACE's Trustee against the user's account and every group the user belongs to, and apply deny entries ahead of allow entries.

;Load Appropriate Extender
If WinMetrics(-2) == 3 Then AddExtender("WWADS64I.DLL") ; 64-bit
Else AddExtender("WWADS44I.DLL") ; 32-bit

; Get an object's Security Descriptor (the handle returned by dsGetProperty
; is what dsGetSecProp works on).
sPropertyName = "ntSecurityDescriptor"
sAdsiPath = "LDAP://Mydomain/cn=myuser,cn=users,dc=Mydomain,dc=SiteDomain,dc=com"
secSD = dsGetProperty(sAdsiPath, sPropertyName)
; Get Security Descriptor properties.
sList = ""
sValue = dsGetSecProp( secSD, "Revision")
sList = ItemInsert(sValue, -1, sList, @TAB)
sValue = dsGetSecProp( secSD, "Control")
sList = ItemInsert(sValue, -1, sList, @TAB)
sValue = dsGetSecProp( secSD, "Owner")
sList = ItemInsert(sValue, -1, sList, @TAB)
sValue = dsGetSecProp( secSD, "OwnerDefaulted")
sList = ItemInsert(sValue, -1, sList, @TAB)
sValue = dsGetSecProp( secSD, "Group")
sList = ItemInsert(sValue, -1, sList, @TAB)
sValue = dsGetSecProp( secSD, "GroupDefaulted")
sList = ItemInsert(sValue, -1, sList, @TAB)
sValue = dsGetSecProp( secSD, "DaclDefaulted")
sList = ItemInsert(sValue, -1, sList, @TAB)
; SystemAcl is empty unless the caller holds SeSecurityPrivilege.
sValue = dsGetSecProp( secSD, "SystemAcl")
sList = ItemInsert(sValue, -1, sList, @TAB)
sValue = dsGetSecProp( secSD, "SaclDefaulted")
sList = ItemInsert(sValue, -1, sList, @TAB)
sList = StrReplace( sList, @TAB, @CRLF)
Message("Security Descriptor Properties", sList)
; Get ACL properties (the DACL is itself a handle).
sList = ""
secAcl = dsGetSecProp( secSD, "DiscretionaryAcl")
sValue = dsGetSecProp(secAcl, "AclRevision")
sList = ItemInsert(sValue, -1, sList, @TAB)
sValue = dsGetSecProp(secAcl, "AceCount")
sList = ItemInsert(sValue, -1, sList, @TAB)
sList = StrReplace( sList, @TAB, @CRLF)
Message("ACL Properties", sList)
; Get the ACEs as a tab-delimited list of handles and look at the first one.
; The second argument selects which ACE types are returned; see the
; extender help for the selector values. ItemCount(sAceList, @TAB) gives
; the total, and the same dsGetSecProp calls apply to every item.
sAceList = dsAclGetAces(secAcl, 3)
secAce = ItemExtract(1, sAceList, @TAB)
; Get ACE Properties
sList = ""
sValue = dsGetSecProp( secAce, "Trustee")
sList = ItemInsert(sValue, -1, sList, @TAB)
sValue = dsGetSecProp( secAce, "AceFlags")
sList = ItemInsert(sValue, -1, sList, @TAB)
sValue = dsGetSecProp( secAce, "AceType")
sList = ItemInsert(sValue, -1, sList, @TAB)
sValue = dsGetSecProp( secAce, "Flags")
sList = ItemInsert(sValue, -1, sList, @TAB)
sValue = dsGetSecProp( secAce, "ObjectType")
sList = ItemInsert(sValue, -1, sList, @TAB)
sValue = dsGetSecProp( secAce, "AccessMask")
sList = ItemInsert(sValue, -1, sList, @TAB)
sList = StrReplace( sList, @TAB, @CRLF)
Message("ACE Properties", sList)
Exit

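The script above stops at the first ACE and shows raw numbers. The following is an added example, not code from the original article, that walks every ACE in the DACL, keeps only the entries whose Trustee matches a given account, and decodes AceType and AccessMask into readable right names. It uses the same extender functions as the article. The object path and the trustee string are placeholders, and it assumes (the article does not say) that Trustee comes back as DOMAIN\name text and that AceType and AccessMask come back as integers; the bit values are the standard Windows and ADS_RIGHTS_ENUM access-right constants written in decimal.

```winbatch
; Added example (not from the original article). Assumes the WinBatch ADSI
; extender calls shown in the article, Trustee returned as DOMAIN\name text,
; and AceType/AccessMask returned as integers.
If WinMetrics(-2) == 3 Then AddExtender("WWADS64I.DLL") ; 64-bit
Else AddExtender("WWADS44I.DLL") ; 32-bit

; Placeholders: replace with a real object path and the account to look for.
sAdsiPath = "LDAP://Mydomain/ou=Sales,dc=Mydomain,dc=SiteDomain,dc=com"
sTrustee  = StrCat(Environment("USERDOMAIN"), "\", Environment("USERNAME"))

; Decode an AD access mask into right names. Bit values are the standard
; ADS_RIGHTS_ENUM / Windows access-right constants in decimal, because the
; test is a bitwise AND (&) on the integer mask. GENERIC_* bits are omitted.
#DefineFunction DecodeMask(nMask)
   sRights = ""
   sTable = "CreateChild|1 DeleteChild|2 ListChildren|4 Self|8 ReadProperty|16 WriteProperty|32 DeleteTree|64 ListObject|128 ControlAccess|256 Delete|65536 ReadControl|131072 WriteDacl|262144 WriteOwner|524288"
   nPairs = ItemCount(sTable, " ")
   For i = 1 To nPairs
      sPair = ItemExtract(i, sTable, " ")
      sName = ItemExtract(1, sPair, "|")
      nBit  = Int(ItemExtract(2, sPair, "|"))
      If nMask & nBit Then sRights = ItemInsert(sName, -1, sRights, ",")
   Next
   If sRights == "" Then sRights = "(none)"
   Return sRights
#EndFunction

secSD    = dsGetProperty(sAdsiPath, "ntSecurityDescriptor")
secAcl   = dsGetSecProp(secSD, "DiscretionaryAcl")
sAceList = dsAclGetAces(secAcl, 3)        ; same selector the article uses
nAces    = ItemCount(sAceList, @TAB)

sReport = ""
For i = 1 To nAces
   secAce = ItemExtract(i, sAceList, @TAB)
   sWho   = dsGetSecProp(secAce, "Trustee")
   nType  = Int(dsGetSecProp(secAce, "AceType"))
   nMask  = Int(dsGetSecProp(secAce, "AccessMask"))
   ; Keep only entries that name this trustee. Group membership is NOT
   ; considered, so this lists explicit entries, not effective access.
   If StriCmp(sWho, sTrustee) == 0 Then
      ; ACE type values from the Windows ACE_HEADER definition:
      ; 0 = ACCESS_ALLOWED, 1 = ACCESS_DENIED,
      ; 5 = ACCESS_ALLOWED_OBJECT, 6 = ACCESS_DENIED_OBJECT.
      sKind = "OTHER"
      If nType == 0 || nType == 5 Then sKind = "ALLOW"
      If nType == 1 || nType == 6 Then sKind = "DENY"
      sLine = StrCat(sKind, @TAB, DecodeMask(nMask))
      sReport = ItemInsert(sLine, -1, sReport, @CRLF)
   EndIf
Next
If sReport == "" Then sReport = StrCat("No DACL entry names ", sTrustee)
Message(StrCat("Explicit DACL entries for ", sTrustee), sReport)
Exit
```

Two things to keep in mind when reading the output. A trustee whose SID cannot be resolved to a name will not match the DOMAIN\name string, so check what Trustee actually returns in your forest before relying on the comparison. And object-specific ACEs (types 5 and 6) may be scoped to a single property or child class through the ObjectType GUID, which this example does not examine; a WriteProperty bit in such an entry applies only to that property, not to the whole object.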
Reference: http://msdn.microsoft.com/en-us/library/windows/desktop/aa705951(v=vs.85).aspx
Article ID:   W17538
Filename:   User Permissions on an AD Object .txt
File Created: 2012:10:23:09:43:24
Last Updated: 2012:10:23:09:43:24