Some background information...
We have Windows 2000 Active Directory and Exchange 2003. Within a Domain Global Group's properties you have the option to set an Owner (Managed By tab). Using Windows Server 2003 (or Windows XP) you get an additional checkbox that allows you to specify that the "Manager can update membership list." This setting is specific to the security setting "Write Property." Toggling that button sets the appropriate security allowing the manager to update the list.
Now, programmatically, I can't seem to set that specific field. Honestly, I don't completely understand the dsSetSecProp function. It took me about 2 hours to get a working model where I can the AccessMask ACE. Can someone point me in the right direction? Perhaps I am using the wrong property type?
Any help would be appreciated.
Here is an example that almost works. It gives the property write permission to all the properties of the groups instead of just the "member" property.
; Requires the WinBatch ADSI extender to be loaded (AddExtender) before the ds* calls.

; Server path
; (Can be obtained programmatically using "LDAP://rootDSE".)
sServerPath = "LDAP://shamrock/"

; Group path goes here.
sGroupPath = StrCat(sServerPath, "CN=Domain Users,CN=Users,DC=jclass,DC=org")

; Get the manager.
sPropertyName = "managedBy"
sManagerPath = dsGetProperty(sGroupPath, sPropertyName)
If sManagerPath == ""
   Message("Error", "Group does not have a manager")
   Exit
EndIf
sManagerPath = StrCat("LDAP://shamrock/", sManagerPath)

; Get manager's SID - can get this from the managedBy property.
objectSid = dsGetProperty(sManagerPath, "objectSID")

; Get GUID of the "member" property.
sSchemaPropPath = StrCat(sServerPath, "member,schema")
sPropGUID = dsGetProperty(sSchemaPropPath, "schemaIDGUID")

; Constants from constants.wbt
ACCESS_ALLOWED = 0
ACCESS_ALLOWED_OBJECT = 5
INHERIT_ACE = 2
INHERIT_ONLY_ACE = 8
OBJECT_TYPE_PRESENT = 1
INHERITED_OBJECT_TYPE_PRESENT = 2
DS_READ_PROP = 16
DS_WRITE_PROP = 32
;ACL_REVISION = 4 ; Appears not to be needed; could be from 1 to 4

; Create a new ACE.
NewAce = dsCreatSecObj(sGroupPath, 3)
dsSetSecProp(NewAce, "Trustee", objectSid)     ; Manager's SID
dsSetSecProp(NewAce, "ObjectType", sPropGUID)  ; member property's schemaIDGUID
dsSetSecProp(NewAce, "AceFlags", INHERIT_ACE)
dsSetSecProp(NewAce, "Flags", OBJECT_TYPE_PRESENT)
dsSetSecProp(NewAce, "AceType", ACCESS_ALLOWED_OBJECT)
dsSetSecProp(NewAce, "AccessMask", DS_WRITE_PROP)

; Get the SD and ACL.
sPropertyName = "ntSecurityDescriptor"
sd = dsGetProperty(sGroupPath, sPropertyName)
acl = dsGetSecProp(sd, "DiscretionaryAcl")

; Add the new ACE.
dsAclAddAce(acl, NewAce, -1)
dsAclOrderAce(acl)
dsSetSecProp(sd, "DiscretionaryAcl", acl)
dsSetProperty(sGroupPath, sPropertyName, sd)
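A read-back check for the over-broad grant described above, as an added example that is not part of the original article or of WinBatch: given the group's security descriptor exported as an SDDL string, it reports whether the manager's write-property ACE is scoped to the member attribute or covers every property. The SDDL strings and the manager SID are constructed sample values, and the function names are hypothetical; the member GUID is the attribute's standard schemaIDGUID.

```python
import re

# Standard schemaIDGUID of the AD "member" attribute.
MEMBER_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"
DS_WRITE_PROP = 0x20        # the DS_WRITE_PROP = 32 constant from the script
GENERIC_WRITE = 0x40000000
GENERIC_ALL = 0x10000000
WRITE_TOKENS = {"WP", "GW", "GA"}  # SDDL rights that include property write

# Constructed sample data (hypothetical manager SID and descriptors).
MANAGER = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SDDL_BROAD = "O:DAG:DAD:AI(A;;RPWPCCDCLCSWRCWDWOGA;;;DA)(OA;CI;WP;;;" + MANAGER + ")"
SDDL_SCOPED = ("O:DAG:DAD:AI(OA;;WP;" + MEMBER_GUID + ";;" + MANAGER + ")"
               "S:(AU;SA;WP;;;WD)")


def grants_write(rights):
    """True if an SDDL rights field (letter pairs or hex mask) allows property writes."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (DS_WRITE_PROP | GENERIC_WRITE | GENERIC_ALL))
    return bool({rights[i:i + 2] for i in range(0, len(rights), 2)} & WRITE_TOKENS)


def write_scope(sddl, trustee_sid):
    """List (ace, scope) for DACL allow ACEs that let trustee_sid write properties."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)  # DACL only, not the SACL
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) < 6:
            continue                      # not a well-formed ACE string
        ace_type, _flags, rights, obj_guid, _inh_guid, sid = fields[:6]
        if sid != trustee_sid or ace_type not in ("A", "OA") or not grants_write(rights):
            continue
        if ace_type == "A" or not obj_guid:
            scope = "all-properties"      # no ObjectType: every property is writable
        elif obj_guid.lower() == MEMBER_GUID:
            scope = "member-only"         # scoped to the member attribute
        else:
            scope = "other-object:" + obj_guid.lower()
        findings.append((ace, scope))
    return findings


if __name__ == "__main__":
    for name, sddl in (("broad", SDDL_BROAD), ("scoped", SDDL_SCOPED)):
        print(name, write_scope(sddl, MANAGER))
```

An ACE reported as "all-properties" for the manager's SID is the outcome the article describes; "member-only" is the narrower grant the question was after.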
Article ID: W16801
File Created: 2010:12:16:11:39:54
Last Updated: 2010:12:16:11:39:54