Remove explicit permissions from AD Objects

  • Remove explicit permissions from AD Objects

    I have a problem. Microsoft have informed me that an explicit "Allow" overrides an inherited "Deny". This goes against everything I was ever taught - where I was always told that DENY TAKES PRECEDENCE. This presents me with a problem; the Account Operators have explicit Allow permissions on many of our OUs and the DENY was set at the domain level and inherited down. This means that they can rename OUs and often do; which often breaks stuff.

    SO

    I have a plan of action. Here it is.
    • Remove any "Account Operator" permissions relating to OUs at the domain level
    • remove Account Operator permissions relating to OUs from the OU objects themselves
    • check all the OU objects and the domain object for permissions relating to Account Operators and remove any found.
    • Apply an explicit DENY on the domain object to cascade down to OU objects
    • apply an explicit ALLOW on the domain object to cascade down to OU objects (for the operations that Account Ops ARE allowed to do)


    What I'd like is a script to perform the second step for me. I'd like it to remove permissions for a specified group from a specified domain for a specified type of object.

    Thanks


    Tom
    For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

    Anything you say will be misquoted and used against you
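    The precedence problem described in this post, as an added example that is not part of the thread: a small Python model of how Windows orders a DACL (explicit Deny, explicit Allow, inherited Deny, inherited Allow) and evaluates it first-match, using a constructed OU DACL with a Deny inherited from the domain and an explicit Allow on the OU. The flag value 0x10 is the one the thread's script tests; ADS_RIGHT_DS_WRITE_PROP (0x20) stands in for the right that lets the OU be changed.

```python
from dataclasses import dataclass

INHERITED = 0x10   # ADS_ACEFLAG_INHERITED_ACE, the flag DELACES.vbs tests
WRITE_PROP = 0x20  # ADS_RIGHT_DS_WRITE_PROP, stands in here for "may change the OU"

@dataclass
class Ace:
    trustee: str
    allow: bool
    mask: int
    flags: int = 0

    @property
    def inherited(self) -> bool:
        return bool(self.flags & INHERITED)

def canonical_order(dacl):
    # Windows canonical DACL order: explicit Deny, explicit Allow,
    # then inherited Deny, inherited Allow (False sorts before True).
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))

def access_check(dacl, token_sids, requested):
    # First-match evaluation in canonical order: a matching Deny that covers any
    # still-requested bit fails the check; Allows accumulate until every bit is granted.
    remaining = requested
    for ace in canonical_order(dacl):
        if ace.trustee not in token_sids:
            continue
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False

def strip_explicit(dacl, trustee):
    # Per-OU step of the plan above: drop the non-inherited ACEs for the trustee.
    # Build a new list instead of removing entries while enumerating the DACL.
    return [a for a in dacl if a.inherited or a.trustee != trustee]

ACCT_OPS = r"BUILTIN\Account Operators"
# Constructed OU DACL (not real directory data): the Deny inherited from the
# domain object plus an explicit Allow set directly on the OU.
OU_DACL = [
    Ace(ACCT_OPS, allow=False, mask=WRITE_PROP, flags=INHERITED),
    Ace(ACCT_OPS, allow=True, mask=WRITE_PROP),
]

if __name__ == "__main__":
    print("before:", access_check(OU_DACL, {ACCT_OPS}, WRITE_PROP))  # True: explicit Allow wins
    print("after :", access_check(strip_explicit(OU_DACL, ACCT_OPS), {ACCT_OPS}, WRITE_PROP))  # False
```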

  • #2
    Re: Remove explicit permissions from AD Objects

    I can't help with the script, but wanted to put in my two cents for someone to verify:

    AFAIK an explicitly implied permission (Allow or Deny) always overrides any inherited permissions. Correct?



    • #3
      Re: Remove explicit permissions from AD Objects

      Apparently, yes... I was not aware of the inherited ----> explicit hierarchy until yesterday. *wry grin*


      Tom



      • #4
        Re: Remove explicit permissions from AD Objects

        OK guys - here is a script written by one of our Windows Implementation Specialists; please do not use it without including the ownership information at the top.

        USAGE:

        CSCRIPT DELACES.VBS /DOM:<df> /USER:<un>

        <df> is the FQDN of an AD Domain: e.g. test.domain.local
        <un> is the name and domain of a user or group object which has permissions explicitly defined on an OU - e.g. "BUILTIN\Account Operators" or "test\Administrator"

        The script will STRIP the EXPLICIT permissions ONLY from Organisational Unit objects for the user or group specified within the domain specified. It will NOT strip permissions from the domain object, only from OUs and sub-OUs.

        Thank you.

        Code:
        '  #################################################
        '
        '  Script written by Nick Barber of E.ON IS UK using various code segments
        '  from various sources.  Please leave this text in if using this script.
        '
        '  #################################################
        '
        '  Usage: cscript DELACES.vbs /DOM:<domain FQDN> /USER:<DOMAIN\account>
        '  Removes the non-inherited (explicit) ACEs held by the named trustee from
        '  every organizationalUnit in the domain. The domain object itself is not touched.

        Option Explicit

        Dim logPath, args, DomainName, AccountName, Result
        Set args = WScript.Arguments.Named
        DomainName = Trim(args.Item("DOM"))
        AccountName = Trim(args.Item("USER"))
        logPath = getLogPath()

        '>>>>>> Check arguments - should be 2 args: /DOM and /USER
        If Not (args.Exists("DOM") And args.Exists("USER")) Then
            Call usage()
            WScript.Quit 1
        ElseIf DomainName = "" Or AccountName = "" Then
            Call usage()
            WScript.Quit 1
        End If

        writetoOULog "Script will operate on user specified domain: " & DomainName
        writetoOULog "Script will remove ACEs for user specified account: " & AccountName

        '>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        ' Pop up a message box to warn of the consequences of running this script
        Result = MsgBox("This script will remove all non-inherited (explicit) ACEs for " & AccountName & _
            " from all OUs in the " & DomainName & " domain." & vbCrLf & vbCrLf & _
            "Are you really, really sure you want to continue?", vbYesNo + vbExclamation, _
            "Warning - Danger of AD corruption")
        If Result = vbNo Then
            writetoOULog "Script cancelled by user."
            WScript.Quit 999
        End If

        ' Uncomment the line below to test without touching the AD
        ' WScript.Quit 0

        '>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
        ' This is where the work gets done
        Call treewalkOUs(getLDAP(DomainName), AccountName)
        '<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

        ' Normal exit
        WScript.Quit 0

        '===================================================================
        ' Build the domain's distinguished name from its FQDN,
        ' e.g. test.domain.local -> DC=test,DC=domain,DC=local
        Function getLDAP(fqdn)
            Dim parts, i, dn
            parts = Split(fqdn, ".")
            dn = ""
            For i = 0 To UBound(parts)
                dn = dn & "DC=" & parts(i) & ","
            Next
            dn = Left(dn, Len(dn) - 1)  ' drop the trailing comma
            writetoOULog "LDAP string = " & dn
            getLDAP = dn
        End Function

        '===================================================================
        ' Bind to the domain object and walk every OU beneath it
        Sub treewalkOUs(domainDN, trustee)
            Dim objDomain
            writetoOULog "Starting script at: " & Date & " " & Time
            Set objDomain = GetObject("LDAP://" & domainDN)
            getOUs objDomain, trustee
            Set objDomain = Nothing
            writetoOULog "Ending script at: " & Date & " " & Time
        End Sub

        '===================================================================
        ' Strip the trustee's explicit ACEs from each OU in container, then recurse
        Sub getOUs(container, trustee)
            Const ADS_ACEFLAG_INHERITED_ACE = &H10 ' 16
            Dim objOU, objSD, objDACL, objACE, toRemove, i
            For Each objOU In container
                If objOU.Class = "organizationalUnit" Then
                    writetoOULog objOU.distinguishedName
                    Set objSD = objOU.Get("ntSecurityDescriptor")
                    Set objDACL = objSD.DiscretionaryAcl

                    ' Collect the matching ACEs first: removing entries from the DACL
                    ' while enumerating it can skip the ACE that follows each removal.
                    toRemove = Array()
                    For Each objACE In objDACL
                        If (objACE.AceFlags And ADS_ACEFLAG_INHERITED_ACE) = 0 Then ' non-inherited ACEs only!
                            ' Trustee names are compared case-insensitively, e.g. "CORP\Account Operators"
                            If StrComp(objACE.Trustee, trustee, vbTextCompare) = 0 Then
                                ReDim Preserve toRemove(UBound(toRemove) + 1)
                                Set toRemove(UBound(toRemove)) = objACE
                            End If
                        End If
                    Next

                    ' Only write the security descriptor back when something changed
                    If UBound(toRemove) >= 0 Then
                        For i = 0 To UBound(toRemove)
                            writetoOULog objOU.distinguishedName & "," & trustee & " non-inherited (explicit) ACE found, removing it."
                            objDACL.RemoveAce toRemove(i)
                        Next
                        objSD.DiscretionaryAcl = objDACL
                        objOU.Put "ntSecurityDescriptor", Array(objSD)
                        objOU.SetInfo
                    End If

                    ' Now do all child OUs from this OU
                    getOUs objOU, trustee
                End If
            Next
        End Sub

        '===================================================================
        ' Append a line to OU_Log.txt next to the script and echo it to the screen
        Sub writetoOULog(msg)
            Dim FSO, logFile
            Set FSO = CreateObject("Scripting.FileSystemObject")
            ' 8 = ForAppending; True = create the file if it does not exist yet
            Set logFile = FSO.OpenTextFile(logPath & "\OU_Log.txt", 8, True)
            logFile.WriteLine msg
            logFile.Close

            ' Echo to screen as well
            WScript.Echo msg

            Set logFile = Nothing
            Set FSO = Nothing
        End Sub

        '===================================================================
        ' Folder the script lives in (no trailing backslash)
        Function getLogPath()
            Dim FSO
            Set FSO = CreateObject("Scripting.FileSystemObject")
            getLogPath = FSO.GetParentFolderName(WScript.ScriptFullName)
            Set FSO = Nothing
        End Function

        '===================================================================
        Sub usage()
            WScript.Echo "Script Usage: cscript DELACES.vbs /DOM:<domain> /USER:<username>"
            WScript.Echo vbTab & "e.g. cscript DELACES.vbs /DOM:corp.pg.eon.net /USER:""Corp\Account Operators"""
        End Sub


        Tom



        • #5
          Re: Remove explicit permissions from AD Objects

          Originally posted by Stonelaughter:
          OK guys - here is a script written by one of our Windows Implementation Specialists;
          please do not use it without including the ownership information at the top.
          Tom, that is a nice script!

          Thank you for updating the thread.

          \Rems

          This posting is provided "AS IS" with no warranties, and confers no rights.


          ** Remember to give credit where credit's due **
          and leave Reputation Points for meaningful posts



          • #6
            Re: Remove explicit permissions from AD Objects

            Thanks Rems I'll pass on your compliments to Nick


            Tom
