Script to list users that don't inherit permissions


  • Script to list users that don't inherit permissions

    Hi,

    I have an issue where there are some user accounts which are not inheriting OU permissions in the domain. This prevents the delegate from performing operations against the user object.
    The main reason they could not perform these operations is that under the user account object's Security tab > Advanced > the 'Allow permissions from parent to propagate to this object and all child objects. Include these entries explicitly defined here.' is not checked. Therefore the delegation settings for the Help Desk are not being applied to that particular user object.
    I don't want to make any changes at present, so I would like to play it safe and only export a list of users which do not have the Inherit permissions check box selected. I can then see how many there are and change them if I need to.
    I was hoping that someone would have a script handy to do this? Is this possible?

    Thank you.

  • #2
    Re: Script to list users that don't inherit permissions

    Here's a sample, http://www.cruto.com/resources/vbscr...er-Account.asp

    Open a DOS box and use a cscript.exe command line to run the script
    (you can use ">" to redirect the output to a txt file instead of showing the results on screen)


    \Rems


    Code:
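    ' Control bit set when the DACL is protected from inherited permissions
    Const SE_DACL_PROTECTED = &H1000

    ' dn of OU
    StartSearchingFrom = "OU=Company Users,dc=domain,dc=local"

    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADSDSOObject"
    conn.Open "ADs Provider"

    ' Run the query through a Command object so paging can be switched on;
    ' without a page size the search stops at the server limit (1000 rows by default)
    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.Properties("Page Size") = 1000
    cmd.CommandText = "<LDAP://" & StartSearchingFrom & ">;(&(objectCategory=person)(objectClass=user));adspath;subtree"

    Set rs = cmd.Execute

    strMessage = "Allow inheritable permissions from the parent to " & _
      "propagate to this object and all child objects "

    On Error Resume Next
    While Not rs.EOF
       ' Clear any earlier error so a failed bind is not mistaken for the previous user
       Err.Clear
       Set objUser = GetObject(rs.Fields(0).Value)
       Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
       intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

       If Err.Number <> 0 Then
         WScript.Echo "Could not read " & rs.Fields(0).Value & ": " & Err.Description & vbNewline
       ElseIf (intNtSecurityDescriptorControl And SE_DACL_PROTECTED) Then
         WScript.Echo objUser.cn, "Permissions Tab" & vbNewline _
         & strMessage & "is disabled." & vbNewline
       End If

       rs.MoveNext
    Wend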

    This posting is provided "AS IS" with no warranties, and confers no rights.

    __________________

    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts
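
A PowerShell take on the same report-only check, added here as an example and not posted by anyone in the thread: it reads the DACL-protected bit straight from the paged search results, without binding to each user, and writes the matches to CSV. The output file name is an assumption, and the OU is the placeholder DN used in the reply above.

```powershell
# Added example, not from the thread. Read-only: nothing in the directory is changed.
$SE_DACL_PROTECTED = 0x1000                              # same control bit the VBScript tests
$searchBase = 'OU=Company Users,dc=domain,dc=local'      # placeholder DN from the thread
$outFile    = '.\users-inheritance-disabled.csv'         # hypothetical output path

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$searchBase")
$searcher.Filter      = '(&(objectCategory=person)(objectClass=user))'
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.PageSize    = 1000   # page through all results instead of stopping at the server limit
# Request only the DACL part of the descriptor; the SACL part needs extra privileges,
# and asking for it can leave the attribute empty for an ordinary account.
$searcher.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
$searcher.PropertiesToLoad.AddRange([string[]]('distinguishedName', 'sAMAccountName', 'ntSecurityDescriptor'))

$report  = New-Object System.Collections.Generic.List[object]
$total   = 0
$results = $searcher.FindAll()
try {
    foreach ($r in $results) {
        $total++
        $state    = $null
        $sdValues = $r.Properties['ntsecuritydescriptor']
        if ($null -eq $sdValues -or $sdValues.Count -eq 0) {
            # Do not silently treat an unreadable descriptor as "inheriting"
            $state = 'Unknown (descriptor not readable)'
        } else {
            $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor([byte[]]$sdValues[0], 0)
            if (([int]$sd.ControlFlags -band $SE_DACL_PROTECTED) -ne 0) { $state = 'Disabled' }
        }
        if ($state) {
            $report.Add([pscustomobject]@{
                SamAccountName    = [string]$r.Properties['samaccountname'][0]
                DistinguishedName = [string]$r.Properties['distinguishedname'][0]
                Inheritance       = $state
            })
        }
    }
} finally {
    $results.Dispose()   # release the unmanaged search handle
}

if ($report.Count -gt 0) {
    $report | Sort-Object DistinguishedName | Export-Csv -Path $outFile -NoTypeInformation
}
Write-Host ("{0} of {1} users flagged; see {2}" -f $report.Count, $total, $outFile)
```

Rows marked Unknown mean the account running the script could not read the descriptor, so those users need a second look rather than being counted as inheriting.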
