
How to programmatically apply access permissions for Windows Server 2003 built-in groups in the Active Directory directory service


INTRODUCTION

Microsoft Windows Server 2003 introduced several built-in groups to simplify administration of access permissions when the domain is in high-security mode.

By default, the built-in groups have the correct access permissions to the appropriate objects in a new installation of a Windows Server 2003 domain. However, in mixed-mode domains and in upgraded domains, some existing access permissions may not be updated. This issue occurs when a Windows Server 2003 domain controller is added to a Windows 2000 domain. This issue also occurs when a Windows 2000 domain is upgraded to a Windows Server 2003 domain.



More Information

The following script demonstrates how to grant read access on the Token-Groups-Global-And-Universal (TGGAU) attribute to "BUILTIN\Windows Authentication Access Group" (well-known SID S-1-5-32-560) by adding an object-specific access-control entry (ACE) to the discretionary ACL of an Active Directory object.

Visual Basic Script Code (Modifyacl.vbs)

On Error Resume Next

const ADS_RIGHT_DS_READ_PROP = &H10
const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
const ADS_ACEFLAG_INHERIT_ACE = &H2
const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
' Token-Groups-Global-And-Universal (schema GUID of the attribute)
const TOKEN_GROUPS_PROPERTY_GUID = "{46a9b11d-60ae-405a-b7e8-ff8a58d456d2}"
' BUILTIN\Windows Authentication Access Group (well-known SID)
const WINDOWS_AUTH_ACCESS_SID = "S-1-5-32-560"

Set oArgs = WScript.Arguments
If oArgs.Count <> 1 Then
    WScript.Echo "Usage: modifyacl.vbs <DN of the object to modify>"
    WScript.Echo "Ex: modifyacl.vbs OU=test,DC=domain,DC=com"
    WScript.Quit(1)
End If

WScript.Echo "Trying to bind to the object " & oArgs(0)
Set oTarget = GetObject("LDAP://" & oArgs(0))

If (Err.Number <> 0) Then
    WScript.Echo "Error 0x" & CStr(Hex(Err.Number)) & " occurred trying to bind to the object"
    ' Nothing below can succeed without a bound object, so stop here.
    WScript.Quit(1)
End If

WScript.Echo "Reading security descriptor"
Set oSD = oTarget.Get("ntSecurityDescriptor")
Set oACL = oSD.DiscretionaryAcl

If (Err.Number <> 0) Then
    WScript.Echo "Error 0x" & CStr(Hex(Err.Number)) & " occurred reading the security descriptor"
    WScript.Quit(1)
End If

WScript.Echo "Creating new ACE and setting properties"
Set oACE = CreateObject("AccessControlEntry")

If (Err.Number <> 0) Then
    WScript.Echo "Error 0x" & CStr(Hex(Err.Number)) & " occurred creating new ACE"
    WScript.Quit(1)
End If

' Right to read a property of the object; ObjectType below narrows it to one attribute
oACE.AccessMask = ADS_RIGHT_DS_READ_PROP
' Object-specific "allow" ACE: the grant applies to the object type or property named in ObjectType
oACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
' Child objects inherit this access-control entry
oACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
' ObjectType carries the GUID of Token-Groups-Global-And-Universal
oACE.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
oACE.ObjectType = TOKEN_GROUPS_PROPERTY_GUID
' BUILTIN\Windows Authentication Access Group
oACE.Trustee = WINDOWS_AUTH_ACCESS_SID

WScript.Echo "Applying the modified security descriptor to the object"
oACL.AddAce oACE
oSD.DiscretionaryAcl = oACL
oTarget.Put "ntSecurityDescriptor", oSD
oTarget.SetInfo

If (Err.Number <> 0) Then
    WScript.Echo "Error 0x" & CStr(Hex(Err.Number)) & " occurred applying modified security descriptor to the object"
    Err.Clear
Else
    WScript.Echo "Done!"
End If
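The same ACE expressed with the .NET System.DirectoryServices classes from PowerShell, as an added example that is not part of the original KB article. It first audits whether an equivalent Allow ACE for S-1-5-32-560 on TGGAU is already present, so re-running it does not stack duplicate entries, and only writes when the -Apply switch (a name chosen for this example) is given.

```powershell
# Audit and (optionally) grant the TGGAU ReadProperty ACE for S-1-5-32-560 on one object.
# Added example: the parameter names are this example's own, not from the KB script.
param(
    [Parameter(Mandatory = $true)][string]$DistinguishedName,
    [switch]$Apply   # without -Apply the script is read-only
)

$tggauGuid = [Guid]'46a9b11d-60ae-405a-b7e8-ff8a58d456d2'   # Token-Groups-Global-And-Universal
$trustee   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-560'
$readProp  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
$acl   = $entry.ObjectSecurity   # ActiveDirectorySecurity view of ntSecurityDescriptor

# Look for an explicit or inherited Allow ACE that already grants ReadProperty on TGGAU to the SID.
$existing = @($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference -eq $trustee -and
        $_.AccessControlType -eq $allow -and
        $_.ObjectType -eq $tggauGuid -and
        (($_.ActiveDirectoryRights -band $readProp) -eq $readProp)
    })

if ($existing.Count -gt 0) {
    Write-Output "ACE already present on $DistinguishedName (inherited: $($existing[0].IsInherited))"
    return
}

Write-Output "ACE missing on $DistinguishedName"
if (-not $Apply) { return }

# Equivalent of the VBScript ACE: object-specific Allow, ReadProperty on TGGAU,
# inherited by child objects (ActiveDirectorySecurityInheritance::All).
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $trustee, $readProp, $allow, $tggauGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
$entry.CommitChanges()
Write-Output "ACE added to $DistinguishedName"
```

Running it without -Apply against the container or OU in question is a quick way to confirm whether an upgraded domain still lacks the grant before changing anything.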



References

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

331951 Some applications and APIs require access to authorization information on account objects



Keywords: kbinfo, kbprogramming, kbscript, kbhowto, kb


Article Info
Article ID : 331947
Revision : 5
Created on : 4/10/2019
Published on : 4/10/2019