removeDACL_Customers_With_LDAPGroupAdd.vbs


This script is for administrative use only: it requires Domain Admin rights, or administrative rights over the customer's root OU and every object beneath it, because it creates a security group, grants that group read access on the customer OU, and then rewrites the DACL of every user, group and sub-OU in that tree. Check the company name you enter carefully, since it is spliced directly into the distinguished names the script binds to.
-------------------------------------------------------------------------------------
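Option Explicit
' Script-level "Resume Next" keeps a failed directory call from popping a
' dialog; every write below is followed by an explicit Err check (CheckStep /
' AddMember) so a failure is reported - and a prerequisite failure aborts -
' instead of a success message being printed regardless of the outcome.
On Error Resume Next
 
Dim oCompany
Dim objOU,objSubOU,objUser,objGroup,objLDAPGroup,objParent,objChild,objObject,objSD,objDACL,objACE,objNewACE,objSecDesc
Dim strNewUser,strNewUserLong,strNewGroup,strNewGroupLong,strLDAPGroupLong
Dim strCompanyOU,strSecGroupsOU,strWinGroupsOU,strUnixGroupsOU,strLdapGroupPath
 
Const ADS_PROPERTY_CLEAR = 1
Const ADS_PROPERTY_UPDATE = 2
Const ADS_PROPERTY_APPEND = 3
Const ADS_PROPERTY_DELETE = 4
Const ADS_GROUP_TYPE_UNIVERSAL_GROUP = &h8
Const ADS_GROUP_TYPE_SECURITY_ENABLED = &H80000000
 
' GENERIC_READ in an ADSI access mask: the trustee can read the object and
' its properties, but not write, delete or change its security.
Const READ_ONLY = &H80000000
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
' ADS_FLAGTYPE value kept for compatibility; it is NOT an AceFlags value
' (it only happens to share the value 2 with ADS_ACEFLAG_INHERIT_ACE).
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = 2
' CONTAINER_INHERIT_ACE: child objects of the OU inherit the ACE.
Const ADS_ACEFLAG_INHERIT_ACE = 2
 
Const RootDomain = "DC=cust,DC=corp,DC=opsource,DC=net"
Const CustOU = "OU=Customers,DC=cust,DC=corp,DC=opsource,DC=net"
Const NisDomain = "cust"
Const DList = "domainadmin@latheef.net"
Const oUname = "ldapuser"
Const provider = "LDAP://"
Const secGroup= "OU=Security Groups"
 
'Reads in user input for the Company Name
 
Wscript.Echo " "
Wscript.StdOut.Write "Please enter in the Company Name: "
oCompany = Wscript.StdIn.ReadLine
oCompany = replace(oCompany, " ","")
 
' The name is spliced into distinguished names and a sAMAccountName below,
' so refuse an empty name or one holding a character that could change the
' DN structure or is invalid in a sAMAccountName.
If Len(oCompany) = 0 Then
  Wscript.Echo "No Company Name given; nothing done."
  Wscript.Quit 1
End If
If HasUnsafeNameChars(oCompany) Then
  Wscript.Echo "Company Name contains a character not allowed in a DN / account name: " & oCompany
  Wscript.Quit 1
End If
 
' Paths used by every bind below, built once from the validated name.
strCompanyOU = "OU=" & oCompany & "," & CustOU
strSecGroupsOU = "OU=Security Groups," & strCompanyOU
strWinGroupsOU = "OU=Windows," & strSecGroupsOU
strUnixGroupsOU = "OU=UNIX_LINUX," & strSecGroupsOU
 
'Create Windows Based LDAP group (reused if it already exists, so the
'script can be re-run for a customer)
 
strNewGroup = oCompany & "_LDAP_Access"
strNewGroupLong = "CN=" & strNewGroup
strLdapGroupPath = strNewGroupLong & "," & strSecGroupsOU
Err.Clear
Set objGroup = GetObject(provider & strLdapGroupPath)
If Err.Number = 0 Then
  Wscript.Echo "Windows Security Group already exists, reusing: " & strNewGroup
Else
  Err.Clear
  Set objOU = GetObject(provider & strSecGroupsOU)
  CheckStep "Bind to " & strSecGroupsOU, True
  Set objGroup = objOU.Create("Group",strNewGroupLong)
  objGroup.Put "sAMAccountName", strNewGroup
  ' Universal security group, so it can be nested into OpSource_LDAP_Access below.
  objGroup.Put "groupType", ADS_GROUP_TYPE_UNIVERSAL_GROUP or ADS_GROUP_TYPE_SECURITY_ENABLED
  objGroup.setInfo
  CheckStep "Create group " & strNewGroup, True
  Wscript.Echo "Windows Security Group Created: " & strNewGroup
End If
 
' Add new LDAP group to customer OU for ACL Access: an inheritable
' allow-read ACE on the customer OU.
' NOTE(review): re-running the script appends a second identical ACE; the
' DACL is not checked for an existing one.
 
Set objNewACE = CreateObject("AccessControlEntry")
' "CUST" is the NetBIOS name of the domain in RootDomain.
objNewACE.Trustee = "CUST\" & oCompany & "_LDAP_Access"
objNewACE.AccessMask = READ_ONLY
objNewACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
objNewACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
Err.Clear
Set objObject = GetObject(provider & strCompanyOU)
Set objSecDesc = objObject.Get("ntSecurityDescriptor")
Set objDACL = objSecDesc.DiscretionaryAcl
objDACL.AddAce objNewACE
objSecDesc.DiscretionaryAcl = objDACL
objObject.Put "ntSecurityDescriptor", Array(objSecDesc)
objObject.SetInfo
CheckStep "Grant read on " & strCompanyOU & " to " & strNewGroup, True
Wscript.Echo "New LDAP Security Group Added to Customer OU"
 
'Add the "Windows" groups to new customer's LDAP_Access group
 
AddMember "CN=" & oCompany & " Admins," & strWinGroupsOU, strLdapGroupPath
AddMember "CN=" & oCompany & " Users," & strWinGroupsOU, strLdapGroupPath
 
'Add the "UNIX/LINUX" groups to new customer's LDAP_Access group
 
AddMember "CN=" & oCompany & "," & strUnixGroupsOU, strLdapGroupPath
AddMember "CN=" & oCompany & "_sudo," & strUnixGroupsOU, strLdapGroupPath
 
'Add the new customer's LDAP_Access group to the OpSource LDAP_Access Group
 
If AddMember(strLdapGroupPath, "CN=OpSource_LDAP_Access,OU=Restricted,OU=Security Groups,OU=OpSource," & RootDomain) Then
  Wscript.Echo "Customer LDAP Group Added to OpSource_LDAP_Access group"
End If
 
' This section enumerates all users in the specified customer's OU
 
' Specify the OU/Container.
Err.Clear
Set objOU = GetObject(provider & strCompanyOU)
CheckStep "Bind to " & strCompanyOU, True
 
Call SetDaclUser(objOU)
 
' Returns True when strName holds a character that is special in an LDAP DN
' component (RFC 4514: , = + < > # ; \ ") or invalid in a sAMAccountName
' (/ [ ] : | * ?), or a control character.
Function HasUnsafeNameChars(strName)
  Dim i, ch
  HasUnsafeNameChars = False
  For i = 1 To Len(strName)
    ch = Mid(strName, i, 1)
    If InStr(",=+<>#;\""/[]:|*?", ch) > 0 Or AscW(ch) < 32 Then
      HasUnsafeNameChars = True
      Exit Function
    End If
  Next
End Function
 
' Reports the outcome of the directory operation that ran just before the
' call. strStep names the step for the message; when blnFatal is True a
' failure ends the script so later steps do not run against a half-built
' customer. Err is cleared so the next step starts clean.
Sub CheckStep(strStep, blnFatal)
  If Err.Number = 0 Then Exit Sub
  Wscript.Echo "FAILED: " & strStep & " - " & Hex(Err.Number) & " " & Err.Description
  Err.Clear
  If blnFatal Then Wscript.Quit 1
End Sub
 
' Adds the object at DN strMemberPath to the group at DN strGroupPath.
' Returns True on success. A failure (object not found, no rights, already
' a member ...) is echoed and False returned, so the remaining memberships
' are still attempted. Errors are handled inside this procedure so that one
' failed bind cannot abort the caller's statement run.
Function AddMember(strMemberPath, strGroupPath)
  Dim objMember, objTarget
  On Error Resume Next
  Err.Clear
  Set objMember = GetObject(provider & strMemberPath)
  Set objTarget = GetObject(provider & strGroupPath)
  If Err.Number = 0 Then objTarget.Add objMember.ADsPath
  AddMember = (Err.Number = 0)
  If Err.Number <> 0 Then
    Wscript.Echo "FAILED: add " & strMemberPath & " to " & strGroupPath & " - " & Hex(Err.Number) & " " & Err.Description
    Err.Clear
  End If
End Function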
 
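' Strips the broad default read ACEs (Authenticated Users, Pre-Windows 2000
' Compatible Access, Print Operators) from every user object under objParent,
' recursing into child OUs and containers.
'
' objParent: ADSI container object (the customer OU or one of its children).
'
' The ACEs to drop are collected first and removed afterwards: removing
' entries from the ACL while For Each is still walking it can skip the entry
' that follows a removed one. Errors are handled per object so one
' unreadable user does not abort the walk of the rest of the tree.
' NOTE(review): RemoveAce only removes explicit ACEs - inherited ones are
' re-applied by the directory on write - and the trustee is matched by its
' resolved name, so an ACE whose SID does not resolve is left untouched.
Sub SetDaclUser(objParent)
  Dim objUser, objSD, objDACL, objACE, objChild
  Dim aRemove(), nRemove, i
 
  On Error Resume Next
 
  ' Filter on objects of class user.
  objParent.Filter = Array("user")
 
  ' Enumerate user objects.
  For Each objUser In objParent
    Err.Clear
    Set objSD = objUser.Get("ntSecurityDescriptor")
    Set objDACL = objSD.DiscretionaryACL
    If Err.Number <> 0 Then
      Wscript.Echo "FAILED: read DACL of " & objUser.ADsPath & " - " & Hex(Err.Number) & " " & Err.Description
      Err.Clear
    Else
      ' Pass 1: collect the ACEs to drop without touching the ACL.
      nRemove = 0
      For Each objACE in objDACL
        Select Case objACE.Trustee
          Case "NT AUTHORITY\Authenticated Users", "BUILTIN\Pre-Windows 2000 Compatible Access", "BUILTIN\Print Operators"
            ReDim Preserve aRemove(nRemove)
            Set aRemove(nRemove) = objACE
            nRemove = nRemove + 1
        End Select
      Next
 
      ' Pass 2: remove them and write the descriptor back only if it changed.
      If nRemove > 0 Then
        For i = 0 To nRemove - 1
          objDACL.RemoveAce aRemove(i)
        Next
        objSD.DiscretionaryAcl = objDACL
        objUser.Put "ntSecurityDescriptor", Array(objSD)
        objUser.SetInfo
        If Err.Number <> 0 Then
          Wscript.Echo "FAILED: update DACL of " & objUser.ADsPath & " - " & Hex(Err.Number) & " " & Err.Description
          Err.Clear
        End If
        'WScript.Echo "Modified the user object: " & objUser
      End If
    End If
  Next
 
  ' Filter on child OU's/Containers.
  objParent.Filter = Array("container", "organizationalUnit")
  For Each objChild In objParent
    ' Call this subroutine recursively for each child container/OU.
    Call SetDaclUser(objChild)
  Next
 
End Sub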
 
 
' This section enumerates all groups in the specified customer's OU.
 
' Bind to the customer's OU (the same container the user pass walked).
Set objOU = GetObject(provider & "OU=" & oCompany & "," & CustOU)
 
SetDaclGroup objOU
 
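' Strips the broad default read ACEs (Authenticated Users, Pre-Windows 2000
' Compatible Access, Print Operators) from every group object under
' objParent, recursing into child OUs and containers.
'
' objParent: ADSI container object (the customer OU or one of its children).
'
' The ACEs to drop are collected first and removed afterwards: removing
' entries from the ACL while For Each is still walking it can skip the entry
' that follows a removed one. Errors are handled per object so one
' unreadable group does not abort the walk of the rest of the tree.
' NOTE(review): RemoveAce only removes explicit ACEs - inherited ones are
' re-applied by the directory on write - and the trustee is matched by its
' resolved name, so an ACE whose SID does not resolve is left untouched.
Sub SetDaclGroup(objParent)
  Dim objGroup, objSD, objDACL, objACE, objChild
  Dim aRemove(), nRemove, i
 
  On Error Resume Next
 
  ' Filter on objects of class group.
  objParent.Filter = Array("group")
 
  ' Enumerate group objects.
  For Each objGroup In objParent
    Err.Clear
    Set objSD = objGroup.Get("ntSecurityDescriptor")
    Set objDACL = objSD.DiscretionaryACL
    If Err.Number <> 0 Then
      Wscript.Echo "FAILED: read DACL of " & objGroup.ADsPath & " - " & Hex(Err.Number) & " " & Err.Description
      Err.Clear
    Else
      ' Pass 1: collect the ACEs to drop without touching the ACL.
      nRemove = 0
      For Each objACE in objDACL
        Select Case objACE.Trustee
          Case "NT AUTHORITY\Authenticated Users", "BUILTIN\Pre-Windows 2000 Compatible Access", "BUILTIN\Print Operators"
            ReDim Preserve aRemove(nRemove)
            Set aRemove(nRemove) = objACE
            nRemove = nRemove + 1
        End Select
      Next
 
      ' Pass 2: remove them and write the descriptor back only if it changed.
      If nRemove > 0 Then
        For i = 0 To nRemove - 1
          objDACL.RemoveAce aRemove(i)
        Next
        objSD.DiscretionaryAcl = objDACL
        objGroup.Put "ntSecurityDescriptor", Array(objSD)
        objGroup.SetInfo
        If Err.Number <> 0 Then
          Wscript.Echo "FAILED: update DACL of " & objGroup.ADsPath & " - " & Hex(Err.Number) & " " & Err.Description
          Err.Clear
        End If
        'WScript.Echo "Modified the group object: " & objGroup
      End If
    End If
  Next
 
  ' Filter on child OU's/Containers.
  objParent.Filter = Array("container", "organizationalUnit")
  For Each objChild In objParent
    ' Call this subroutine recursively for each child container/OU.
    Call SetDaclGroup(objChild)
  Next
 
End Sub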
 
 
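' This section strips the broad default read ACEs (Authenticated Users,
' Pre-Windows 2000 Compatible Access, Print Operators) from the customer's
' OU itself, then walks its sub-OUs (SetDaclOU). The inheritable read ACE
' granted earlier to the customer's *_LDAP_Access group is left in place.
' The ACEs to drop are collected first and removed afterwards, because
' removing entries from the ACL while For Each is walking it can skip the
' entry that follows a removed one.
 
Dim aOuRemove(), nOuRemove, iOu
 
' Specify the OU/Container; without it there is nothing to lock down.
Err.Clear
Set objOU = GetObject(provider & "OU=" & oCompany & "," & CustOU)
If Err.Number <> 0 Then
  Wscript.Echo "FAILED: bind to OU=" & oCompany & "," & CustOU & " - " & Hex(Err.Number) & " " & Err.Description
  Wscript.Quit 1
End If
 
Err.Clear
Set objSD = objOU.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryACL
If Err.Number <> 0 Then
  Wscript.Echo "FAILED: read DACL of " & objOU.ADsPath & " - " & Hex(Err.Number) & " " & Err.Description
  Wscript.Quit 1
End If
 
' Pass 1: collect the ACEs to drop without touching the ACL.
nOuRemove = 0
For Each objACE in objDACL
  Select Case objACE.Trustee
    Case "NT AUTHORITY\Authenticated Users", "BUILTIN\Pre-Windows 2000 Compatible Access", "BUILTIN\Print Operators"
      ReDim Preserve aOuRemove(nOuRemove)
      Set aOuRemove(nOuRemove) = objACE
      nOuRemove = nOuRemove + 1
  End Select
Next
 
' Pass 2: remove them and write the descriptor back only if it changed.
' A failed write is reported but the sub-OU pass still runs.
If nOuRemove > 0 Then
  For iOu = 0 To nOuRemove - 1
    objDACL.RemoveAce aOuRemove(iOu)
  Next
  objSD.DiscretionaryAcl = objDACL
  objOU.Put "ntSecurityDescriptor", Array(objSD)
  objOU.SetInfo
  If Err.Number <> 0 Then
    Wscript.Echo "FAILED: update DACL of " & objOU.ADsPath & " - " & Hex(Err.Number) & " " & Err.Description
    Err.Clear
  End If
  'WScript.Echo "Modified the OU object: " & objOU
End If
 
Call SetDaclOU(objOU)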
 
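' Strips the broad default read ACEs (Authenticated Users, Pre-Windows 2000
' Compatible Access, Print Operators) from every organizationalUnit directly
' under objParent, then recurses into child OUs and containers. Note that
' plain containers are walked but their own DACL is not changed.
'
' objParent: ADSI container object (the customer OU or one of its children).
'
' The ACEs to drop are collected first and removed afterwards: removing
' entries from the ACL while For Each is still walking it can skip the entry
' that follows a removed one. Errors are handled per object so one
' unreadable OU does not abort the walk of the rest of the tree.
' NOTE(review): RemoveAce only removes explicit ACEs - inherited ones are
' re-applied by the directory on write - and the trustee is matched by its
' resolved name, so an ACE whose SID does not resolve is left untouched.
Sub SetDaclOU(objParent)
  Dim objSubOU, objSD, objDACL, objACE, objChild
  Dim aRemove(), nRemove, i
 
  On Error Resume Next
 
  ' Filter on objects of class organizationalUnit.
  objParent.Filter = Array("organizationalUnit")
 
  ' Enumerate the child OUs.
  For Each objSubOU In objParent
    Err.Clear
    Set objSD = objSubOU.Get("ntSecurityDescriptor")
    Set objDACL = objSD.DiscretionaryACL
    If Err.Number <> 0 Then
      Wscript.Echo "FAILED: read DACL of " & objSubOU.ADsPath & " - " & Hex(Err.Number) & " " & Err.Description
      Err.Clear
    Else
      ' Pass 1: collect the ACEs to drop without touching the ACL.
      nRemove = 0
      For Each objACE in objDACL
        Select Case objACE.Trustee
          Case "NT AUTHORITY\Authenticated Users", "BUILTIN\Pre-Windows 2000 Compatible Access", "BUILTIN\Print Operators"
            ReDim Preserve aRemove(nRemove)
            Set aRemove(nRemove) = objACE
            nRemove = nRemove + 1
        End Select
      Next
 
      ' Pass 2: remove them and write the descriptor back only if it changed.
      If nRemove > 0 Then
        For i = 0 To nRemove - 1
          objDACL.RemoveAce aRemove(i)
        Next
        objSD.DiscretionaryAcl = objDACL
        objSubOU.Put "ntSecurityDescriptor", Array(objSD)
        objSubOU.SetInfo
        If Err.Number <> 0 Then
          Wscript.Echo "FAILED: update DACL of " & objSubOU.ADsPath & " - " & Hex(Err.Number) & " " & Err.Description
          Err.Clear
        End If
        'WScript.Echo "Modified the OU object: " & objSubOU
      End If
    End If
  Next
 
  ' Filter on child OU's/Containers.
  objParent.Filter = Array("container", "organizationalUnit")
  For Each objChild In objParent
    ' Call this subroutine recursively for each child container/OU.
    Call SetDaclOU(objChild)
  Next
 
End Sub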
