Not completely sure how to work around it, but they are different group types. Account Operators are built-in domain local accounts whereas your test group is not.
Curious why you want to apply this to each account vs. each OU if inheritable permissions are in effect? There may be something helpful here to jog the thought process: http://www.microsoft.com/technet/community/scriptcenter/user/scrug128.mspx

-ajm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Friday, July 09, 2004 4:46 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting new ACE into DACL fails with Account Operators

I'm trying to fix up some user accounts that used to be in one of the admin groups protected by AdminSDHolder. Using Robbie's most excellent cookbook, I wrote a script to read a list of users and for each one, do the following:

- set AdminCount to zero
- turn on the "Allow Inheritable Permissions from parent..." checkbox
- grant Account Operators full control

The first two work fine. The last one fails with an error "The Security ID structure is invalid". I tried replacing the string "TADS\Account Operators" with "TADS\Test Group", and that works fine. Is there something that prevents Builtin groups from working here? Also, I have no idea why this works even though the line oSD.DiscretionaryACL = oDACL is commented out.
Here's the applicable snippet of code:

<SNIP>
'### ADSI constants used below (declared here so the snippet runs stand-alone;
'### the echo of Err.Number at the end assumes On Error Resume Next earlier in the script)
Const ADS_RIGHT_GENERIC_ALL            = &H10000000
Const ADS_FLAG_OBJECT_TYPE_PRESENT     = 1
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 5

'### Get Security Descriptor for this user ###
Set oSD = oUser.Get("ntSecurityDescriptor")

'### Get DACL for this Security Descriptor
'### (oDACL is a reference to the DACL object held by oSD, not a copy)
Set oDACL = oSD.DiscretionaryACL

'### Create a new ACE
'### Note: it is declared as an object ACE with the object-type flag set,
'### but no ObjectType GUID is assigned
Set oACE = CreateObject("AccessControlEntry")
oACE.Trustee    = "TADS\Account Operators"
oACE.AccessMask = ADS_RIGHT_GENERIC_ALL
oACE.AceFlags   = 0
oACE.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
oACE.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT

'### Add new ACE to DACL
oDACL.AddAce oACE

'### Replace DACL in Security Descriptor with the updated DACL
'oSD.DiscretionaryACL = oDACL

'### Replace Security Descriptor with the updated SD
oUser.Put "ntSecurityDescriptor", oSD
oUser.SetInfo
WScript.Echo "error is " & Err.Number
</SNIP>

Most of this is lifted from Recipe 13.6 in the Tuna book.

Dave

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
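The full per-user cleanup Dave describes (adminCount to zero, inheritance switched on, Account Operators granted full control), as an added example that is not code from the original post or from the cookbook. It assumes a users.txt file with one distinguishedName per line, and it addresses the group as "BUILTIN\Account Operators" rather than with the domain prefix; that prefix is an assumption in line with the reply's point that Account Operators is a built-in group, not something the thread confirms.

```vbscript
' Added example, not code from the original post: the whole per-user cleanup
' (adminCount to 0, inheritance on, Account Operators full control) in one pass.
Option Explicit
Const ADS_RIGHT_GENERIC_ALL            = &H10000000
Const ADS_ACETYPE_ACCESS_ALLOWED       = 0
Const ADS_SD_CONTROL_SE_DACL_PROTECTED = &H1000
Const USER_LIST = "users.txt"   ' assumed input: one distinguishedName per line
' Assumption: the built-in group is addressed under BUILTIN, not the domain prefix.
Const TRUSTEE   = "BUILTIN\Account Operators"
Dim oFSO, oFile, sDN
Set oFSO  = CreateObject("Scripting.FileSystemObject")
Set oFile = oFSO.OpenTextFile(USER_LIST, 1)
Do Until oFile.AtEndOfStream
    sDN = Trim(oFile.ReadLine)
    If sDN <> "" Then FixUser sDN
Loop
oFile.Close

Sub FixUser(sUserDN)
    Dim oUser, oSD, oDACL, oACE
    On Error Resume Next
    Set oUser = GetObject("LDAP://" & sUserDN)
    If Err.Number <> 0 Then
        WScript.Echo "Bind failed for " & sUserDN & ": 0x" & Hex(Err.Number)
        Err.Clear
        Exit Sub
    End If
    ' 1. adminCount back to zero so the object no longer looks AdminSDHolder-protected
    oUser.Put "adminCount", 0
    ' 2. clear SE_DACL_PROTECTED: this is the "Allow inheritable permissions" checkbox
    Set oSD = oUser.Get("ntSecurityDescriptor")
    oSD.Control = oSD.Control And (Not ADS_SD_CONTROL_SE_DACL_PROTECTED)
    ' 3. a plain allow ACE: no ObjectType GUID, so the non-object ACE type is used
    Set oACE = CreateObject("AccessControlEntry")
    oACE.Trustee    = TRUSTEE
    oACE.AccessMask = ADS_RIGHT_GENERIC_ALL
    oACE.AceType    = ADS_ACETYPE_ACCESS_ALLOWED
    oACE.AceFlags   = 0
    Set oDACL = oSD.DiscretionaryACL
    oDACL.AddAce oACE
    oSD.DiscretionaryACL = oDACL
    oUser.Put "ntSecurityDescriptor", oSD
    oUser.SetInfo
    If Err.Number <> 0 Then
        WScript.Echo "SetInfo failed for " & sUserDN & ": 0x" & Hex(Err.Number)
    Else
        WScript.Echo "Fixed " & sUserDN
    End If
    Err.Clear
End Sub
```

Run it with cscript so the per-user messages go to the console, and check one account in ADSI Edit afterwards before letting it loop over the whole list.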