Hi Dan,
 
You don't have to remove any ACEs to achieve what you want. Full Control corresponds to 13 bits with a value of 1 in AccessMask. You need to use an AccessMask that excludes Delete and Delete Subtree (you didn't mention Delete All Child Objects, but I would exclude that too).
 
So you grant ADS_RIGHT_FULL_CONTROL minus ADS_RIGHT_DELETE minus ADS_RIGHT_DS_DELETE_TREE minus ADS_RIGHT_DS_DELETE_CHILD, or the corresponding numeric hex value E01BD. There is a _vbscript_ :-) sample on http://www.kouti.com/scripts.htm with the name CH11-37 ADSI Add ACEs.vbs.
 
If you want to stick to DSACLS, exclude SD, DT, and DC. Or in practice, you need to grant the remaining ten: RC, WD, WO, LC, CC, WS, WP, RP, CA, and LO.
 
DSACLS syntax uses no commas, so the actual string would be RCWDWOLCCCWSWPRPCALO.
 
Yours, Sakari
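The mask arithmetic from the reply above, worked through as an added example (not code from the thread or from kouti.com): the 13 ADS_RIGHTS_ENUM bits that make up Full Control, the three delete bits cleared to give 0xE01BD, and the same mask rendered as the DSACLS right string. The bit values are the documented ADS_RIGHTS_ENUM constants and the two-letter codes follow the DSACLS help; object-type GUIDs of a real ACE are left out.

```python
"""Access-mask arithmetic for an 'almost full control' AD delegation.
Added example; ADS_RIGHT_* values are the documented ADS_RIGHTS_ENUM bits."""

# (DSACLS letter, ADS_RIGHTS_ENUM name, bit value), in the order used in the reply
RIGHTS = [
    ("RC", "ADS_RIGHT_READ_CONTROL",      0x00020000),
    ("WD", "ADS_RIGHT_WRITE_DAC",         0x00040000),
    ("WO", "ADS_RIGHT_WRITE_OWNER",       0x00080000),
    ("LC", "ADS_RIGHT_ACTRL_DS_LIST",     0x00000004),
    ("CC", "ADS_RIGHT_DS_CREATE_CHILD",   0x00000001),
    ("WS", "ADS_RIGHT_DS_SELF",           0x00000008),
    ("WP", "ADS_RIGHT_DS_WRITE_PROP",     0x00000020),
    ("RP", "ADS_RIGHT_DS_READ_PROP",      0x00000010),
    ("CA", "ADS_RIGHT_DS_CONTROL_ACCESS", 0x00000100),
    ("LO", "ADS_RIGHT_DS_LIST_OBJECT",    0x00000080),
    ("SD", "ADS_RIGHT_DELETE",            0x00010000),
    ("DT", "ADS_RIGHT_DS_DELETE_TREE",    0x00000040),
    ("DC", "ADS_RIGHT_DS_DELETE_CHILD",   0x00000002),
]
BIT_BY_LETTER = {letter: bit for letter, _, bit in RIGHTS}
DELETE_LETTERS = ("SD", "DT", "DC")  # Delete, Delete Subtree, Delete All Child Objects

def full_control_mask() -> int:
    """ADS_RIGHT_FULL_CONTROL: OR of all 13 rights (0xF01FF)."""
    mask = 0
    for _, _, bit in RIGHTS:
        mask |= bit
    return mask

def almost_full_control_mask() -> int:
    """Full Control with the three delete rights cleared (0xE01BD)."""
    mask = full_control_mask()
    for letter in DELETE_LETTERS:
        mask &= ~BIT_BY_LETTER[letter]
    return mask

def dsacls_rights(mask: int) -> str:
    """Render a mask as the DSACLS right string (no separators)."""
    return "".join(letter for letter, _, bit in RIGHTS if mask & bit)

def grants_delete(mask: int) -> bool:
    """Audit helper: does an ACE mask still allow any form of deletion?"""
    return any(mask & BIT_BY_LETTER[l] for l in DELETE_LETTERS)

if __name__ == "__main__":
    print(f"full control : 0x{full_control_mask():X} ({bin(full_control_mask()).count('1')} bits)")
    print(f"minus delete : 0x{almost_full_control_mask():X} -> {dsacls_rights(almost_full_control_mask())}")
```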
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Friday, May 20, 2005 8:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Scripting Delegation Question

I am at the latter stages of a script to ‘pump out’ delegation from a business administrative model description. I’ve had great luck automating DSACLS to drive delegation. Now I’ve hit a wall though and maybe someone can help.

DSACLS won’t let you remove a single permission. It will let you remove all permissions for a security principal; it will let you deny; but it won’t remove an allowed permission.

My goal is to be able to drive a delegation of “almost full control” of users & groups, whereby an admin group can do everything except delete, because we want to provision the deletion process to avoid accidental deletions. I’d like to delegate this as I would in the UI: click “Full Control” then UNCHECK “Delete” and “Delete Subtree”.

Does anyone have any ideas how to script this? I’d prefer not to have to dive into the security descriptor using _vbscript_, but if that’s what it takes I’ll do that, if someone has a sample.

THANKS!

Dan

(BTW: Yes, I’ll be posting this tool for everyone once it’s finished)