RE: [ActiveDir] Scripting ACEs

2003-08-16 Thread Joe
The way ACE's work you should have two ACE's either way, it is simply
how the GUI is interpreting. If you look at the ACE and ACL structures
in MSDN you will see that each ace can only have a single Principal,
access type, and attribute specified. More than likely the way the ACE's
are being ordered when the GUI does it matches a profile it sets up for
decoding them. If you do it from the GUI and then dump from a script you
should be able to duplicate the ordering if that is what you would like
to do. I believe I posted a Perl script to ms.public.adsi.general once
or twice that will dump out the ACE's for the ACL of an object
specifically to help determine the ACE's and ordering put together by
the GUI. Google that group for it if you want it, otherwise you can send
me a separate email and I will try to go dig it up at some point for
you. I am in a bit of disarray right now as we just went through the
power outage plus I am in the middle of moving and at work am buried in
E2K "stuff". I don't know where anything is right now. :op

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, August 14, 2003 12:44 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Scripting ACEs


I'm seeing a discrepancy between setting ACEs through the GUI (Security
tab on an object) and setting them through a script. If I go into the
Security Tab on an OU and set a Deny ACE for some global group on
"Change Password" and "Reset Password" for User objects, I end up with a
single Deny ACE for those two operations. However, if I script it, I
seem to end up with two Deny ACEs, one for "Change Password" and a
second, separate one for "Reset Password."

I'm only setting a single objectType on the scripted ACE at this point,
and having to repeat that code to set the second objectType. Is there a
way to specify multiple objectTypes, or am I stuck with a larger DACL if
I script the ACEs?

Thanks,
Hunter
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
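
The point made in the reply above, that an object ACE holds one trustee, one access mask and one objectType, as an added example (not code from either poster, and not the Perl script mentioned): it builds and parses two ACCESS_DENIED_OBJECT_ACE byte strings following the documented layout. The group SID and inheritance flags are constructed for illustration, and `group_for_display` is a hypothetical sketch of how a viewer could fold the two ACEs into one row, not the Security tab's actual logic.

```python
import struct
import uuid
from collections import defaultdict

ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100   # access mask bit for extended rights
OBJ_PRESENT, INH_PRESENT = 0x1, 0x2   # ACE_[INHERITED_]OBJECT_TYPE_PRESENT
RIGHTS = {  # control access right GUIDs (rightsGuid values in AD)
    uuid.UUID("ab721a53-1e2f-11d0-9819-00aa0040529b"): "Change Password",
    uuid.UUID("00299570-246d-11d0-a768-00aa006e0529"): "Reset Password",
}
USER_CLASS = uuid.UUID("bf967aba-0de6-11d0-a285-00aa003049e2")  # schemaIDGUID of user

def pack_sid(sid):
    parts = sid.split("-")                      # ["S", rev, authority, sub...]
    subs = [int(p) for p in parts[3:]]
    head = struct.pack("BB", int(parts[1]), len(subs)) + int(parts[2]).to_bytes(6, "big")
    return head + struct.pack("<%dI" % len(subs), *subs)

def unpack_sid(raw):
    subs = struct.unpack_from("<%dI" % raw[1], raw, 8)
    auth = int.from_bytes(raw[2:8], "big")
    return "S-%d-%d" % (raw[0], auth) + "".join("-%d" % s for s in subs)

def build_deny_object_ace(sid, right, inherited_type, ace_flags=0x0A):
    # 0x0A = CONTAINER_INHERIT_ACE | INHERIT_ONLY_ACE (assumed for this example)
    tail = right.bytes_le + inherited_type.bytes_le + pack_sid(sid)
    return struct.pack("<BBHII", ACCESS_DENIED_OBJECT_ACE_TYPE, ace_flags, 12 + len(tail),
                       ADS_RIGHT_DS_CONTROL_ACCESS, OBJ_PRESENT | INH_PRESENT) + tail

def parse_object_ace(raw):
    ace_type, ace_flags, size, mask, flags = struct.unpack_from("<BBHII", raw, 0)
    off, obj, inh = 12, None, None
    if flags & OBJ_PRESENT:                     # exactly one ObjectType slot per ACE
        obj, off = uuid.UUID(bytes_le=raw[off:off + 16]), off + 16
    if flags & INH_PRESENT:
        inh, off = uuid.UUID(bytes_le=raw[off:off + 16]), off + 16
    return {"type": ace_type, "flags": ace_flags, "mask": mask, "object_type": obj,
            "inherited_type": inh, "sid": unpack_sid(raw[off:size])}

def group_for_display(aces):
    # Hypothetical viewer logic: ACEs differing only in ObjectType share one row.
    groups = defaultdict(list)
    for a in aces:
        key = (a["type"], a["flags"], a["sid"], a["inherited_type"])
        groups[key].append(RIGHTS.get(a["object_type"], str(a["object_type"])))
    return dict(groups)

GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed sample
DACL_ACES = [build_deny_object_ace(GROUP_SID, r, USER_CLASS) for r in RIGHTS]
```

Parsing `DACL_ACES` yields two 72-byte ACEs that differ only in their ObjectType GUID, while `group_for_display` returns a single entry listing both rights.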



[ActiveDir] Scripting ACEs

2003-08-14 Thread Coleman, Hunter
I'm seeing a discrepancy between setting ACEs through the GUI (Security tab
on an object) and setting them through a script. If I go into the Security
Tab on an OU and set a Deny ACE for some global group on "Change Password"
and "Reset Password" for User objects, I end up with a single Deny ACE for
those two operations. However, if I script it, I seem to end up with two
Deny ACEs, one for "Change Password" and a second, separate one for "Reset
Password."

I'm only setting a single objectType on the scripted ACE at this point, and
having to repeat that code to set the second objectType. Is there a way to
specify multiple objectTypes, or am I stuck with a larger DACL if I script
the ACEs?

Thanks,
Hunter