How to find out if Inheritable Permissions is checked

Guest
Archived from groups: microsoft.public.win2000.active_directory

I am one of several AD admins and I want to run a query to find out how
many AD objects have this box unchecked. I'm trying to tighten security
on a per-OU level but delegation from the top level isn't working
properly because several user/computer/group objects are not inheriting
the changes that I'm making. Any help/tips would be appreciated.
 
Guest

Best thing would be to post this in the scripting newsgroups, as that flag
is buried in the ACL.

--
Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
 
Guest

Paul,

Thanks for pointing me in the right direction. After searching the
scripting newsgroups for just 5 minutes, I already found several
scripting samples.
 
Guest

Hi,

You first have to retrieve the security descriptor and then check the flag:
SE_DACL_PROTECTED = 4096 for the DACL entry
SE_SACL_PROTECTED = 8192 for the SACL entry

Example:
    ' iSD holds the security descriptor retrieved in the first step
    If (iSD.Control And SE_DACL_PROTECTED) = SE_DACL_PROTECTED Then
        IsInheritedACE = False
    End If

If the flags are not checked, it means that the security is inherited.

WinSysBee Support Team
http://www.winsysbee.com
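
The flag check described in the post above, applied to a batch of objects, as an added example that is not part of the original thread. It assumes each object's nTSecurityDescriptor value has already been read as raw self-relative bytes; the DNs, the descriptors and the function names are constructed for illustration.

```python
import struct

# Control-field bits of a Windows security descriptor.
SE_DACL_PRESENT = 0x0004    # standard winnt.h value, not quoted in the thread
SE_DACL_PROTECTED = 0x1000  # 4096, as given in the post
SE_SACL_PROTECTED = 0x2000  # 8192, as given in the post
SE_SELF_RELATIVE = 0x8000   # descriptor is one contiguous byte blob

def sd_control(raw: bytes) -> int:
    """Return the 16-bit Control field of a self-relative security descriptor."""
    if len(raw) < 20:
        raise ValueError("security descriptor header is 20 bytes")
    # Header layout: Revision (1), Sbz1 (1), Control (2, little-endian), 4 offsets.
    revision, _sbz1, control = struct.unpack_from("<BBH", raw, 0)
    if revision != 1:
        raise ValueError(f"unexpected revision {revision}")
    if not control & SE_SELF_RELATIVE:
        raise ValueError("not a self-relative descriptor")
    return control

def inheritance_state(raw: bytes) -> dict:
    """A cleared PROTECTED bit means the ACL inherits from the parent."""
    control = sd_control(raw)
    return {
        "dacl_inherits": not control & SE_DACL_PROTECTED,
        "sacl_inherits": not control & SE_SACL_PROTECTED,
    }

def objects_blocking_inheritance(descriptors: dict) -> list:
    """DNs whose DACL is protected, i.e. the inheritance box is unchecked."""
    return sorted(dn for dn, raw in descriptors.items()
                  if not inheritance_state(raw)["dacl_inherits"])

def _make_sd(control: int) -> bytes:
    # Constructed test input: header only, all owner/group/ACL offsets zero.
    return struct.pack("<BBHIIII", 1, 0, control | SE_SELF_RELATIVE, 0, 0, 0, 0)

SAMPLE = {  # constructed DNs and descriptors
    "CN=Alice,OU=Staff,DC=example,DC=com": _make_sd(SE_DACL_PRESENT),
    "CN=Bob,OU=Staff,DC=example,DC=com": _make_sd(SE_DACL_PRESENT | SE_DACL_PROTECTED),
    "CN=PC01,OU=Workstations,DC=example,DC=com":
        _make_sd(SE_DACL_PRESENT | SE_DACL_PROTECTED | SE_SACL_PROTECTED),
}

if __name__ == "__main__":
    for dn in objects_blocking_inheritance(SAMPLE):
        print(dn)
```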


 
Guest

No problem!

Glad to have helped.

--
Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
 
Guest

That's a good, helpful post!

Thanks to you!

--
Paul Williams

http://www.msresource.net/
http://forums.msresource.net/