VBScript to manage receive-as A permission
There are lots of variations of this script on forums; I've tried to make this one cleaner and easier to integrate into other scripting/cmd tools:
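' receiveas.vbs - add or remove an allow/deny ACE for the "Receive-As"
' extended right on an Active Directory object.
'
' Usage:
'   cscript receiveas.vbs <objectDN> <trustee> <allow|deny> <add|remove>
' Example:
'   cscript receiveas.vbs "CN=t4e_user,CN=users,DC=t4evmdemo,DC=local" "T4EVMDEMO\HelpdeskA" deny remove
'
' Arguments:
'   0  distinguished name of the object whose DACL is edited
'      e.g. CN=testuser,CN=Users,DC=t4evmdemo,DC=local
'   1  trustee the ACE applies to, e.g. T4EVMDEMO\helpdeskuser
'      (DOMAIN\account; the backslash was lost in the original listing)
'   2  allow | deny
'   3  add | remove
'
' Exit codes: 0 = descriptor written, 1 = bad arguments,
'             2 = could not read the object, 3 = could not write it.
'
' The script rewrites the object's security descriptor, so the account
' running it needs permission to modify it. Receive-As is a sensitive right;
' restrict who may run this and keep the echoed result line in your job log.
Option Explicit

Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
' rightsGuid of the Receive-As extended right.
Const RECEIVE_AS_GUID = "{ab721a56-1e2f-11d0-9819-00aa0040529b}"

Dim strUser, strPermissionUser, strPermission, strPermissionOperation
Dim objSdUtil, objSD, objDACL, objAce

' Fail with a usage message instead of a "subscript out of range" runtime
' error when the script is called with too few arguments.
If WScript.Arguments.Count < 4 Then
    WScript.Echo "Usage: cscript receiveas.vbs <objectDN> <trustee> <allow|deny> <add|remove>"
    WScript.Quit 1
End If

strUser = WScript.Arguments(0)
strPermissionUser = WScript.Arguments(1)
' Select Case compares strings case-sensitively, so normalise the keywords.
strPermission = LCase(Trim(WScript.Arguments(2)))
strPermissionOperation = LCase(Trim(WScript.Arguments(3)))

' Validate both keywords BEFORE touching the directory. The original fell
' through silently on an unknown value and still wrote the descriptor back,
' with AceType never assigned - so a typo such as "Deny" or "denny" could
' store an ACE of a different type than the operator intended.
If strPermission <> "allow" And strPermission <> "deny" Then
    WScript.Echo "Invalid permission '" & strPermission & "': expected allow or deny."
    WScript.Quit 1
End If
If strPermissionOperation <> "add" And strPermissionOperation <> "remove" Then
    WScript.Echo "Invalid operation '" & strPermissionOperation & "': expected add or remove."
    WScript.Quit 1
End If

' Bind to the object and fetch its current DACL.
On Error Resume Next
Set objSdUtil = GetObject("LDAP://" & strUser)
If Err.Number = 0 Then Set objSD = objSdUtil.Get("ntSecurityDescriptor")
If Err.Number = 0 Then Set objDACL = objSD.DiscretionaryAcl
If Err.Number <> 0 Then
    WScript.Echo "Could not read the security descriptor of '" & strUser & _
                 "' (0x" & Hex(Err.Number) & "): " & Err.Description
    WScript.Quit 2
End If
On Error GoTo 0

' Build an object ACE scoped to the Receive-As right only. AceFlags = 0
' means the ACE carries no inheritance flags.
Set objAce = CreateObject("AccessControlEntry")
objAce.Trustee = strPermissionUser
objAce.AceFlags = 0
objAce.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
objAce.ObjectType = RECEIVE_AS_GUID
objAce.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS

Select Case strPermission
    Case "allow"
        objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
    Case "deny"
        objAce.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
End Select

Select Case strPermissionOperation
    Case "add"
        objDACL.AddAce objAce
    Case "remove"
        ' NOTE(review): this passes a freshly built ACE rather than one
        ' enumerated from the DACL - confirm on a test object that the
        ' matching entry is really removed, and review the DACL afterwards.
        objDACL.RemoveAce objAce
End Select

' Write the modified DACL back to the directory.
On Error Resume Next
objSD.DiscretionaryAcl = objDACL
objSdUtil.Put "ntSecurityDescriptor", Array(objSD)
objSdUtil.SetInfo
If Err.Number <> 0 Then
    WScript.Echo "Could not write the security descriptor of '" & strUser & _
                 "' (0x" & Hex(Err.Number) & "): " & Err.Description
    WScript.Quit 3
End If
On Error GoTo 0

' One-line record of the change for whatever log captures this job's output.
WScript.Echo "Receive-As " & strPermission & " ACE " & strPermissionOperation & _
             " for trustee '" & strPermissionUser & "' on '" & strUser & "'"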