VBScript to read Active Directory user permissions (ntsecuritydescriptor)

Door: Arnout van der Vorst

07 maart 2008

Product en technologie

Reading AD ACLs isn’t particularly hard, the hard part is translating the information you get to something useful. The VBScript listed below contains all the constants required for you to do the translation to whatever you like.

strUserODN = wscript.arguments(0) strExportFile = wscript.arguments(1) Const ADS_RIGHT_DELETE = &H10000 Const ADS_RIGHT_READ_CONTROL = &H20000 Const ADS_RIGHT_WRITE_DAC = &H40000 Const ADS_RIGHT_WRITE_OWNER = &H80000 Const ADS_RIGHT_SYNCHRONIZE = &H100000 Const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &H1000000 Const ADS_RIGHT_GENERIC_READ = &H80000000 Const ADS_RIGHT_GENERIC_WRITE = &H40000000 Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000 Const ADS_RIGHT_GENERIC_ALL = &H10000000 Const ADS_RIGHT_DS_CREATE_CHILD = &H1 Const ADS_RIGHT_DS_DELETE_CHILD = &H2 Const ADS_RIGHT_ACTRL_DS_LIST = &H4 Const ADS_RIGHT_DS_SELF = &H8 Const ADS_RIGHT_DS_READ_PROP = &H10 Const ADS_RIGHT_DS_WRITE_PROP = &H20 Const ADS_RIGHT_DS_DELETE_TREE = &H40 Const ADS_RIGHT_DS_LIST_OBJECT = &H80 Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_SYSTEM_AUDIT = &H2
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7
Const ADS_ACETYPE_SYSTEM_ALARM_OBJECT = &H8
Const ADS_ACETYPE_ACCESS_ALLOWED_CALLBACK = &H9
Const ADS_ACETYPE_ACCESS_DENIED_CALLBACK = &HA
Const ADS_ACETYPE_ACCESS_ALLOWED_CALLBACK_OBJECT = &HB
Const ADS_ACETYPE_ACCESS_DENIED_CALLBACK_OBJECT = &HC
Const ADS_ACETYPE_SYSTEM_AUDIT_CALLBACK = &HD
Const ADS_ACETYPE_SYSTEM_ALARM_CALLBACK = &HE
Const ADS_ACETYPE_SYSTEM_AUDIT_CALLBACK_OBJECT = &HF
Const ADS_ACETYPE_SYSTEM_ALARM_CALLBACK_OBJECT = &H10

Const SENDAS_GUID = “{AB721A54-1E2F-11D0-9819-00AA0040529B}”
Const RECEIVEAS_GUID = “{AB721A56-1E2F-11D0-9819-00AA0040529B}”

set ObjUser = GetObject(“LDAP://” & strUserODN)
set fso = CreateObject(“Scripting.FileSystemObject”)
set output = fso.CreateTextFile(strExportFile, True)

Set objsd = objUser.Get(“ntSecurityDescriptor”)
Set dacl = objsd.DiscretionaryAcl

For Each ace In dacl
strAceType = “”
If (ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED) Then
strAceType = “Allow”
ElseIf (ace.AceType = ADS_ACETYPE_ACCESS_DENIED) Then
strAceType = “Deny”
ElseIf (ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) Then
strAceType = “Allow”
End If

strObjectType = “”
if (ace.ObjectType = SENDAS_GUID) Then
strObjectType = “SendAs”
End if

if (ace.ObjectType = RECEIVEAS_GUID) Then
strObjectType = “ReceiveAs”
End If

if len(strObjectType) > 0 and not Instr(ace.Trustee, “SELF”) > 0 then
output.Write strUserODN & “;”
output.Write ace.Trustee & “;”
output.Write strAceType & “;”
output.Write strObjectType & “;”
output.WriteLine “#”
End if
Next

Geschreven door:
Arnout van der Vorst

Arnout van der Vorst is Identity Management Architect bij Tools4ever en al ruim 10 jaar in dienst. Arnout legt zich als Architect toe op het bedenken en ontwikkelen van nieuwe features, oplossingen en diensten van Tools4ever die aansluiten op de vraag uit de markt. Arnout studeerde Hogere Informatica aan de Hogeschool van Utrecht.