You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
103 lines
2.7 KiB
103 lines
2.7 KiB
on error resume next
|
|
|
|
set l = CreateObject("WbemScripting.SWbemLocatorEx")
|
|
set c = CreateObject("WbemScripting.SWbemNamedValueSet")
|
|
|
|
set ldap = l.Open ("umi://nw01t1/ldap", "nw01t1domnb\administrator", "nw01t1domnb")
|
|
|
|
Set objArgs = Wscript.Arguments
|
|
|
|
|
|
if objArgs.Count > 0 then
|
|
if objArgs(0) = "?" OR objArgs(0) = "/?" OR objArgs(0) = "h" OR objArgs(0) = "/h" _
|
|
OR objArgs(0) = "-?" OR objArgs(0) = "-h" then
|
|
WScript.Echo "Usage: cscript sd.vbs [[o][g][d][s]]"
|
|
WScript.Quit
|
|
end if
|
|
if InStr( 1, objArgs(0), "o", 1) > 0 then c.Add "INCLUDE_OWNER", true
|
|
if InStr( 1, objArgs(0), "g", 1) > 0 then c.Add "INCLUDE_GROUP", true
|
|
if InStr( 1, objArgs(0), "d", 1) > 0 then c.Add "INCLUDE_DACL", true
|
|
if InStr( 1, objArgs(0), "s", 1) > 0 then c.Add "INCLUDE_SACL", true
|
|
else
|
|
c.Add "INCLUDE_GROUP", true
|
|
c.Add "INCLUDE_OWNER", true
|
|
c.Add "INCLUDE_DACL", true
|
|
c.Add "INCLUDE_SACL", true
|
|
end if
|
|
|
|
set cont = ldap.Get (".CN=users", &H40000, c)
|
|
|
|
set sd = cont.GetSecurityDescriptor_
|
|
|
|
if err then WScript.Echo "[" & Err.Description & "]"
|
|
|
|
WScript.Echo
|
|
WScript.Echo "SD"
|
|
WScript.Echo "=="
|
|
WScript.Echo
|
|
|
|
WScript.Echo "Revision:", sd.Revision
|
|
WScript.Echo "Control:", sd.Control
|
|
WScript.Echo "Owner:", sd.Owner
|
|
WScript.Echo "OwnerDefaulted:", sd.OwnerDefaulted
|
|
WScript.Echo "Group:", sd.Group
|
|
WScript.Echo "GroupDefaulted:", sd.GroupDefaulted
|
|
WScript.Echo "DaclDefaulted:", sd.DaclDefaulted
|
|
WScript.Echo "SaclDefaulted:", sd.SaclDefaulted
|
|
|
|
set dacl = sd.DiscretionaryAcl
|
|
|
|
WScript.Echo
|
|
WScript.Echo "DACL"
|
|
WScript.Echo "===="
|
|
WScript.Echo
|
|
|
|
DisplayACL dacl
|
|
|
|
set sacl = sd.SystemAcl
|
|
|
|
WScript.Echo
|
|
WScript.Echo "SACL"
|
|
WScript.Echo "===="
|
|
WScript.Echo
|
|
|
|
DisplayACL sacl
|
|
|
|
Sub DisplayAcl (acl)
|
|
on error resume next
|
|
|
|
' NOTE: The following test should really be IsObject, but
|
|
' for some reason using [ogd] we don't get a nothing back from the
|
|
' IADsSecurityDescriptor.SystemAcl and DiscretionaryAcl calls, we get what
|
|
' looks like VT_NULL.
|
|
'
|
|
' We can change this to use IsNull instead to fix that test, but then
|
|
' the [o] test fails here with "Object Required". It seems that sometimes
|
|
' the omission of the ACL from the SD is marked with a VT_NULL and sometimes
|
|
' is literally marked as "Nothing".
|
|
if IsObject(acl) then
|
|
if Not acl is Nothing then
|
|
|
|
if err <> 0 then
|
|
WScript.Echo "No ACL Present"
|
|
else
|
|
Wscript.Echo "AceCount:", acl.AceCount
|
|
WScript.Echo "AclRevision:", acl.AclRevision
|
|
|
|
for each ace in acl
|
|
DisplayAce ace
|
|
next
|
|
end if
|
|
else
|
|
WScript.Echo "No ACL Present"
|
|
end if
|
|
else
|
|
WScript.Echo "No ACL Present"
|
|
end if
|
|
End Sub
|
|
|
|
Sub DisplayAce (ace)
|
|
on error resume next
|
|
WScript.Echo " " & Hex(ace.AccessMask) & " " & ace.AceType & " " & ace.Trustee
|
|
End Sub
|
|
|