mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
674 lines
22 KiB
674 lines
22 KiB
'------------------------------------------------------
|
|
' Constant Definitions
|
|
'------------------------------------------------------
|
|
|
|
'------------------------------------------------------
|
|
' AceMask
|
|
|
|
Const ADS_RIGHT_DELETE = &H10000&
|
|
Const ADS_RIGHT_READ_CONTROL = &H20000&
|
|
Const ADS_RIGHT_WRITE_DAC = &H40000&
|
|
Const ADS_RIGHT_WRITE_OWNER = &H80000&
|
|
Const ADS_RIGHT_SYNCHRONIZE = &H100000&
|
|
Const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &H1000000&
|
|
Const ADS_RIGHT_GENERIC_READ = &H80000000&
|
|
Const ADS_RIGHT_GENERIC_WRITE = &H40000000&
|
|
Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000&
|
|
Const ADS_RIGHT_GENERIC_ALL = &H10000000&
|
|
Const ADS_RIGHT_DS_CREATE_CHILD = &H1&
|
|
Const ADS_RIGHT_DS_DELETE_CHILD = &H2&
|
|
Const ADS_RIGHT_ACTRL_DS_LIST = &H4&
|
|
Const ADS_RIGHT_DS_SELF = &H8&
|
|
Const ADS_RIGHT_DS_READ_PROP = &H10&
|
|
Const ADS_RIGHT_DS_WRITE_PROP = &H20&
|
|
Const ADS_RIGHT_DS_DELETE_TREE = &H40&
|
|
Const ADS_RIGHT_DS_LIST_OBJECT = &H80&
|
|
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100&
|
|
|
|
'---------------------------------------------------------
|
|
' Ace Type
|
|
|
|
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
|
|
Const ADS_ACETYPE_ACCESS_DENIED = &H1&
|
|
Const ADS_ACETYPE_SYSTEM_AUDIT = &H2&
|
|
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5&
|
|
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6&
|
|
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7&
|
|
|
|
'---------------------------------------------------------
|
|
' Ace Flags
|
|
|
|
Const ADS_ACEFLAG_INHERIT_ACE = &H2&
|
|
Const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &H4&
|
|
Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8&
|
|
Const ADS_ACEFLAG_INHERITED_ACE = &H10&
|
|
Const ADS_ACEFLAG_VALID_INHERIT_FLAGS = &H1f&
|
|
Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40&
|
|
Const ADS_ACEFLAG_FAILED_ACCESS = &H80&
|
|
|
|
'---------------------------------------------------------
|
|
' AceFlagType: ADS_FLAGTYPE_ENUM
|
|
|
|
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1&
|
|
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2&
|
|
|
|
' manual error handling
|
|
On error resume next
|
|
|
|
' Checking command line parameters
|
|
|
|
set args = Wscript.Arguments
|
|
|
|
if args.count <> 2 Then
|
|
wscript.echo "The syntax of the command is:"
|
|
wscript.echo "cscript UpdateACL.vbs [ /Domain | /Forest ] <DomainDNSName>"
|
|
wscript.echo "Example: cscript UpdateACL.vbs /Domain example.microsoft.com"
|
|
wscript.quit
|
|
End If
|
|
|
|
|
|
domain = ""
|
|
|
|
If args.count = 2 then
|
|
domain = args(1)
|
|
end if
|
|
|
|
If args (0) = "/Domain" Then
|
|
call ACLDomain( domain )
|
|
else
|
|
if args (0) = "/Forest" Then
|
|
call Forest( domain )
|
|
else
|
|
wscript.echo "The syntax of the command is:"
|
|
wscript.echo "cscript UpdateACL.vbs [ /Domain | /Forest ] <DomainDNSName>"
|
|
wscript.echo "Example: cscript UpdateACL.vbs /Domain example.microsoft.com"
|
|
wscript.quit
|
|
end if
|
|
end if
|
|
|
|
|
|
'====================================================================
|
|
' Work that has to be performed on a domain level
|
|
'====================================================================
|
|
|
|
Function ACLDomain ( domain )
|
|
|
|
On error resume next
|
|
|
|
if domain = "" then
|
|
Set rootDSE = GetObject("LDAP://RootDSE")
|
|
Set dom = GetObject("LDAP://" & rootDSE.Get("defaultNamingContext"))
|
|
else
|
|
Set dom = GetObject("LDAP://" & domain )
|
|
if err <> 0 then
|
|
wscript.echo "Error: Unable to bind to domain " & domain & " , Error is: " & err
|
|
wscript.quit
|
|
end if
|
|
end if
|
|
|
|
Set sd = dom.Get("ntSecurityDescriptor")
|
|
|
|
if err <> 0 then
|
|
wscript.error "Error reading security descriptor, error is " & err
|
|
wscript.quit
|
|
end if
|
|
|
|
Set dacl = sd.DiscretionaryACL
|
|
|
|
'---------------------------------------------------------------------------------
|
|
' Adding the Anonymous Logon group to the Pre-Windows 2000 Compatible Access group
|
|
' This should only be done if the Everyone is member of the Pre-Windows 2000 Compatible Access group
|
|
'---------------------------------------------------------------------------------
|
|
set grp = dom.GetObject ("group", "CN=Pre-Windows 2000 Compatible Access,CN=Builtin")
|
|
|
|
' S-1-1-0 is in the Everyone group:
|
|
set usr = dom.GetObject ("foreignSecurityPrincipal", "CN=S-1-1-0,CN=ForeignSecurityPrincipals")
|
|
|
|
if grp.IsMember (usr.AdsPath) then
|
|
grp.PutEx 3, "member", array("<SID=010100000000000507000000>")
|
|
grp.SetInfo
|
|
if err <> 0 then
|
|
if err = -2147019886 then ' Anonymous Logon already is a member of this group
|
|
wscript.echo "Anonymous Logon is member of Pre-Windows 2000 Compatible Access Group"
|
|
else
|
|
wscript.echo "Error adding Anonymous Logon to Pre-Windows 2000 Compatible Access group, error code is " & err
|
|
end if
|
|
else
|
|
wscript.echo "Anonymous Logon to Pre-Windows 2000 Compatible Access Group added"
|
|
end if
|
|
|
|
else
|
|
wscript.echo "Everyone group is not member of Pre-Windows 2000 Compatible Access Group"
|
|
wscript.echo "Anonymous Logon group not added to Pre-Windows 2000 Compatible Access Group"
|
|
end if
|
|
|
|
err = 0
|
|
|
|
'==============================================================================
|
|
' ACL changes
|
|
'===============================================================================
|
|
|
|
' OBJECT: Domain DNS
|
|
'------------------------------------------------------------------------------
|
|
|
|
'(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)
|
|
' OA: Access Allowed Object Ace Type
|
|
' RP: DS Read Property (Access Type)
|
|
' c7407360-20bf-11d0-a768-00aa006e0529: Domain Password (Property Set)
|
|
' RU: Pre-Windows 2000 Compatible Access Group
|
|
|
|
Set ace = CreateObject("AccessControlEntry")
|
|
ace.Trustee = "BUILTIN\Pre-Windows 2000 Compatible Access"
|
|
|
|
ace.AccessMask = ADS_RIGHT_DS_READ_PROP
|
|
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
|
|
ace.AceFlags = 0
|
|
ace.ObjectType = "{C7407360-20BF-11D0-A768-00AA006E0529}"
|
|
ace.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
|
|
|
|
dacl.AddAce ace
|
|
Set ace = Nothing
|
|
|
|
|
|
' (OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)
|
|
' OA: Access Allowed Object Ace Type
|
|
' RP: DS Read Property
|
|
' RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a: Domain-Other-Parameters (Property Set)
|
|
' RU: Pre-Windows 2000 Compatible Access Group
|
|
|
|
Set ace = CreateObject("AccessControlEntry")
|
|
ace.Trustee = "BUILTIN\Pre-Windows 2000 Compatible Access"
|
|
ace.AccessMask = ADS_RIGHT_DS_READ_PROP
|
|
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
|
|
ace.ObjectType = "{b8119fd0-04f6-4762-ab7a-4986c76b3f9a}"
|
|
ace.AceFlags = 0
|
|
ace.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
|
|
|
|
dacl.AddAce ace
|
|
Set ace = Nothing
|
|
|
|
' (OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)
|
|
' OA: Access Allowed Object Ace Type
|
|
' RP: DS Read Property
|
|
' RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a: Domain-Other-Parameters (Property Set)
|
|
' AU: NT AUTHORITY\AUTHENTICATED USERS
|
|
|
|
Set ace = CreateObject("AccessControlEntry")
|
|
ace.Trustee = "NT AUTHORITY\AUTHENTICATED USERS"
|
|
ace.AccessMask = ADS_RIGHT_DS_READ_PROP
|
|
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
|
|
ace.ObjectType = "{b8119fd0-04f6-4762-ab7a-4986c76b3f9a}"
|
|
ace.AceFlags = 0
|
|
ace.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
|
|
|
|
dacl.AddAce ace
|
|
Set ace = Nothing
|
|
|
|
' (OA;CIIO;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;bf967a86-0de6-11d0-a285-00aa003049e2;CO)
|
|
' OA: Access Allowed Object Ace Type
|
|
' CIIO: Flags Container Inheritance and ADS_ACEFLAG_INHERIT_ONLY_ACE
|
|
' Rights:
|
|
' WP: ADS_RIGHT_DS_WRITE_PROP
|
|
' 3e0abfd0-126a-11d0-a060-00aa006c33ed: sAMAccountName attribute
|
|
' bf967a86-0de6-11d0-a285-00aa003049e2: computer object
|
|
' CO: Creator owner
|
|
|
|
Set ace = CreateObject("AccessControlEntry")
|
|
ace.Trustee = "CREATOR OWNER"
|
|
|
|
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
|
|
ace.AccessMask = ADS_RIGHT_DS_WRITE_PROP
|
|
ace.AceFlags = ADS_ACEFLAG_INHERIT_ACE or ADS_ACEFLAG_INHERIT_ONLY_ACE
|
|
ace.InheritedObjectType = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"
|
|
ace.Flags = ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT or ADS_FLAG_OBJECT_TYPE_PRESENT
|
|
ace.ObjectType = "{3E0ABFD0-126A-11D0-A060-00AA006C33ED}"
|
|
dacl.AddAce ace
|
|
Set ace = Nothing
|
|
|
|
' (A;CI;LCRPLORC;;bf967aa5-0de6-11d0-a285-00aa003049e2;ED)
|
|
' A: Access Allowed Ace Type
|
|
' CI: Flag: Container Inheritance
|
|
' Rights:
|
|
' LC: DS List Children
|
|
' RP: DS Read Property
|
|
' LO: DS List Object
|
|
' RC: Read Control
|
|
' bf967aa5-0de6-11d0-a285-00aa003049e2: Class Organizational Unit
|
|
' ED: Enterprise Domain Controllers
|
|
|
|
Set ace = CreateObject("AccessControlEntry")
|
|
ace.Trustee = "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"
|
|
|
|
ace.AccessMask = ADS_RIGHT_READ_CONTROL or ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_ACTRL_DS_LIST or ADS_RIGHT_DS_LIST_OBJECT
|
|
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
|
|
ace.AceFlags = ADS_ACEFLAG_INHERIT_ACE
|
|
ace.Flags = ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
|
|
ace.InheritedObjectType = "{BF967AA5-0DE6-11D0-A285-00AA003049E2}"
|
|
dacl.AddAce ace
|
|
Set ace = Nothing
|
|
|
|
|
|
|
|
'-- commit changes
|
|
sd.DiscretionaryACL = dacl
|
|
dom.Put "ntSecurityDescriptor", Array(sd)
|
|
dom.SetInfo
|
|
|
|
if err <> 0 then
|
|
wscript.echo "Error setting Domain Password Property Set ACE set for RU, error code is " & err
|
|
wscript.echo "Error setting Domain Other Parameters ACE set for RU, error code is " & err
|
|
wscript.echo "Inheritable rights on Organizational Units set on Domain Object for RU, error code is " & err
|
|
else
|
|
wscript.echo "Domain Password Property Set ACE set for RU"
|
|
wscript.echo "Domain Other Parameters ACE set for RU"
|
|
wscript.echo "Inheritable rights on Organizational Units set on Domain Object for RU"
|
|
end if
|
|
|
|
err = 0
|
|
|
|
'(A;;LCRPLORC;;;ED)
|
|
' A: Access Allowed Ace Type
|
|
' Rights:
|
|
' LC: DS List Children
|
|
' RP: DS Read Property
|
|
' LO: DS List Object
|
|
' RC: Read Control
|
|
' ED: Enterprise Domain Controllers
|
|
|
|
' Domain Policy first:
|
|
|
|
Set dp = dom.GetObject("GroupPolicyContainer", "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System")
|
|
Set sd = dp.Get("ntSecurityDescriptor")
|
|
Set dacl = sd.DiscretionaryACL
|
|
|
|
Set ace = CreateObject("AccessControlEntry")
|
|
ace.Trustee = "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"
|
|
ace.AccessMask = ADS_RIGHT_READ_CONTROL or ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_ACTRL_DS_LIST or ADS_RIGHT_DS_LIST_OBJECT
|
|
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED
|
|
dacl.AddAce ace
|
|
|
|
'-- commit changes
|
|
sd.DiscretionaryACL = dacl
|
|
dp.Put "ntSecurityDescriptor", Array(sd)
|
|
dp.SetInfo
|
|
|
|
if err <> 0 then
|
|
wscript.echo "Error setting Domain policy ACE for Enterprise Domain Controllers, error code is " & err
|
|
else
|
|
wscript.echo "Domain policy ACE for Enterprise Domain Controllers set"
|
|
end if
|
|
|
|
err = 0
|
|
|
|
Set ace = Nothing
|
|
|
|
|
|
' Domain Controller Policy next:
|
|
Set dcp = dom.GetObject("GroupPolicyContainer", "CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System")
|
|
Set sd = dcp.Get("ntSecurityDescriptor")
|
|
Set dacl = sd.DiscretionaryACL
|
|
|
|
Set ace = CreateObject("AccessControlEntry")
|
|
ace.Trustee = "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"
|
|
ace.AccessMask = ADS_RIGHT_READ_CONTROL or ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_ACTRL_DS_LIST or ADS_RIGHT_DS_LIST_OBJECT
|
|
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED
|
|
dacl.AddAce ace
|
|
|
|
'-- commit changes
|
|
sd.DiscretionaryACL = dacl
|
|
dcp.Put "ntSecurityDescriptor", Array(sd)
|
|
dcp.SetInfo
|
|
|
|
if err <> 0 then
|
|
wscript.echo "Error setting Domain Controller policy ACE for Enterprise Domain Controllers, error code is " & err
|
|
else
|
|
wscript.echo "Domain Controller policy ACE for ED set"
|
|
end if
|
|
|
|
err = 0
|
|
|
|
Set ace = Nothing
|
|
|
|
|
|
' For all other group policies, the same ACE needs to be set on the container
|
|
' as container inheritable
|
|
' (A;CI;LCRPLORC;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;ED)
|
|
'
|
|
' A: Access Allowed Ace Type
|
|
' CI: Flag: Container Inheritance
|
|
' Rights:
|
|
' LC: DS List Children
|
|
' RP: DS Read Property
|
|
' LO: DS List Object
|
|
' RC: Read Control
|
|
' f30e3bc2-9ff0-11d1-b603-0000f80367c1: class GroupPolicyContainer
|
|
' ED: Enterprise Domain Controllers
|
|
|
|
Set PCon = dom.GetObject("Container", "CN=Policies,CN=System")
|
|
Set sd = PCon.Get("ntSecurityDescriptor")
|
|
Set dacl = sd.DiscretionaryACL
|
|
|
|
Set ace = CreateObject("AccessControlEntry")
|
|
ace.Trustee = "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"
|
|
ace.AccessMask = ADS_RIGHT_READ_CONTROL or ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_ACTRL_DS_LIST or ADS_RIGHT_DS_LIST_OBJECT
|
|
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
|
|
ace.AceFlags = ADS_ACEFLAG_INHERIT_ACE or ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE or ADS_ACEFLAG_INHERIT_ONLY_ACE
|
|
ace.Flags = ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
|
|
ace.InheritedObjectType = "{f30e3bc2-9ff0-11d1-b603-0000f80367c1}"
|
|
|
|
dacl.AddAce ace
|
|
|
|
'-- commit changes
|
|
sd.DiscretionaryACL = dacl
|
|
PCon.Put "ntSecurityDescriptor", Array(sd)
|
|
PCon.SetInfo
|
|
|
|
if err <> 0 then
|
|
wscript.echo "Error setting Policy Container ACE for Enterprise Domain Controllers, error code is " & err
|
|
else
|
|
wscript.echo "Policy Container ACE for Enterprise Domain Controllers set"
|
|
end if
|
|
|
|
err = 0
|
|
|
|
Set ace = Nothing
|
|
|
|
'--------------------------------------------------------------------
|
|
' OBJECT: AdminSDHolder: Allow changing password (self)
|
|
'--------------------------------------------------------------------
|
|
Set sdHolder = dom.GetObject("container", "CN=AdminSDHolder,CN=System")
|
|
Set sd = sdHolder.Get("ntSecurityDescriptor")
|
|
Set dacl = sd.DiscretionaryACL
|
|
|
|
|
|
' (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS) (RAID 177490)
|
|
' OA: Access Allowed Object Ace Type
|
|
' Rights:
|
|
' CR: All Extended Rights
|
|
' ab721a53-1e2f-11d0-9819-00aa0040529b: User Change Password
|
|
' PS: Personal Self
|
|
|
|
Set ace = CreateObject("AccessControlEntry")
|
|
ace.Trustee = "NT AUTHORITY\SELF"
|
|
ace.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
|
|
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
|
|
ace.AceFlags = 0
|
|
ace.ObjectType = "{AB721A53-1E2F-11D0-9819-00AA0040529B}"
|
|
ace.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
|
|
dacl.AddAce ace
|
|
Set ace = Nothing
|
|
|
|
|
|
'---------------------------------------------------------------------------------
|
|
' OBJECT: AdminSDHolder: Allow Certificate Admins to publish certificates to admins
|
|
'---------------------------------------------------------------------------------
|
|
|
|
' (OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA) (RAID 231740)
|
|
' OA: Access Allowed Object Ace Type
|
|
' Rights:
|
|
' RP: DS Read Property
|
|
' RW: DS Write Property
|
|
' Property: bf967a7f-0de6-11d0-a285-00aa003049e2: userCert
|
|
' CA: Certificate Server Administrators
|
|
|
|
Set ace = CreateObject("AccessControlEntry")
|
|
ace.Trustee = "Cert Publishers"
|
|
ace.AccessMask = ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_DS_WRITE_PROP
|
|
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
|
|
ace.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
|
|
ace.AceFlags = 0
|
|
ace.ObjectType = "{BF967A7F-0DE6-11D0-A285-00AA003049E2}"
|
|
dacl.AddAce ace
|
|
|
|
sd.DiscretionaryACL = dacl
|
|
sdHolder.Put "ntSecurityDescriptor", Array(sd)
|
|
sdHolder.SetInfo
|
|
|
|
if err <> 0 then
|
|
wscript.echo "Error setting AdminSDHolder ACEs, error code is " & err
|
|
else
|
|
wscript.echo "AdminSDHolder ACEs set"
|
|
end if
|
|
|
|
err = 0
|
|
|
|
Set ace = Nothing
|
|
|
|
|
|
|
|
'--------------------------------------------------------------------
|
|
' OBJECT: GPOUsers
|
|
'--------------------------------------------------------------------
|
|
Set gpo = dom.GetObject("container", "CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System")
|
|
Set sd = gpo.Get("ntSecurityDescriptor")
|
|
Set dacl = sd.DiscretionaryACL
|
|
|
|
' (A;;LCRPLORC;;;ED)
|
|
' A: Access Allowed Ace Type
|
|
' Rights:
|
|
' LC: DS List Children
|
|
' RP: DS Read Property
|
|
' LO: DS List Object
|
|
' RC: Read Control
|
|
' ED: Enterprise Domain Controllers
|
|
|
|
' Note: Has to be applied to two User GPOs:
|
|
' CN=User, CN={31B2F340-016D-11D2-945F-00C04FB984F9}, CN=Policies, CN=System, DC=<domain>, ...
|
|
' CN=User, CN= {6AC1786C-016F-11D2-945F-00C04fB984F9}, CN=Policies, CN=System, DC=<domain>, ...
|
|
Set ace = CreateObject("AccessControlEntry")
|
|
ace.Trustee = "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"
|
|
ace.AceFlags = 0
|
|
ace.AccessMask = ADS_RIGHT_READ_CONTROL or ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_ACTRL_DS_LIST or ADS_RIGHT_DS_LIST_OBJECT
|
|
dacl.AddAce ace
|
|
|
|
sd.DiscretionaryACL = dacl
|
|
gpo.Put "ntSecurityDescriptor", Array(sd)
|
|
gpo.SetInfo
|
|
|
|
if err <> 0 then
|
|
wscript.echo "Error setting ACE for Enterprise Domain Controllers on user domain policy, error code is " & err
|
|
else
|
|
wscript.echo "ACE for Enterprise Domain Controllers on user domain policy set"
|
|
end if
|
|
|
|
err = 0
|
|
|
|
Set ace = Nothing
|
|
|
|
|
|
|
|
Set gpo = dom.GetObject("container", "CN=User,CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System")
|
|
Set sd = gpo.Get("ntSecurityDescriptor")
|
|
Set dacl = sd.DiscretionaryACL
|
|
|
|
' (A;;LCRPLORC;;;ED)
|
|
' A: Access Allowed Ace Type
|
|
' Rights:
|
|
' LC: DS List Children
|
|
' RP: DS Read Property
|
|
' LO: DS List Object
|
|
' RC: Read Control
|
|
' ED: Enterprise Domain Controllers
|
|
' Note: Has to be applied to two User GPOs:
|
|
' CN=User, CN={31B2F340-016D-11D2-945F-00C04FB984F9}, CN=Policies, CN=System, DC=<domain>, ...
|
|
' CN=User, CN= {6AC1786C-016F-11D2-945F-00C04fB984F9}, CN=Policies, CN=System, DC=<domain>, ...
|
|
Set ace = CreateObject("AccessControlEntry")
|
|
ace.Trustee = "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"
|
|
ace.AceFlags = 0
|
|
ace.AccessMask = ADS_RIGHT_READ_CONTROL or ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_ACTRL_DS_LIST or ADS_RIGHT_DS_LIST_OBJECT
|
|
dacl.AddAce ace
|
|
|
|
sd.DiscretionaryACL = dacl
|
|
gpo.Put "ntSecurityDescriptor", Array(sd)
|
|
gpo.SetInfo
|
|
if err <> 0 then
|
|
wscript.echo "Error setting ACE for Enterprise Domain Controllers on user DC policy, error code is " & err
|
|
else
|
|
wscript.echo "ACE for Enterprise Domain Controllers on user DC policy set"
|
|
end if
|
|
|
|
err = 0
|
|
|
|
Set ace = Nothing
|
|
|
|
|
|
|
|
'--------------------------------------------------------------------
|
|
' OBJECT: GPOMachines
|
|
'--------------------------------------------------------------------
|
|
Set gpo = dom.GetObject("container", "CN=Machine,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System")
|
|
Set sd = gpo.Get("ntSecurityDescriptor")
|
|
Set dacl = sd.DiscretionaryACL
|
|
|
|
' (A;;LCRPLORC;;;ED)
|
|
' A: Access Allowed Ace Type
|
|
' Rights:
|
|
' LC: DS List Children
|
|
' RP: DS Read Property
|
|
' LO: DS List Object
|
|
' RC: Read Control
|
|
' ED: Enterprise Domain Controllers
|
|
' Note: Has to be applied to two machines GPOs:
|
|
' CN=Machine, CN={31B2F340-016D-11D2-945F-00C04FB984F9}, CN=Policies, CN=System, DC=<domain>, ...
|
|
' CN=Machine, CN= {6AC1786C-016F-11D2-945F-00C04fB984F9}, CN=Policies, CN=System, DC=<domain>, ...
|
|
Set ace = CreateObject("AccessControlEntry")
|
|
|
|
ace.Trustee = "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"
|
|
ace.AceFlags = 0
|
|
ace.AccessMask = ADS_RIGHT_READ_CONTROL or ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_ACTRL_DS_LIST or ADS_RIGHT_DS_LIST_OBJECT
|
|
dacl.AddAce ace
|
|
|
|
sd.DiscretionaryACL = dacl
|
|
gpo.Put "ntSecurityDescriptor", Array(sd)
|
|
gpo.SetInfo
|
|
if err <> 0 then
|
|
wscript.echo "Error setting ACE for Enterprise Domain Controllers on machine domain policy, error code is " & err
|
|
else
|
|
wscript.echo "ACE for Enterprise Domain Controllers on machine domain policy set"
|
|
end if
|
|
|
|
err = 0
|
|
|
|
Set ace = Nothing
|
|
|
|
|
|
|
|
Set gpo = dom.GetObject("container", "CN=Machine,CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System")
|
|
Set sd = gpo.Get("ntSecurityDescriptor")
|
|
Set dacl = sd.DiscretionaryACL
|
|
|
|
' (A;;LCRPLORC;;;ED)
|
|
' A: Access Allowed Ace Type
|
|
' Rights:
|
|
' LC: DS List Children
|
|
' RP: DS Read Property
|
|
' LO: DS List Object
|
|
' RC: Read Control
|
|
' ED: Enterprise Domain Controllers
|
|
' Note: Has to be applied to two machine GPOs:
|
|
' CN=Machine, CN={31B2F340-016D-11D2-945F-00C04FB984F9}, CN=Policies, CN=System, DC=<domain>, ...
|
|
' CN=Machine, CN= {6AC1786C-016F-11D2-945F-00C04fB984F9}, CN=Policies, CN=System, DC=<domain>, ...
|
|
Set ace = CreateObject("AccessControlEntry")
|
|
ace.Trustee = "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"
|
|
ace.AceFlags = 0
|
|
ace.AccessMask = ADS_RIGHT_READ_CONTROL or ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_ACTRL_DS_LIST or ADS_RIGHT_DS_LIST_OBJECT
|
|
dacl.AddAce ace
|
|
|
|
sd.DiscretionaryACL = dacl
|
|
gpo.Put "ntSecurityDescriptor", Array(sd)
|
|
gpo.SetInfo
|
|
if err <> 0 then
|
|
wscript.echo "Error setting ACE for Enterprise Domain Controllers on machine DC policy, error code is " & err
|
|
else
|
|
wscript.echo "ACE for Enterprise Domain Controllers on machine DC policy set"
|
|
end if
|
|
|
|
err = 0
|
|
|
|
Set ace = Nothing
|
|
|
|
End function ' Domain function
|
|
|
|
'==============================================================================
|
|
' Forest function
|
|
'==============================================================================
|
|
|
|
Function Forest ( domain )
|
|
|
|
On error resume next
|
|
|
|
if domain = "" then
|
|
Set RootDSE = GetObject("LDAP://RootDSE")
|
|
else
|
|
Set RootDSE = GetObject("LDAP://" & domain & "/RootDSE" )
|
|
if err <> 0 then
|
|
wscript.echo "Error: Unable to bind to domain " & domain & " , Error is: " & err
|
|
wscript.quit
|
|
end if
|
|
end if
|
|
|
|
|
|
'============================================
|
|
' OBJECT: Site
|
|
'=============================================
|
|
|
|
' (A;OI;LCRPLORC;;bf967ab3-0de6-11d0-a285-00aa003049e2;ED)
|
|
' A: Access Allowed Ace Type
|
|
' OI: Flag: Object Inheritance
|
|
' Rights:
|
|
' LC: DS List Children
|
|
' RP: DS Read Property
|
|
' LO: DS List Object
|
|
' RC: Read Control
|
|
' bf967ab3-0de6-11d0-a285-00aa003049e2: Schema GUID for sites
|
|
' ED: Enterprise Domain Controllers
|
|
|
|
Set cfg = GetObject("LDAP://" & RootDSE.Get("configurationNamingContext"))
|
|
|
|
if err <> 0 then
|
|
wscript.echo "Error binding to configuration naming context, error is " & err
|
|
wscript.quit
|
|
end if
|
|
|
|
Set site = cfg.GetObject("sitesContainer", "CN=Sites")
|
|
|
|
if err <> 0 then
|
|
wscript.echo "Error binding to sites container, error is " & err
|
|
wscript.quit
|
|
end if
|
|
|
|
Set sd = site.Get("ntSecurityDescriptor")
|
|
|
|
if err <> 0 then
|
|
wscript.echo "Error getting security descriptor on sites container, error is " & err
|
|
wscript.quit
|
|
end if
|
|
|
|
Set dacl = sd.DiscretionaryACL
|
|
|
|
|
|
Set ace = CreateObject("AccessControlEntry")
|
|
ace.Trustee = "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"
|
|
ace.AccessMask = ADS_RIGHT_READ_CONTROL or ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_ACTRL_DS_LIST or ADS_RIGHT_DS_LIST_OBJECT
|
|
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
|
|
ace.AceFlags = ADS_ACEFLAG_INHERIT_ACE or ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE or ADS_ACEFLAG_INHERIT_ONLY_ACE
|
|
ace.Flags = ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
|
|
ace.InheritedObjectType = "{bf967ab3-0de6-11d0-a285-00aa003049e2}"
|
|
dacl.AddAce ace
|
|
|
|
sd.DiscretionaryACL = dacl
|
|
site.Put "ntSecurityDescriptor", Array(sd)
|
|
|
|
site.SetInfo
|
|
|
|
if err <> 0 then
|
|
wscript.echo "Error setting inherited ACE for Enterprise Domain Controllers on Sites container, error code is " & err
|
|
else
|
|
wscript.echo "Inherited ACE for Enterprise Domain Controllers on Sites container set"
|
|
end if
|
|
|
|
Set ace = Nothing
|
|
|
|
err = 0
|
|
|
|
End function
|