Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

674 lines
22 KiB

'------------------------------------------------------
' Constant Definitions
'------------------------------------------------------
'------------------------------------------------------
' AceMask
Const ADS_RIGHT_DELETE = &H10000&
Const ADS_RIGHT_READ_CONTROL = &H20000&
Const ADS_RIGHT_WRITE_DAC = &H40000&
Const ADS_RIGHT_WRITE_OWNER = &H80000&
Const ADS_RIGHT_SYNCHRONIZE = &H100000&
Const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &H1000000&
Const ADS_RIGHT_GENERIC_READ = &H80000000&
Const ADS_RIGHT_GENERIC_WRITE = &H40000000&
Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000&
Const ADS_RIGHT_GENERIC_ALL = &H10000000&
Const ADS_RIGHT_DS_CREATE_CHILD = &H1&
Const ADS_RIGHT_DS_DELETE_CHILD = &H2&
Const ADS_RIGHT_ACTRL_DS_LIST = &H4&
Const ADS_RIGHT_DS_SELF = &H8&
Const ADS_RIGHT_DS_READ_PROP = &H10&
Const ADS_RIGHT_DS_WRITE_PROP = &H20&
Const ADS_RIGHT_DS_DELETE_TREE = &H40&
Const ADS_RIGHT_DS_LIST_OBJECT = &H80&
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100&
'---------------------------------------------------------
' Ace Type
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACETYPE_ACCESS_DENIED = &H1&
Const ADS_ACETYPE_SYSTEM_AUDIT = &H2&
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5&
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6&
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7&
'---------------------------------------------------------
' Ace Flags
Const ADS_ACEFLAG_INHERIT_ACE = &H2&
Const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &H4&
Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8&
Const ADS_ACEFLAG_INHERITED_ACE = &H10&
Const ADS_ACEFLAG_VALID_INHERIT_FLAGS = &H1f&
Const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &H40&
Const ADS_ACEFLAG_FAILED_ACCESS = &H80&
'---------------------------------------------------------
' AceFlagType: ADS_FLAGTYPE_ENUM
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1&
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2&
' manual error handling
On error resume next
' Checking command line parameters
set args = Wscript.Arguments
if args.count <> 2 Then
wscript.echo "The syntax of the command is:"
wscript.echo "cscript UpdateACL.vbs [ /Domain | /Forest ] <DomainDNSName>"
wscript.echo "Example: cscript UpdateACL.vbs /Domain example.microsoft.com"
wscript.quit
End If
domain = ""
If args.count = 2 then
domain = args(1)
end if
If args (0) = "/Domain" Then
call ACLDomain( domain )
else
if args (0) = "/Forest" Then
call Forest( domain )
else
wscript.echo "The syntax of the command is:"
wscript.echo "cscript UpdateACL.vbs [ /Domain | /Forest ] <DomainDNSName>"
wscript.echo "Example: cscript UpdateACL.vbs /Domain example.microsoft.com"
wscript.quit
end if
end if
'====================================================================
' Work that has to be performed on a domain level
'====================================================================
Function ACLDomain ( domain )
On error resume next
if domain = "" then
Set rootDSE = GetObject("LDAP://RootDSE")
Set dom = GetObject("LDAP://" & rootDSE.Get("defaultNamingContext"))
else
Set dom = GetObject("LDAP://" & domain )
if err <> 0 then
wscript.echo "Error: Unable to bind to domain " & domain & " , Error is: " & err
wscript.quit
end if
end if
Set sd = dom.Get("ntSecurityDescriptor")
if err <> 0 then
wscript.error "Error reading security descriptor, error is " & err
wscript.quit
end if
Set dacl = sd.DiscretionaryACL
'---------------------------------------------------------------------------------
' Adding the Anonymous Logon group to the Pre-Windows 2000 Compatible Access group
' This should only be done if the Everyone is member of the Pre-Windows 2000 Compatible Access group
'---------------------------------------------------------------------------------
set grp = dom.GetObject ("group", "CN=Pre-Windows 2000 Compatible Access,CN=Builtin")
' S-1-1-0 is in the Everyone group:
set usr = dom.GetObject ("foreignSecurityPrincipal", "CN=S-1-1-0,CN=ForeignSecurityPrincipals")
if grp.IsMember (usr.AdsPath) then
grp.PutEx 3, "member", array("<SID=010100000000000507000000>")
grp.SetInfo
if err <> 0 then
if err = -2147019886 then ' Anonymous Logon already is a member of this group
wscript.echo "Anonymous Logon is member of Pre-Windows 2000 Compatible Access Group"
else
wscript.echo "Error adding Anonymous Logon to Pre-Windows 2000 Compatible Access group, error code is " & err
end if
else
wscript.echo "Anonymous Logon to Pre-Windows 2000 Compatible Access Group added"
end if
else
wscript.echo "Everyone group is not member of Pre-Windows 2000 Compatible Access Group"
wscript.echo "Anonymous Logon group not added to Pre-Windows 2000 Compatible Access Group"
end if
err = 0
'==============================================================================
' ACL changes
'===============================================================================
' OBJECT: Domain DNS
'------------------------------------------------------------------------------
'(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)
' OA: Access Allowed Object Ace Type
' RP: DS Read Property (Access Type)
' c7407360-20bf-11d0-a768-00aa006e0529: Domain Password (Property Set)
' RU: Pre-Windows 2000 Compatible Access Group
Set ace = CreateObject("AccessControlEntry")
ace.Trustee = "BUILTIN\Pre-Windows 2000 Compatible Access"
ace.AccessMask = ADS_RIGHT_DS_READ_PROP
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
ace.AceFlags = 0
ace.ObjectType = "{C7407360-20BF-11D0-A768-00AA006E0529}"
ace.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
dacl.AddAce ace
Set ace = Nothing
' (OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)
' OA: Access Allowed Object Ace Type
' RP: DS Read Property
' RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a: Domain-Other-Parameters (Property Set)
' RU: Pre-Windows 2000 Compatible Access Group
Set ace = CreateObject("AccessControlEntry")
ace.Trustee = "BUILTIN\Pre-Windows 2000 Compatible Access"
ace.AccessMask = ADS_RIGHT_DS_READ_PROP
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
ace.ObjectType = "{b8119fd0-04f6-4762-ab7a-4986c76b3f9a}"
ace.AceFlags = 0
ace.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
dacl.AddAce ace
Set ace = Nothing
' (OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)
' OA: Access Allowed Object Ace Type
' RP: DS Read Property
' RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a: Domain-Other-Parameters (Property Set)
' AU: NT AUTHORITY\AUTHENTICATED USERS
Set ace = CreateObject("AccessControlEntry")
ace.Trustee = "NT AUTHORITY\AUTHENTICATED USERS"
ace.AccessMask = ADS_RIGHT_DS_READ_PROP
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
ace.ObjectType = "{b8119fd0-04f6-4762-ab7a-4986c76b3f9a}"
ace.AceFlags = 0
ace.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
dacl.AddAce ace
Set ace = Nothing
' (OA;CIIO;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;bf967a86-0de6-11d0-a285-00aa003049e2;CO)
' OA: Access Allowed Object Ace Type
' CIIO: Flags Container Inheritance and ADS_ACEFLAG_INHERIT_ONLY_ACE
' Rights:
' WP: ADS_RIGHT_DS_WRITE_PROP
' 3e0abfd0-126a-11d0-a060-00aa006c33ed: sAMAccountName attribute
' bf967a86-0de6-11d0-a285-00aa003049e2: computer object
' CO: Creator owner
Set ace = CreateObject("AccessControlEntry")
ace.Trustee = "CREATOR OWNER"
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
ace.AccessMask = ADS_RIGHT_DS_WRITE_PROP
ace.AceFlags = ADS_ACEFLAG_INHERIT_ACE or ADS_ACEFLAG_INHERIT_ONLY_ACE
ace.InheritedObjectType = "{BF967A86-0DE6-11D0-A285-00AA003049E2}"
ace.Flags = ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT or ADS_FLAG_OBJECT_TYPE_PRESENT
ace.ObjectType = "{3E0ABFD0-126A-11D0-A060-00AA006C33ED}"
dacl.AddAce ace
Set ace = Nothing
' (A;CI;LCRPLORC;;bf967aa5-0de6-11d0-a285-00aa003049e2;ED)
' A: Access Allowed Ace Type
' CI: Flag: Container Inheritance
' Rights:
' LC: DS List Children
' RP: DS Read Property
' LO: DS List Object
' RC: Read Control
' bf967aa5-0de6-11d0-a285-00aa003049e2: Class Organizational Unit
' ED: Enterprise Domain Controllers
Set ace = CreateObject("AccessControlEntry")
ace.Trustee = "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"
ace.AccessMask = ADS_RIGHT_READ_CONTROL or ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_ACTRL_DS_LIST or ADS_RIGHT_DS_LIST_OBJECT
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
ace.AceFlags = ADS_ACEFLAG_INHERIT_ACE
ace.Flags = ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
ace.InheritedObjectType = "{BF967AA5-0DE6-11D0-A285-00AA003049E2}"
dacl.AddAce ace
Set ace = Nothing
'-- commit changes
sd.DiscretionaryACL = dacl
dom.Put "ntSecurityDescriptor", Array(sd)
dom.SetInfo
if err <> 0 then
wscript.echo "Error setting Domain Password Property Set ACE set for RU, error code is " & err
wscript.echo "Error setting Domain Other Parameters ACE set for RU, error code is " & err
wscript.echo "Inheritable rights on Organizational Units set on Domain Object for RU, error code is " & err
else
wscript.echo "Domain Password Property Set ACE set for RU"
wscript.echo "Domain Other Parameters ACE set for RU"
wscript.echo "Inheritable rights on Organizational Units set on Domain Object for RU"
end if
err = 0
'(A;;LCRPLORC;;;ED)
' A: Access Allowed Ace Type
' Rights:
' LC: DS List Children
' RP: DS Read Property
' LO: DS List Object
' RC: Read Control
' ED: Enterprise Domain Controllers
' Domain Policy first:
Set dp = dom.GetObject("GroupPolicyContainer", "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System")
Set sd = dp.Get("ntSecurityDescriptor")
Set dacl = sd.DiscretionaryACL
Set ace = CreateObject("AccessControlEntry")
ace.Trustee = "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"
ace.AccessMask = ADS_RIGHT_READ_CONTROL or ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_ACTRL_DS_LIST or ADS_RIGHT_DS_LIST_OBJECT
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED
dacl.AddAce ace
'-- commit changes
sd.DiscretionaryACL = dacl
dp.Put "ntSecurityDescriptor", Array(sd)
dp.SetInfo
if err <> 0 then
wscript.echo "Error setting Domain policy ACE for Enterprise Domain Controllers, error code is " & err
else
wscript.echo "Domain policy ACE for Enterprise Domain Controllers set"
end if
err = 0
Set ace = Nothing
' Domain Controller Policy next:
Set dcp = dom.GetObject("GroupPolicyContainer", "CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System")
Set sd = dcp.Get("ntSecurityDescriptor")
Set dacl = sd.DiscretionaryACL
Set ace = CreateObject("AccessControlEntry")
ace.Trustee = "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"
ace.AccessMask = ADS_RIGHT_READ_CONTROL or ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_ACTRL_DS_LIST or ADS_RIGHT_DS_LIST_OBJECT
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED
dacl.AddAce ace
'-- commit changes
sd.DiscretionaryACL = dacl
dcp.Put "ntSecurityDescriptor", Array(sd)
dcp.SetInfo
if err <> 0 then
wscript.echo "Error setting Domain Controller policy ACE for Enterprise Domain Controllers, error code is " & err
else
wscript.echo "Domain Controller policy ACE for ED set"
end if
err = 0
Set ace = Nothing
' For all other group policies, the same ACE needs to be set on the container
' as container inheritable
' (A;CI;LCRPLORC;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;ED)
'
' A: Access Allowed Ace Type
' CI: Flag: Container Inheritance
' Rights:
' LC: DS List Children
' RP: DS Read Property
' LO: DS List Object
' RC: Read Control
' f30e3bc2-9ff0-11d1-b603-0000f80367c1: class GroupPolicyContainer
' ED: Enterprise Domain Controllers
Set PCon = dom.GetObject("Container", "CN=Policies,CN=System")
Set sd = PCon.Get("ntSecurityDescriptor")
Set dacl = sd.DiscretionaryACL
Set ace = CreateObject("AccessControlEntry")
ace.Trustee = "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"
ace.AccessMask = ADS_RIGHT_READ_CONTROL or ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_ACTRL_DS_LIST or ADS_RIGHT_DS_LIST_OBJECT
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
ace.AceFlags = ADS_ACEFLAG_INHERIT_ACE or ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE or ADS_ACEFLAG_INHERIT_ONLY_ACE
ace.Flags = ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
ace.InheritedObjectType = "{f30e3bc2-9ff0-11d1-b603-0000f80367c1}"
dacl.AddAce ace
'-- commit changes
sd.DiscretionaryACL = dacl
PCon.Put "ntSecurityDescriptor", Array(sd)
PCon.SetInfo
if err <> 0 then
wscript.echo "Error setting Policy Container ACE for Enterprise Domain Controllers, error code is " & err
else
wscript.echo "Policy Container ACE for Enterprise Domain Controllers set"
end if
err = 0
Set ace = Nothing
'--------------------------------------------------------------------
' OBJECT: AdminSDHolder: Allow changing password (self)
'--------------------------------------------------------------------
Set sdHolder = dom.GetObject("container", "CN=AdminSDHolder,CN=System")
Set sd = sdHolder.Get("ntSecurityDescriptor")
Set dacl = sd.DiscretionaryACL
' (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS) (RAID 177490)
' OA: Access Allowed Object Ace Type
' Rights:
' CR: All Extended Rights
' ab721a53-1e2f-11d0-9819-00aa0040529b: User Change Password
' PS: Personal Self
Set ace = CreateObject("AccessControlEntry")
ace.Trustee = "NT AUTHORITY\SELF"
ace.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
ace.AceFlags = 0
ace.ObjectType = "{AB721A53-1E2F-11D0-9819-00AA0040529B}"
ace.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
dacl.AddAce ace
Set ace = Nothing
'---------------------------------------------------------------------------------
' OBJECT: AdminSDHolder: Allow Certificate Admins to publish certificates to admins
'---------------------------------------------------------------------------------
' (OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA) (RAID 231740)
' OA: Access Allowed Object Ace Type
' Rights:
' RP: DS Read Property
' RW: DS Write Property
' Property: bf967a7f-0de6-11d0-a285-00aa003049e2: userCert
' CA: Certificate Server Administrators
Set ace = CreateObject("AccessControlEntry")
ace.Trustee = "Cert Publishers"
ace.AccessMask = ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_DS_WRITE_PROP
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
ace.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
ace.AceFlags = 0
ace.ObjectType = "{BF967A7F-0DE6-11D0-A285-00AA003049E2}"
dacl.AddAce ace
sd.DiscretionaryACL = dacl
sdHolder.Put "ntSecurityDescriptor", Array(sd)
sdHolder.SetInfo
if err <> 0 then
wscript.echo "Error setting AdminSDHolder ACEs, error code is " & err
else
wscript.echo "AdminSDHolder ACEs set"
end if
err = 0
Set ace = Nothing
'--------------------------------------------------------------------
' OBJECT: GPOUsers
'--------------------------------------------------------------------
Set gpo = dom.GetObject("container", "CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System")
Set sd = gpo.Get("ntSecurityDescriptor")
Set dacl = sd.DiscretionaryACL
' (A;;LCRPLORC;;;ED)
' A: Access Allowed Ace Type
' Rights:
' LC: DS List Children
' RP: DS Read Property
' LO: DS List Object
' RC: Read Control
' ED: Enterprise Domain Controllers
' Note: Has to be applied to two User GPOs:
' CN=User, CN={31B2F340-016D-11D2-945F-00C04FB984F9}, CN=Policies, CN=System, DC=<domain>, ...
' CN=User, CN= {6AC1786C-016F-11D2-945F-00C04fB984F9}, CN=Policies, CN=System, DC=<domain>, ...
Set ace = CreateObject("AccessControlEntry")
ace.Trustee = "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"
ace.AceFlags = 0
ace.AccessMask = ADS_RIGHT_READ_CONTROL or ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_ACTRL_DS_LIST or ADS_RIGHT_DS_LIST_OBJECT
dacl.AddAce ace
sd.DiscretionaryACL = dacl
gpo.Put "ntSecurityDescriptor", Array(sd)
gpo.SetInfo
if err <> 0 then
wscript.echo "Error setting ACE for Enterprise Domain Controllers on user domain policy, error code is " & err
else
wscript.echo "ACE for Enterprise Domain Controllers on user domain policy set"
end if
err = 0
Set ace = Nothing
Set gpo = dom.GetObject("container", "CN=User,CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System")
Set sd = gpo.Get("ntSecurityDescriptor")
Set dacl = sd.DiscretionaryACL
' (A;;LCRPLORC;;;ED)
' A: Access Allowed Ace Type
' Rights:
' LC: DS List Children
' RP: DS Read Property
' LO: DS List Object
' RC: Read Control
' ED: Enterprise Domain Controllers
' Note: Has to be applied to two User GPOs:
' CN=User, CN={31B2F340-016D-11D2-945F-00C04FB984F9}, CN=Policies, CN=System, DC=<domain>, ...
' CN=User, CN= {6AC1786C-016F-11D2-945F-00C04fB984F9}, CN=Policies, CN=System, DC=<domain>, ...
Set ace = CreateObject("AccessControlEntry")
ace.Trustee = "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"
ace.AceFlags = 0
ace.AccessMask = ADS_RIGHT_READ_CONTROL or ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_ACTRL_DS_LIST or ADS_RIGHT_DS_LIST_OBJECT
dacl.AddAce ace
sd.DiscretionaryACL = dacl
gpo.Put "ntSecurityDescriptor", Array(sd)
gpo.SetInfo
if err <> 0 then
wscript.echo "Error setting ACE for Enterprise Domain Controllers on user DC policy, error code is " & err
else
wscript.echo "ACE for Enterprise Domain Controllers on user DC policy set"
end if
err = 0
Set ace = Nothing
'--------------------------------------------------------------------
' OBJECT: GPOMachines
'--------------------------------------------------------------------
Set gpo = dom.GetObject("container", "CN=Machine,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System")
Set sd = gpo.Get("ntSecurityDescriptor")
Set dacl = sd.DiscretionaryACL
' (A;;LCRPLORC;;;ED)
' A: Access Allowed Ace Type
' Rights:
' LC: DS List Children
' RP: DS Read Property
' LO: DS List Object
' RC: Read Control
' ED: Enterprise Domain Controllers
' Note: Has to be applied to two machines GPOs:
' CN=Machine, CN={31B2F340-016D-11D2-945F-00C04FB984F9}, CN=Policies, CN=System, DC=<domain>, ...
' CN=Machine, CN= {6AC1786C-016F-11D2-945F-00C04fB984F9}, CN=Policies, CN=System, DC=<domain>, ...
Set ace = CreateObject("AccessControlEntry")
ace.Trustee = "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"
ace.AceFlags = 0
ace.AccessMask = ADS_RIGHT_READ_CONTROL or ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_ACTRL_DS_LIST or ADS_RIGHT_DS_LIST_OBJECT
dacl.AddAce ace
sd.DiscretionaryACL = dacl
gpo.Put "ntSecurityDescriptor", Array(sd)
gpo.SetInfo
if err <> 0 then
wscript.echo "Error setting ACE for Enterprise Domain Controllers on machine domain policy, error code is " & err
else
wscript.echo "ACE for Enterprise Domain Controllers on machine domain policy set"
end if
err = 0
Set ace = Nothing
Set gpo = dom.GetObject("container", "CN=Machine,CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System")
Set sd = gpo.Get("ntSecurityDescriptor")
Set dacl = sd.DiscretionaryACL
' (A;;LCRPLORC;;;ED)
' A: Access Allowed Ace Type
' Rights:
' LC: DS List Children
' RP: DS Read Property
' LO: DS List Object
' RC: Read Control
' ED: Enterprise Domain Controllers
' Note: Has to be applied to two machine GPOs:
' CN=Machine, CN={31B2F340-016D-11D2-945F-00C04FB984F9}, CN=Policies, CN=System, DC=<domain>, ...
' CN=Machine, CN= {6AC1786C-016F-11D2-945F-00C04fB984F9}, CN=Policies, CN=System, DC=<domain>, ...
Set ace = CreateObject("AccessControlEntry")
ace.Trustee = "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"
ace.AceFlags = 0
ace.AccessMask = ADS_RIGHT_READ_CONTROL or ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_ACTRL_DS_LIST or ADS_RIGHT_DS_LIST_OBJECT
dacl.AddAce ace
sd.DiscretionaryACL = dacl
gpo.Put "ntSecurityDescriptor", Array(sd)
gpo.SetInfo
if err <> 0 then
wscript.echo "Error setting ACE for Enterprise Domain Controllers on machine DC policy, error code is " & err
else
wscript.echo "ACE for Enterprise Domain Controllers on machine DC policy set"
end if
err = 0
Set ace = Nothing
End function ' Domain function
'==============================================================================
' Forest function
'==============================================================================
Function Forest ( domain )
On error resume next
if domain = "" then
Set RootDSE = GetObject("LDAP://RootDSE")
else
Set RootDSE = GetObject("LDAP://" & domain & "/RootDSE" )
if err <> 0 then
wscript.echo "Error: Unable to bind to domain " & domain & " , Error is: " & err
wscript.quit
end if
end if
'============================================
' OBJECT: Site
'=============================================
' (A;OI;LCRPLORC;;bf967ab3-0de6-11d0-a285-00aa003049e2;ED)
' A: Access Allowed Ace Type
' OI: Flag: Object Inheritance
' Rights:
' LC: DS List Children
' RP: DS Read Property
' LO: DS List Object
' RC: Read Control
' bf967ab3-0de6-11d0-a285-00aa003049e2: Schema GUID for sites
' ED: Enterprise Domain Controllers
Set cfg = GetObject("LDAP://" & RootDSE.Get("configurationNamingContext"))
if err <> 0 then
wscript.echo "Error binding to configuration naming context, error is " & err
wscript.quit
end if
Set site = cfg.GetObject("sitesContainer", "CN=Sites")
if err <> 0 then
wscript.echo "Error binding to sites container, error is " & err
wscript.quit
end if
Set sd = site.Get("ntSecurityDescriptor")
if err <> 0 then
wscript.echo "Error getting security descriptor on sites container, error is " & err
wscript.quit
end if
Set dacl = sd.DiscretionaryACL
Set ace = CreateObject("AccessControlEntry")
ace.Trustee = "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS"
ace.AccessMask = ADS_RIGHT_READ_CONTROL or ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_ACTRL_DS_LIST or ADS_RIGHT_DS_LIST_OBJECT
ace.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
ace.AceFlags = ADS_ACEFLAG_INHERIT_ACE or ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE or ADS_ACEFLAG_INHERIT_ONLY_ACE
ace.Flags = ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
ace.InheritedObjectType = "{bf967ab3-0de6-11d0-a285-00aa003049e2}"
dacl.AddAce ace
sd.DiscretionaryACL = dacl
site.Put "ntSecurityDescriptor", Array(sd)
site.SetInfo
if err <> 0 then
wscript.echo "Error setting inherited ACE for Enterprise Domain Controllers on Sites container, error code is " & err
else
wscript.echo "Inherited ACE for Enterprise Domain Controllers on Sites container set"
end if
Set ace = Nothing
err = 0
End function