How To Find Extended Rights that Apply to a Schema Class Object Using Visual Basic Script (302514)
The information in this article applies to:
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Active Directory Services Interface, System Component
This article was previously published under Q302514
SUMMARY
The purpose of this article is to provide a method that employs Visual Basic Script to list all of the extended rights (controlAccessRight objects) whose AppliesTo attribute matches a given SchemaIDGUID of a specified SchemaClass object. The sample in this article provides command line help that demonstrates how to search for all extended rights that apply to the User class.
MORE INFORMATION
Visual Basic Script does not provide a simple method for working with a variant array of bytes, so a method to transform the binary GUID into a string GUID suitable for an LDAP query was needed. The Array Converter sample exposes a method that can convert binary data into its hex string equivalent. This Visual Basic Script takes advantage of this capability and then reorders the hex string into a form that can be used in an LDAP query to search for the matching appliesTo properties.
This conversion takes place in the FlipOctetGuidToTextGuid function provided in the "Visual Basic Script Code" section of this article.
The code follows a very simple algorithm:
- Use the RootDSE object to obtain information about the defaultNamingContext, schemaNamingContext, and configurationNamingContext.
- Bind to the specified schema object and retrieve the schemaIDGUID property.
- Convert the schemaIDGUID into a string and manipulate the bytes.
- Perform an LDAP dialect query on the extended rights container by searching for the appliesTo property that matches the given schemaIDGUID.
- Display the results.
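The two steps that carry the real logic, the byte reordering of the schemaIDGUID and the appliesTo query, are easy to get wrong silently: a GUID flipped in the wrong places is still a well-formed GUID string, and the LDAP query simply returns nothing. The following Python example is added here and is not code from the KB article or from Microsoft; it re-implements the FlipOctetGuidToTextGuid reordering and the FindRightsGuidsFromSchemaIDGuid match over a constructed in-memory stand-in for the Extended-Rights container, and cross-checks the reordering against the standard library's own little-endian GUID decoding. The User and Computer class GUIDs and the two password rights are well-known values; the third record, the "DC=example,DC=local" naming context and the "LDAPServer" name are constructed for the example.

```python
import uuid

# Well-known schemaIDGUID of the User class in the dashed text form that AD
# stores in appliesTo; bytes_le is the 16-octet form schemaIDGUID returns.
USER_CLASS_GUID_TEXT = "bf967aba-0de6-11d0-a285-00aa003049e2"
USER_CLASS_SCHEMA_ID_GUID = uuid.UUID(USER_CLASS_GUID_TEXT).bytes_le
COMPUTER_CLASS_GUID_TEXT = "bf967a86-0de6-11d0-a285-00aa003049e2"


def flip_octet_guid_to_text_guid(octets):
    """Same algorithm as the article's FlipOctetGuidToTextGuid: hex-encode the
    octet string, swap the byte order of Data1 (4 bytes), Data2 (2) and Data3
    (2), which AD stores little-endian, keep Data4 (8) as-is, then add dashes."""
    if len(octets) != 16:
        raise ValueError("a GUID octet string is exactly 16 bytes, got %d" % len(octets))
    hexstr = octets.hex()                              # like CvOctetStr2vHexStr: 32 hex digits
    p = [hexstr[i:i + 2] for i in range(0, 32, 2)]     # one entry per byte
    reordered = (p[3] + p[2] + p[1] + p[0]             # Data1: Mid positions 7,5,3,1 in the VBS
                 + p[5] + p[4]                         # Data2: positions 11,9
                 + p[7] + p[6]                         # Data3: positions 15,13
                 + "".join(p[8:]))                     # Data4: remaining 8 bytes unchanged
    return "-".join((reordered[0:8], reordered[8:12], reordered[12:16],
                     reordered[16:20], reordered[20:32]))


def text_guid_via_uuid(octets):
    """Independent check: the standard library knows the same little-endian layout."""
    return str(uuid.UUID(bytes_le=octets))


def build_applies_to_query(ldap_server, default_naming_context, applies_to_guid):
    """The ADO LDAP-dialect command string the article's script executes:
    <base>;(filter);attributes;scope."""
    base = "LDAP://%s/CN=Extended-Rights,CN=Configuration,%s" % (ldap_server, default_naming_context)
    return "<%s>;(appliesTo=%s);RightsGuid,cn,displayname;subtree" % (base, applies_to_guid)


# Constructed stand-in for the Extended-Rights container. The first two records
# carry the well-known cn and rightsGuid of those rights, with appliesTo trimmed
# to the User and Computer classes; the third record is entirely made up so the
# filter has something to reject.
SAMPLE_EXTENDED_RIGHTS = [
    {"cn": "User-Change-Password", "displayName": "Change Password",
     "rightsGuid": "ab721a53-1e2f-11d0-9819-00aa0040529b",
     "appliesTo": [USER_CLASS_GUID_TEXT, COMPUTER_CLASS_GUID_TEXT]},
    {"cn": "User-Force-Change-Password", "displayName": "Reset Password",
     "rightsGuid": "00299570-246d-11d0-a768-00aa006e0529",
     "appliesTo": [USER_CLASS_GUID_TEXT, COMPUTER_CLASS_GUID_TEXT]},
    {"cn": "Example-Right-Not-For-Users", "displayName": "Constructed placeholder",
     "rightsGuid": "11111111-1111-1111-1111-111111111111",    # placeholder, not a real right
     "appliesTo": ["22222222-2222-2222-2222-222222222222"]},  # placeholder class GUID
]


def find_rights_guids_from_schema_id_guid(applies_to_guid, rights=SAMPLE_EXTENDED_RIGHTS):
    """Mirror of FindRightsGuidsFromSchemaIDGuid evaluated against the in-memory
    sample instead of ADO: returns 'cn "displayName"' for each matching object, in
    container order. appliesTo is a case-insensitive string attribute in AD, so an
    upper-case hex conversion still matches; compare lower-cased here as well."""
    wanted = applies_to_guid.lower()
    return ['%s "%s"' % (r["cn"], r["displayName"])
            for r in rights
            if wanted in [g.lower() for g in r["appliesTo"]]]


if __name__ == "__main__":
    guid = flip_octet_guid_to_text_guid(USER_CLASS_SCHEMA_ID_GUID)
    assert guid == text_guid_via_uuid(USER_CLASS_SCHEMA_ID_GUID)
    print(build_applies_to_query("LDAPServer", "DC=example,DC=local", guid))
    for line in find_rights_guids_from_schema_id_guid(guid):
        print(line)
```

The cross-check against uuid.UUID(bytes_le=...) is the part worth keeping in any port of this script: if the manual reordering ever drifts (for example, a copy-paste error in the Mid offsets), the two text forms disagree immediately instead of the query quietly returning an empty result set.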
Visual Basic Script Code
Const ADSI_PROVIDER = "ADSDSOObject"
Const ADSI_PROV_NAME = "Active Directory Provider"
'<<<<<<<<<<<<<<<<<<<<<< MAIN VBS>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
'
'Requires that ADSEncoder.DLL and ADS.DLL be registered in order for this
' script to execute. ADSEncoder provides a set of interfaces that
' can be used to binary encode the guid string for use in an LDAP query.
'
' ADs.DLL provides some useful string conversion utilities.
'
Dim RootDSEStr
Dim oEncoder
Dim oConverter
Dim objpath
Dim oSchemaObj
Dim oRootDSE
Dim flipstring
Dim rightsguids()
'
' Validate the arguments
' See the DisplayUsage subroutine for details on calling args
'
set args = Wscript.Arguments
if( args.Count < 4 ) then
WScript.Echo "Error: Wrong Number of arguments"
call DisplayUsage( )
WScript.quit 0
end if
'
userID = args(1)
Password = args(2)
ldpServer = args(3)
'
' Bind to the rootDSE object for the domain to obtain
' The Default Naming Context
' and
' The Schema Naming Context to build the ADsPath for
' the SchemaClass object
'
Set oRootDSE = GetObject("LDAP://RootDSE")
objpath = "LDAP://cn=" & args(0) & "," & oRootDSE.Get("SchemaNamingContext")
Wscript.Echo "Binding to: " & vbCrLf & objPath
Set oSchemaObj = GetObject(objpath)
RootDSEStr = oRootDSE.Get("DefaultNamingContext")
'
' Retrieve the SchemaIDGuid and convert it to a form
' that can be used in an LDAP query.
' Flip the binary GUID around so we can work with it...
'
flipstring = FlipOctetGuidToTextGuid(oSchemaObj.Get("SchemaIDGUID"))
'
' Find all of the controlAccessRights objects whose AppliesTo attribute
' contains the specified guid and return an array of strings that contain
' the RightsGuid field of each object found that meets the match
'
FindRightsGuidsFromSchemaIDGuid flipstring, rightsguids, userID, Password, ldpServer
'
' Display the results
'
WScript.Echo "AccessControlRight Objects ( Extended Rights or Property Sets) Found: "
For i = LBound(rightsguids) To UBound(rightsguids)
WScript.Echo rightsguids(i)
Next
'
'<<<<<<<<<<<<<<<<<<<<<<< END MAIN VBS >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
'
Function FlipOctetGuidToTextGuid(octet )
Dim cnv
Dim rByte()
Dim guidByte()
'
' Due to a limitation in VBS, we need to convert
' the variant array of bytes into its string counter part.
' Then we must flip the bytes around to get them into the
' proper order and format the string to match
' the GUID string in the AppliesTo attribute of an AccessControlRight
' object
'
set cnv = CreateObject("ADs.ArrayConvert")
tmpGuid = cnv.CvOctetStr2vHexStr(octet)
octetStr = Mid(tmpGuid, 7, 2) ' Data1: byte 3
octetStr = octetStr + Mid(tmpGuid, 5, 2) ' Data1: byte 2
octetStr = octetStr + Mid(tmpGuid, 3, 2) ' Data1: byte 1
octetStr = octetStr + Mid(tmpGuid, 1, 2) ' Data1: byte 0
octetStr = octetStr + Mid(tmpGuid, 11, 2) ' Data2: byte 5
octetStr = octetStr + Mid(tmpGuid, 9, 2) ' Data2: byte 4
octetStr = octetStr + Mid(tmpGuid, 15, 2) ' Data3: byte 7
octetStr = octetStr + Mid(tmpGuid, 13, 2) ' Data3: byte 6
'
' The remaining segments are the same...
'
octetStr = octetStr + Mid(tmpGuid, 17, Len(tmpGuid))
'
' Add the '-'s
'
' Segment lengths of a text GUID are 8-4-4-4-12 hex digits
guidStr = Mid(octetStr, 1, 8) & "-" & Mid(octetStr, 9, 4) & "-" & Mid(octetStr, 13, 4) & "-" & Mid(octetStr, 17, 4) & "-" & Mid(octetStr, 21, 12)
'
' Return the GUID in the form that it can be used in an LDAP
' query to find matching AppliesTo GUIDs in the Extended-Rights container
'
FlipOctetGuidToTextGuid = guidStr
End Function
'
' FindRightsGuidFromSchemaIDGuid uses the ADSI ADO provider
' to perform an LDAP dialect query against the Extended-Rights container,
' Searching for all of the AccessControlRight objects whose AppliesTo property contains
' the specified GUID in AppliesToGuid parameter.
'
' The subroutine returns an array of strings containing the Common Name and
' LDAP Display Name for each AccessControlRight object found.
'
'
Sub FindRightsGuidsFromSchemaIDGuid(appliesToGuid, RetGuids, userid, password, ldpserver)
Dim strQuery
Dim varName
Dim lErrorNumber
Dim strTotal
Dim cmd
Dim lcnt
Dim tmp
Dim m_pConn
Dim m_recordSet
Dim rCount
Dim tmpStr
Set cmd = CreateObject("ADODB.Command")
Set m_pConn = CreateObject("ADODB.Connection")
m_pConn.Provider = ADSI_PROVIDER
m_pConn.Properties("Encrypt Password") = False
m_pConn.Properties("User ID") = userid
m_pConn.Properties("Password") = password
'
' Open the connection through the ADSI OLE DB provider
'
m_pConn.Open ADSI_PROV_NAME
Set cmd.ActiveConnection = m_pConn
strQuery = "<LDAP://" & ldpserver & "/CN=Extended-Rights,CN=Configuration," & RootDSEStr & ">;(appliesTo=" & appliesToGuid & ");RightsGuid,cn,displayname;subtree"
cmd.CommandText = strQuery
cmd.Properties("Page Size") = 10
Set m_recordSet = cmd.Execute
rCount = 0
While (Not m_recordSet.EOF)
rCount = rCount + 1
ReDim Preserve RetGuids(rCount)
tmpStr = m_recordSet.Fields("cn") & " " & Chr(34) & m_recordSet.Fields("displayName") & Chr(34)
RetGuids(rCount - 1) = tmpStr
m_recordSet.MoveNext
Wend
' Trim the array to the number of objects found. When nothing matched,
' rCount - 1 is -1, which VBScript accepts as an empty array, so the
' caller's For loop simply does not execute.
ReDim Preserve RetGuids(rCount - 1)
End Sub
'
' DisplayUsage provides limited help information for the script.
'
'
Sub DisplayUsage ( )
'
' This VBS requires 4 arguments in the following order:
' 1. CN of the SchemaClass object, without the "CN=" prefix
' 2. UserID use for credentials for the ADO query
' 3. Password for the UserID
' 4. NetBios form of the LDAP server to target
'
' ie: props user "Domain\User" "Password" MyServer
'
' Will try to display all of the AccessControlRight objects whose
' AppliesTo property matches the SchemaIDGuid of the schemaClass object
' user using the credentials of Domain\User to bind,
' to query the LDAP server myServer
'
' 1--------0---------2---------3---------4---------5---------6---------7--------*"
WScript.Echo "appliesto.VBS ->"
WScript.Echo "Displays a list of AccessControlRight objects whose AppliesTo property"
WScript.Echo "Matches the SchemaIDGUID property of the provided SchemaClass object"
WScript.Echo
WScript.Echo "USAGE: Props Schema_Class_Object UserID Password LDAP_Server"
WScript.Echo "WHERE:"
WScript.Echo " Schema_Class_Object - CN of SchemaClass object to find AccessControlRight objects"
WScript.Echo " UserID - User credentials to use for the ADO query"
WScript.Echo " Password - Password for UserID"
WScript.Echo " LDAP_Server - can be the NetBIOS or DNS name for the LDAP server to"
WScript.Echo " target for the LDAP ADO query" & vbCrLf
WScript.Echo " Example: To list Extended Rights associated with user class object"
WScript.Echo " using the credentials for MyDomain\JoeB against the AD server"
WScript.Echo " LDAPServer the command line would be:"
WScript.Echo "props user MyDomain\JoeB PWD_for_JoeB LDAPServer"
WScript.Echo "<--------------------IMPORTANT NOTE :-------------------->"
WScript.Echo " ADsEncoder.Dll and ADS.DLL must be registered using RegSvr32 in order for"
WScript.Echo " this script to execute successfully"
end Sub
REFERENCES
For additional information on ADS.dll and ArrayConvert.exe, click the article number below to view the article in the Microsoft Knowledge Base:
250344 SAMPLE: ARRAYCONVERT.EXE Variant Conversion Functions
For more information on controlAccessRight objects, see the following MSDN Library topics:
The ADsEncoder.dll is part of the ADSI resource kit that is found in the Platform SDK. The Platform SDK can be downloaded from the Platform SDK Update Center:
Modification Type: Minor
Last Reviewed: 7/1/2004
Keywords: kbDSWADSI2003Swept kbhowto KB302514 kbAudDeveloper