How to programmatically apply access permissions for Windows Server 2003 built-in groups in the Active Directory directory service (331947)



The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition

This article was previously published under Q331947

INTRODUCTION

Microsoft Windows Server 2003 introduced several built-in groups to simplify administration of access permissions when the domain is in high-security mode.

By default, the built-in groups have the correct access permissions to the appropriate objects in a new installation of a Windows Server 2003 domain. However, in mixed-mode domains and in upgraded domains, some access permissions that were set earlier may not be updated. This issue occurs when a Windows Server 2003 domain controller is added to a Windows 2000 domain. It also occurs when a Windows 2000 domain is upgraded to a Windows Server 2003 domain.

MORE INFORMATION

The following script demonstrates how to grant read access to the Token-Groups-Global-And-Universal (TGGAU) attribute to "BUILTIN\Windows Authentication Access Group" on a given directory object.

Visual Basic Script Code (Modifyacl.vbs)

On Error Resume Next

Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACEFLAG_INHERIT_ACE = &H2
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
' Schema GUID of the Token-Groups-Global-And-Universal attribute
Const TOKEN_GROUPS_PROPERTY_GUID = "{46a9b11d-60ae-405a-b7e8-ff8a58d456d2}"
' Well-known SID of BUILTIN\Windows Authentication Access Group
Const WINDOWS_AUTH_ACCESS_SID = "S-1-5-32-560"

Set oArgs = WScript.Arguments
If oArgs.Count <> 1 Then
   WScript.Echo "Usage: modifyacl.vbs <DN of the object to modify>"
   WScript.Echo "Ex:    modifyacl.vbs OU=test,DC=domain,DC=com"
   WScript.Quit(1)
End If

WScript.Echo "Trying to bind to the object " & oArgs(0)
Set oTarget = GetObject("LDAP://" & oArgs(0))

' Because of On Error Resume Next, each ADSI call is checked explicitly and
' the script stops at the first failure instead of cascading errors.
If Err.Number <> 0 Then
   WScript.Echo "Error 0x" & CStr(Hex(Err.Number)) & " occurred trying to bind to the object"
   WScript.Quit(1)
End If

WScript.Echo "Reading security descriptor"
Set oSD = oTarget.Get("ntSecurityDescriptor")
Set oACL = oSD.DiscretionaryAcl

If Err.Number <> 0 Then
   WScript.Echo "Error 0x" & CStr(Hex(Err.Number)) & " occurred reading the security descriptor"
   WScript.Quit(1)
End If

WScript.Echo "Creating new ACE and setting properties"
Set oACE = CreateObject("AccessControlEntry")

If Err.Number <> 0 Then
   WScript.Echo "Error 0x" & CStr(Hex(Err.Number)) & " occurred creating new ACE"
   WScript.Quit(1)
End If

' Right to read properties; scoped below to a single property
oACE.AccessMask = ADS_RIGHT_DS_READ_PROP
' Object-specific "allow" ACE, so the right can be limited to one property
oACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
' Child objects inherit this access-control entry
oACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
' ObjectType carries the GUID of the property the ACE applies to:
' Token-Groups-Global-And-Universal
oACE.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
oACE.ObjectType = TOKEN_GROUPS_PROPERTY_GUID
' Trustee that receives the right: BUILTIN\Windows Authentication Access Group
oACE.Trustee = WINDOWS_AUTH_ACCESS_SID

WScript.Echo "Applying the modified security descriptor to the object"
oACL.AddAce oACE
oSD.DiscretionaryAcl = oACL
oTarget.Put "ntSecurityDescriptor", oSD
oTarget.SetInfo

If Err.Number <> 0 Then
   WScript.Echo "Error 0x" & CStr(Hex(Err.Number)) & " occurred applying modified security descriptor to the object"
   WScript.Quit(1)
Else
   WScript.Echo "Done!"
End If
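The VBScript above adds the ACE unconditionally, so running it twice leaves two identical entries in the DACL, and it gives no way to confirm afterwards that the right is in place. The following PowerShell script is an added example, not part of KB 331947 and not Microsoft's code: it reports whether an equivalent ACE (Allow, ReadProperty, object type = TGGAU, trustee S-1-5-32-560, applied to the object and its descendants) already exists on the object's DACL and adds it only when missing and only when run with -Apply. It assumes the ActiveDirectory PowerShell module, which provides the AD: drive used by Get-Acl and Set-Acl; the parameter names DistinguishedName and Apply are this example's own.

```powershell
# Added example (not from KB 331947): verify, and optionally add, the TGGAU read ACE
# for BUILTIN\Windows Authentication Access Group on one directory object.
param(
    [Parameter(Mandatory = $true)]
    [string]$DistinguishedName,   # e.g. OU=test,DC=domain,DC=com
    [switch]$Apply                # without -Apply the script only reports
)

Import-Module ActiveDirectory -ErrorAction Stop

# Same values the VBScript uses
$tggauGuid = [Guid]'46a9b11d-60ae-405a-b7e8-ff8a58d456d2'     # Token-Groups-Global-And-Universal
$trustee   = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-560'

$path = "AD:\$DistinguishedName"
$acl  = Get-Acl -Path $path

# Look for an explicit (not inherited) Allow ACE that grants ReadProperty on the
# TGGAU attribute to the trustee SID. IdentityReference usually comes back as an
# NTAccount, so translate it to a SID before comparing.
$existing = @($acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
    $_.ObjectType -eq $tggauGuid -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0) -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $trustee.Value
})

if ($existing.Count -gt 0) {
    Write-Output "ACE already present on $DistinguishedName (inheritance: $($existing[0].InheritanceType), count: $($existing.Count))"
    return
}

Write-Output "ACE missing on $DistinguishedName"
if (-not $Apply) {
    Write-Output "Run again with -Apply to add it."
    return
}

# Equivalent of the VBScript ACE: Allow + ReadProperty, object type = TGGAU,
# CONTAINER_INHERIT (this object and all descendants) -> ActiveDirectorySecurityInheritance::All
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $trustee,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $tggauGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl
Write-Output "ACE added to $DistinguishedName."
```

Run it first without -Apply against the same DN you would pass to modifyacl.vbs; the report-only path needs read access to ntSecurityDescriptor, while -Apply needs WRITE_DAC on the object, the same right the VBScript's SetInfo call requires.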

REFERENCES

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

331951 Some applications and APIs require access to authorization information on account objects


Modification Type: Major
Last Reviewed: 12/15/2004
Keywords: kbinfo kbProgramming kbScript kbhowto KB331947 kbAudITPRO kbAudDeveloper