
Finding users who are not Inheriting Rights


Got a request from a support company: they had found multiple users who are not inheriting rights from above. The affected users are random, and they wanted a quick way to find (and therefore fix) them. Screenshot below of the checkbox that has mysteriously become "unchecked" on these users:

[Screenshot VBScript0.jpeg: the "allow inheritable permissions" checkbox on the user object's security settings]

So I created a little script that will check users to see if they are set to inherit or not.

First, create a new folder. Get a list of all users in your AD (or a specific OU) into a file called objects.txt by doing the following:

[Screenshot VBScript1.jpeg: command prompt listing the user objects into objects.txt]

Now, create a VBScript file with the following content:

' This code will output all users who are currently NOT inheriting
' security from above.
' Written by Stephen Croft and Chris Stos-Gale from ANS

Option Explicit
Dim strTextFile, objFSO, objTextFile, strObject, objObject, objNtSD, intNtSDControl

' SE_DACL_PROTECTED (&H1000) is the bit in the security descriptor control
' word that blocks inheritance. The original compared the whole control word
' against 39940 (&H9C04), which contains this bit but also several others;
' testing the bit on its own catches every variant.
Const SE_DACL_PROTECTED = &H1000

strTextFile = "objects.txt"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile(strTextFile, 1, False, 0)

Do Until objTextFile.AtEndOfStream
    strObject = objTextFile.ReadLine
    ' each line in objects.txt is a DN wrapped in double quotes; strip them
    strObject = Mid(strObject, 2, Len(strObject) - 2)
    Set objObject = GetObject("LDAP://" & strObject)
    Set objNtSD = objObject.Get("nTSecurityDescriptor")
    intNtSDControl = objNtSD.Control
    If (intNtSDControl And SE_DACL_PROTECTED) <> 0 Then
        ' tab-separated so the output file imports cleanly into Excel
        WScript.Echo strObject & vbTab & "Needs Changing"
    End If
Loop

Save it in the same folder as the objects.txt file that the first part created.

Now, back to the command prompt for the following:

[Screenshot VBScript2.jpeg: command prompt running test.vbs and redirecting its output to test.txt]

Where test.vbs is the VBS file you created (obviously).

This will create an output text file (test.txt in this case) that is tab separated (for Excel import), listing all users who are NOT inheriting rights from above.

To change them so that they inherit again, either pick through the list manually, or edit the VBS script slightly as per below:

' This code will re-enable inheritance on all users who are currently
' NOT inheriting security from above.
' Written by Stephen Croft

Option Explicit
Dim strTextFile, objFSO, objTextFile, strObject, objObject, objNtSD, intNtSDControl

' SE_DACL_PROTECTED (&H1000): clear this bit to enable inheritance
Const SE_DACL_PROTECTED = &H1000

strTextFile = "objects.txt"
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile(strTextFile, 1, False, 0)

Do Until objTextFile.AtEndOfStream
    strObject = objTextFile.ReadLine
    ' each line in objects.txt is a DN wrapped in double quotes; strip them
    strObject = Mid(strObject, 2, Len(strObject) - 2)
    Set objObject = GetObject("LDAP://" & strObject)
    Set objNtSD = objObject.Get("nTSecurityDescriptor")
    intNtSDControl = objNtSD.Control
    If (intNtSDControl And SE_DACL_PROTECTED) <> 0 Then
        ' Clear only the protected bit. The original did "And 0", which wipes
        ' every control flag (SE_DACL_PRESENT included), not just this one.
        intNtSDControl = intNtSDControl And (Not SE_DACL_PROTECTED)
        objNtSD.Control = intNtSDControl
        objObject.Put "nTSecurityDescriptor", objNtSD
        objObject.SetInfo
    End If
Loop
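The same check and repair in PowerShell, as an added example that is not the post's script. It reads the control word straight out of the binary security descriptor so you can see the SE_DACL_PROTECTED bit (0x1000) rather than matching the whole word against 39940, writes the same tab-separated report, and only touches an object when you pass -Repair (and honours -WhatIf). It also reports adminCount: accounts with adminCount=1 are members (or ex-members) of protected groups, and the AdminSDHolder/SDProp process re-stamps their ACL and re-sets the protected flag roughly every hour, which is the usual reason "random" users show up with the checkbox cleared, and ticking it back on for those accounts does not last. Assumptions: the ActiveDirectory module (RSAT) is installed, you have rights to read and, with -Repair, write nTSecurityDescriptor, and $SearchBase is a placeholder you replace with your own OU.

```powershell
<#
  Added example (not the post's script): find, and optionally repair, users whose
  nTSecurityDescriptor has SE_DACL_PROTECTED set. $SearchBase is a placeholder.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SearchBase = "OU=PLACEHOLDER,DC=example,DC=com",   # placeholder, not from the post
    [string]$OutFile    = "notinheriting.txt",
    [switch]$Repair
)

Import-Module ActiveDirectory

# Bit 0x1000 of the security descriptor control word is SE_DACL_PROTECTED.
# The post's 39940 (0x9C04) is just one control word that happens to contain it.
$SE_DACL_PROTECTED = 0x1000

$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor, adminCount

$report = foreach ($u in $users) {
    $sd = $u.nTSecurityDescriptor      # System.DirectoryServices.ActiveDirectorySecurity

    # Control word = bytes 2-3 (little-endian) of the self-relative descriptor
    $control   = [BitConverter]::ToUInt16($sd.GetSecurityDescriptorBinaryForm(), 2)
    $protected = ($control -band $SE_DACL_PROTECTED) -ne 0

    if (-not $protected) { continue }

    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        Control           = ('0x{0:X4}' -f $control)
        AdminCount        = $u.adminCount   # 1 => stamped by AdminSDHolder/SDProp
    }

    if ($Repair) {
        if ($u.adminCount -eq 1) {
            Write-Warning "$($u.SamAccountName): adminCount=1, SDProp will re-protect it; skipping"
            continue
        }
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Re-enable permission inheritance')) {
            # Clear only the protected flag; explicit ACEs on the object are kept.
            # (The second argument is only consulted when protecting, so it is ignored here.)
            $sd.SetAccessRuleProtection($false, $true)
            Set-ADObject -Identity $u.DistinguishedName -Replace @{ nTSecurityDescriptor = $sd }
        }
    }
}

# Tab-separated like the post's output, so it drops straight into Excel
$report | Export-Csv -Path $OutFile -Delimiter "`t" -NoTypeInformation
$report | Format-Table -AutoSize
```

Run it once without -Repair to get the report, then with `-Repair -WhatIf` to see exactly which objects would be changed before committing. For anything that comes back with adminCount=1, fix the group membership (or accept that the account is meant to be protected) instead of fighting SDProp.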

Obviously be careful with this, and don’t hold me responsible if it breaks anything!!!
