Microsoft KB Archive/302514

= How to find extended rights that apply to a schema class object by using Visual Basic Script =

Article ID: 302514

Article Last Modified on 4/30/2007

-

APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Active Directory Service Interfaces 2.5

-



This article was previously published under Q302514



SUMMARY
This article provides a Visual Basic Script method to list all of the extended rights (controlAccessRight objects in the Extended-Rights container of the configuration naming context) whose appliesTo attribute matches the schemaIDGUID of a specified schema class object. These are the rights, such as password reset or property sets, that an access control entry can grant or deny on objects of that class by referencing the rightsGuid of the controlAccessRight object. The sample in this article provides command-line help and demonstrates how to search for all extended rights that apply to the user class.



MORE INFORMATION
The schemaIDGUID attribute is stored as an octet string (a 16-byte binary GUID, with its first three fields in little-endian byte order), whereas the appliesTo attribute of a controlAccessRight object holds the GUID as a text string. Visual Basic Script does not provide a simple method for working with a variant array of bytes, so a method to transform the binary GUID into a string GUID suitable for an LDAP query was needed. The Array Converter sample (ADs.DLL) exposes a method that converts binary data into its hex string equivalent. This Visual Basic Script takes advantage of that capability and then reorders the hex string into the form used by the appliesTo property, so that the matching objects can be located with an LDAP query.

This conversion takes place in the FlipOctetGuidToTextGuid function provided in the "Visual Basic Script Code" section of this article.

The code follows a very simple algorithm:
 * 1) Use the RootDSE object to obtain the defaultNamingContext, schemaNamingContext, and configurationNamingContext.
 * 2) Bind to the specified schema class object (under the schemaNamingContext) and retrieve its schemaIDGUID property.
 * 3) Convert the schemaIDGUID into a hex string and reorder the bytes of its first three fields into the textual GUID form.
 * 4) Perform an LDAP dialect query against the Extended-Rights container (cn=Extended-Rights under the configurationNamingContext), searching for controlAccessRight objects whose appliesTo property matches the converted schemaIDGUID.
 * 5) Display the results.

Note that the sample takes the bind password as a command-line argument, which exposes it to process listings and command history. If the User ID and Password properties of the ADO connection are left unset, the ADSI OLE DB provider binds with the security context of the user running the script, which is usually preferable for a read-only query such as this one.
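The conversion in steps 3 and 4, shown here in Python as an added example that is not part of the KB article's VBScript. The byte reordering mirrors the article's FlipOctetGuidToTextGuid function and is cross-checked against the standard library's uuid.UUID(bytes_le=...), which performs the same little-endian reordering. It also goes one step beyond the article by building the reverse-direction filter (matching a binary attribute such as schemaIDGUID against a known GUID), which needs RFC 4515 byte escaping that the text-GUID query does not. The GUID value used is the well-known schemaIDGUID of the user class; the server name, naming context and attribute names are constructed placeholders.

```python
# Added example (not the KB article's VBScript): schemaIDGUID -> appliesTo
# conversion in Python, cross-checked against uuid.UUID. Server name and
# naming context below are constructed placeholders; the user class GUID
# is its well-known schemaIDGUID value.
import uuid


def hex_string_from_octets(octets: bytes) -> str:
    """Equivalent of ADs.ArrayConvert.CvOctetStr2vHexStr: two hex digits per byte, no separators."""
    if len(octets) != 16:
        raise ValueError(f"a GUID is 16 bytes, got {len(octets)}")
    return octets.hex()


def flip_octet_guid_to_text_guid(octets: bytes) -> str:
    """Same reordering as the article's FlipOctetGuidToTextGuid.

    The first three GUID fields (4, 2 and 2 bytes) are stored little-endian in
    the octet string, so each of them is reversed; the last 8 bytes stay as-is.
    VBScript Mid(s, pos, n) is 1-based, so Mid(h, 7, 2) corresponds to h[6:8].
    """
    h = hex_string_from_octets(octets)
    data1 = h[6:8] + h[4:6] + h[2:4] + h[0:2]  # bytes 3,2,1,0
    data2 = h[10:12] + h[8:10]                  # bytes 5,4
    data3 = h[14:16] + h[12:14]                 # bytes 7,6
    data4 = h[16:]                              # bytes 8..15 unchanged
    s = data1 + data2 + data3 + data4
    return f"{s[0:8]}-{s[8:12]}-{s[12:16]}-{s[16:20]}-{s[20:32]}"


def octets_from_text_guid(text_guid: str) -> bytes:
    """Inverse conversion: the textual GUID back to the 16-byte octet string AD stores."""
    return uuid.UUID(text_guid).bytes_le


def ldap_dialect_query(server: str, config_nc: str, text_guid: str) -> str:
    """ADSI LDAP-dialect command string: <base>;(filter);attributes;scope.

    The GUID string contains only hex digits and hyphens, so it needs no
    RFC 4515 escaping when used as the appliesTo filter value.
    """
    base = f"LDAP://{server}/CN=Extended-Rights,{config_nc}"
    return f"<{base}>;(appliesTo={text_guid});rightsGuid,cn,displayName;subtree"


def binary_guid_filter(attribute: str, octets: bytes) -> str:
    """Filter for the reverse lookup (which schema object owns a given GUID).

    A binary-syntax attribute such as schemaIDGUID is matched on its raw
    bytes, so every byte is escaped as \\xx (RFC 4515), in stored byte order.
    """
    if len(octets) != 16:
        raise ValueError(f"a GUID is 16 bytes, got {len(octets)}")
    escaped = "".join(f"\\{b:02x}" for b in octets)
    return f"({attribute}={escaped})"


# Constructed sample input: the well-known schemaIDGUID of the user class,
# in textual form and in the octet form returned by Get("schemaIDGUID").
USER_CLASS_GUID_TEXT = "bf967aba-0de6-11d0-a285-00aa003049e2"
USER_CLASS_GUID_OCTETS = bytes.fromhex("ba7a96bfe60dd011a28500aa003049e2")


def cross_check(octets: bytes) -> bool:
    """uuid.UUID(bytes_le=...) performs the same little-endian reordering."""
    return flip_octet_guid_to_text_guid(octets) == str(uuid.UUID(bytes_le=octets))


if __name__ == "__main__":
    guid = flip_octet_guid_to_text_guid(USER_CLASS_GUID_OCTETS)
    print("appliesTo value:", guid, "cross-check:", cross_check(USER_CLASS_GUID_OCTETS))
    print(ldap_dialect_query("dc1.example.com", "CN=Configuration,DC=example,DC=com", guid))
    print(binary_guid_filter("schemaIDGUID", USER_CLASS_GUID_OCTETS))
```

The appliesTo comparison is a case-insensitive string match, so the case of the hex digits does not matter; the length check matters more, because a truncated or padded octet string would silently produce a GUID that matches nothing.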

Visual Basic Script code
Const ADSI_PROVIDER = "ADSDSOObject"
Const ADSI_PROV_NAME = "Active Directory Provider"

'<<<<<<<<<<<<<<<<<<<<<< MAIN VBS >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
'
' Requires that ADsEncoder.DLL and ADs.DLL be registered in order for this
' script to execute. ADsEncoder provides a set of interfaces that can be
' used to binary-encode a GUID string for use in an LDAP query.
'
' ADs.DLL (the Array Converter sample) provides the ADs.ArrayConvert object
' that this script uses to turn the schemaIDGUID octet string into hex.
'
Dim RootDSEStr
Dim objpath
Dim oSchemaObj
Dim oRootDSE
Dim flipstring
Dim rightsguids
Dim configNC
Dim rightsPath
Dim args, userID, Password, ldpServer, i

'
' Validate the arguments.
' See the DisplayUsage subroutine for details on the calling arguments.
'
Set args = WScript.Arguments
If (args.Count < 4) Then
    WScript.Echo "Error: Wrong number of arguments"
    Call DisplayUsage
    WScript.Quit 0
End If

userID    = args(1)
Password  = args(2)
ldpServer = args(3)

'
' Bind to the RootDSE object of the targeted server to obtain:
'   the defaultNamingContext,
'   the schemaNamingContext (to build the ADsPath of the schema class object), and
'   the configurationNamingContext (to build the ADsPath of the Extended-Rights container).
'
' Note: GetObject binds with the security context of the user running the
' script; the supplied credentials are only used by the ADO query below.
' The schema class CN is taken from the command line as-is.
'
Set oRootDSE = GetObject("LDAP://" & ldpServer & "/RootDSE")
objpath = "LDAP://" & ldpServer & "/cn=" & args(0) & "," & oRootDSE.Get("schemaNamingContext")
WScript.Echo "Binding to: " & vbCrLf & objpath
Set oSchemaObj = GetObject(objpath)
RootDSEStr = oRootDSE.Get("defaultNamingContext")
configNC   = oRootDSE.Get("configurationNamingContext")
rightsPath = "LDAP://" & ldpServer & "/cn=Extended-Rights," & configNC

'
' Retrieve the schemaIDGUID and convert it to a form that can be used in an
' LDAP query: flip the binary GUID into the string form stored in appliesTo.
'
flipstring = FlipOctetGuidToTextGuid(oSchemaObj.Get("schemaIDGUID"))

'
' Find all of the controlAccessRight objects whose appliesTo attribute
' contains the specified GUID and return an array of strings that contain
' the cn and displayName of each object found.
'
FindRightsGuidsFromSchemaIDGuid flipstring, rightsguids, userID, Password, rightsPath

'
' Display the results.
'
WScript.Echo "controlAccessRight objects (extended rights or property sets) found: "
For i = LBound(rightsguids) To UBound(rightsguids)
    WScript.Echo rightsguids(i)
Next
'
'<<<<<<<<<<<<<<<<<<<<<<< END MAIN VBS >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
'

Function FlipOctetGuidToTextGuid(octet)
    Dim cnv
    Dim tmpGuid
    Dim octetStr
    Dim guidStr
    '
    ' Due to a limitation in VBScript, the variant array of bytes is first
    ' converted into its hex string counterpart (two hex digits per byte).
    ' The first three fields of a binary GUID are stored little-endian, so
    ' their bytes must be reversed to produce the string form found in the
    ' appliesTo attribute of a controlAccessRight object.
    '
    Set cnv = CreateObject("ADs.ArrayConvert")
    tmpGuid = cnv.CvOctetStr2vHexStr(octet)

    ' Data1: 4 bytes, reversed
    octetStr = Mid(tmpGuid, 7, 2)             ' byte 3
    octetStr = octetStr & Mid(tmpGuid, 5, 2)  ' byte 2
    octetStr = octetStr & Mid(tmpGuid, 3, 2)  ' byte 1
    octetStr = octetStr & Mid(tmpGuid, 1, 2)  ' byte 0
    ' Data2: 2 bytes, reversed
    octetStr = octetStr & Mid(tmpGuid, 11, 2) ' byte 5
    octetStr = octetStr & Mid(tmpGuid, 9, 2)  ' byte 4
    ' Data3: 2 bytes, reversed
    octetStr = octetStr & Mid(tmpGuid, 15, 2) ' byte 7
    octetStr = octetStr & Mid(tmpGuid, 13, 2) ' byte 6
    '
    ' The remaining 8 bytes (Data4) keep their order.
    '
    octetStr = octetStr & Mid(tmpGuid, 17)
    '
    ' Add the '-'s (8-4-4-4-12 layout).
    '
    guidStr = Mid(octetStr, 1, 8) & "-" & Mid(octetStr, 9, 4) & "-" & _
              Mid(octetStr, 13, 4) & "-" & Mid(octetStr, 17, 4) & "-" & Mid(octetStr, 21, 12)
    '
    ' Return the GUID in the form that can be used in an LDAP query to find
    ' matching appliesTo GUIDs in the Extended-Rights container.
    '
    FlipOctetGuidToTextGuid = guidStr
End Function

'
' FindRightsGuidsFromSchemaIDGuid uses the ADSI OLE DB provider to perform an
' LDAP dialect query against the Extended-Rights container, searching for all
' of the controlAccessRight objects whose appliesTo property contains the GUID
' passed in the appliesToGuid parameter.
'
' The subroutine returns (in RetGuids) an array of strings containing the
' common name and display name of each controlAccessRight object found.
'
' basePath is the ADsPath of the Extended-Rights container on the target server.
'
Sub FindRightsGuidsFromSchemaIDGuid(appliesToGuid, RetGuids, userid, password, basePath)
    Dim strQuery
    Dim cmd
    Dim m_pConn
    Dim m_recordSet
    Dim rCount
    Dim tmpStr

    Set cmd = CreateObject("ADODB.Command")
    Set m_pConn = CreateObject("ADODB.Connection")
    m_pConn.Provider = ADSI_PROVIDER
    ' Leave "User ID" and "Password" unset to bind as the calling user instead
    ' of passing credentials on the command line.
    m_pConn.Properties("Encrypt Password") = False
    m_pConn.Properties("User ID") = userid
    m_pConn.Properties("Password") = password
    m_pConn.Open ADSI_PROV_NAME
    Set cmd.ActiveConnection = m_pConn

    ' LDAP dialect: <base ADsPath>;(filter);attributes;scope
    ' The GUID string contains only hex digits and hyphens, so it needs no
    ' LDAP filter escaping.
    strQuery = "<" & basePath & ">;(appliesTo=" & appliesToGuid & ");rightsGuid,cn,displayName;subtree"
    cmd.CommandText = strQuery
    cmd.Properties("Page Size") = 10
    Set m_recordSet = cmd.Execute

    ' Start with an empty array so the caller's loop is safe when nothing matches.
    ReDim RetGuids(-1)
    rCount = 0
    While (Not m_recordSet.EOF)
        rCount = rCount + 1
        ReDim Preserve RetGuids(rCount - 1)
        tmpStr = m_recordSet.Fields("cn") & " " & Chr(34) & m_recordSet.Fields("displayName") & Chr(34)
        RetGuids(rCount - 1) = tmpStr
        m_recordSet.MoveNext
    Wend
    m_recordSet.Close
    m_pConn.Close
End Sub

'
' DisplayUsage provides limited help information for the script.
'
Sub DisplayUsage
    '
    ' This VBS requires 4 arguments in the following order:
    '   1. CN of the schema class object, without the "CN=" prefix
    '   2. UserID to use as credentials for the ADO query
    '   3. Password for the UserID
    '   4. NetBIOS or DNS name of the LDAP server to target
    '
    ' ie: props user "Domain\User" "Password" MyServer
    '
    ' will display all of the controlAccessRight objects whose appliesTo
    ' property matches the schemaIDGUID of the schema class object "user",
    ' using the credentials of Domain\User to bind to the LDAP server MyServer.
    '
    WScript.Echo "appliesto.VBS ->"
    WScript.Echo "Displays a list of controlAccessRight objects whose appliesTo property"
    WScript.Echo "matches the schemaIDGUID property of the provided schema class object"
    WScript.Echo
    WScript.Echo "USAGE: Props Schema_Class_Object UserID Password LDAP_Server"
    WScript.Echo "WHERE:"
    WScript.Echo "      Schema_Class_Object - CN of the schema class object to find controlAccessRight objects for"
    WScript.Echo "      UserID - User credentials to use for the ADO query"
    WScript.Echo "      Password - Password for UserID (note: visible in process listings and command history)"
    WScript.Echo "      LDAP_Server - can be the NetBIOS or DNS name of the LDAP server to"
    WScript.Echo "         target for the LDAP ADO query" & vbCrLf
    WScript.Echo " Example: To list extended rights associated with the user class object"
    WScript.Echo "   using the credentials for MyDomain\JoeB against the AD server"
    WScript.Echo "   LDAPServer the command line would be:"
    WScript.Echo "props user MyDomain\JoeB PWD_for_JoeB LDAPServer"
    WScript.Echo ""
    WScript.Echo " ADsEncoder.DLL and ADs.DLL must be registered using RegSvr32 in order for"
    WScript.Echo " this script to execute successfully"
End Sub

