Microsoft KB Archive/331947

= How to programmatically apply access permissions for Windows Server 2003 built-in groups in the Active Directory directory service =

Article ID: 331947

Article Last Modified on 12/15/2004

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)

-



This article was previously published under Q331947



INTRODUCTION
Microsoft Windows Server 2003 introduced several built-in groups to simplify the administration of access permissions when the domain runs in high-security mode.

In a new installation of a Windows Server 2003 domain, these built-in groups are granted the correct access permissions on the appropriate objects by default. However, in mixed-mode domains and in upgraded domains, access permissions that were set earlier may remain unchanged, so the new groups are not granted the access they need. This occurs when a Windows Server 2003 domain controller is added to a Windows 2000 domain, and it also occurs when a Windows 2000 domain is upgraded to Windows Server 2003.



MORE INFORMATION
The following script demonstrates how to grant BUILTIN\Windows Authorization Access Group (well-known SID S-1-5-32-560) the right to read the Token-Groups-Global-And-Universal (TGGAU) attribute on an object and, through inheritance, on the objects below it. Pass the distinguished name of the target object (for example, an OU) as the only argument, and run the script as an account that can modify that object's security descriptor. The script does not check whether the entry already exists: running it twice adds a second, identical ACE.

Visual Basic Script Code (Modifyacl.vbs)

On Error Resume Next

const ADS_RIGHT_DS_READ_PROP = &H10
const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
const ADS_ACEFLAG_INHERIT_ACE = &H2
const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
' Token-Groups-Global-And-Universal (schema GUID of the attribute)
const TOKEN_GROUPS_PROPERTY_GUID = "{46a9b11d-60ae-405a-b7e8-ff8a58d456d2}"
' BUILTIN\Windows Authorization Access Group (well-known SID)
const WINDOWS_AUTH_ACCESS_SID = "S-1-5-32-560"

Set oArgs = WScript.Arguments
If oArgs.Count <> 1 Then
    WScript.Echo "Usage: modifyacl.vbs <ObjectDN>"
    WScript.Echo "Ex:   modifyacl.vbs OU=test,DC=domain,DC=com"
    WScript.Quit(1)
End If

WScript.Echo "Trying to bind to the object " & oArgs(0)
Set oTarget = GetObject("LDAP://" & oArgs(0))
If Err.Number <> 0 Then
    WScript.Echo "Error 0x" & Hex(Err.Number) & " occurred trying to bind to the object"
    WScript.Quit(1)
End If

WScript.Echo "Reading security descriptor"
Set oSD = oTarget.Get("ntSecurityDescriptor")
Set oACL = oSD.DiscretionaryAcl
If Err.Number <> 0 Then
    WScript.Echo "Error 0x" & Hex(Err.Number) & " occurred reading the security descriptor"
    WScript.Quit(1)
End If

WScript.Echo "Creating new ACE and setting properties"
Set oACE = CreateObject("AccessControlEntry")
If Err.Number <> 0 Then
    WScript.Echo "Error 0x" & Hex(Err.Number) & " occurred creating new ACE"
    WScript.Quit(1)
End If

' Right to read a property of the object; which property is named by ObjectType below.
oACE.AccessMask = ADS_RIGHT_DS_READ_PROP
' Object-specific allow ACE, so the grant can be limited to a single attribute.
oACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
' Child objects inherit this access-control entry.
oACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
' ObjectType carries the GUID of Token-Groups-Global-And-Universal.
oACE.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
oACE.ObjectType = TOKEN_GROUPS_PROPERTY_GUID
' Trustee is BUILTIN\Windows Authorization Access Group.
oACE.Trustee = WINDOWS_AUTH_ACCESS_SID

WScript.Echo "Applying the modified security descriptor to the object"
oACL.AddAce oACE
oSD.DiscretionaryAcl = oACL
oTarget.Put "ntSecurityDescriptor", oSD
oTarget.SetInfo
If Err.Number <> 0 Then
    WScript.Echo "Error 0x" & Hex(Err.Number) & " occurred applying modified security descriptor to the object"
    WScript.Quit(1)
Else
    WScript.Echo "Done!"
End If
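The same grant done with the ActiveDirectory module and System.DirectoryServices, as an added example that is not part of the KB article. It adds two things a practitioner wants that the VBScript lacks: it refuses to add a duplicate ACE if an equivalent one is already present, and it reads the DACL back after the write to confirm the grant. Assumptions: it runs on a domain-joined machine with RSAT (the ActiveDirectory module) as an account allowed to modify the target's ntSecurityDescriptor; the distinguished name shown in the parameter comment is a placeholder, not a real object. The GUID and SID are the ones from the KB script.

```powershell
<#
Added example (not from KB 331947): grant BUILTIN\Windows Authorization Access
Group (S-1-5-32-560) Read Property on tokenGroupsGlobalAndUniversal, inheritable
by the target and its descendants, without adding duplicate ACEs.
Assumes the ActiveDirectory module (RSAT) and sufficient rights on the target.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$TargetDN      # placeholder form: 'OU=test,DC=domain,DC=com'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Constants carried over from the KB script.
$TggauGuid = [Guid]'46a9b11d-60ae-405a-b7e8-ff8a58d456d2'                      # tokenGroupsGlobalAndUniversal
$WaagSid   = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-560'      # Windows Authorization Access Group

function Find-TggauReadAce {
    # Return the explicit Allow ACEs on $Acl that give $WaagSid ReadProperty on TGGAU.
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -eq $WaagSid -and
            $_.ObjectType -eq $TggauGuid -and
            $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)
        }
}

$adPath = "AD:\$TargetDN"
$acl = Get-Acl -Path $adPath -ErrorAction Stop

if (Find-TggauReadAce -Acl $acl) {
    Write-Host "ACE already present on $TargetDN; nothing to do."
    return
}

# Equivalent of the VBScript ACE: ACCESS_ALLOWED_OBJECT, ReadProperty,
# ObjectType = TGGAU. ADS_ACEFLAG_INHERIT_ACE without INHERIT_ONLY applies to
# the object itself and its descendants, which is inheritance 'All' here.
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $WaagSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $TggauGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$acl.AddAccessRule($rule)

if ($PSCmdlet.ShouldProcess($TargetDN, 'Grant Read Property on TGGAU to S-1-5-32-560')) {
    Set-Acl -Path $adPath -AclObject $acl -ErrorAction Stop

    # Read the DACL back instead of trusting the write.
    $verify = Find-TggauReadAce -Acl (Get-Acl -Path $adPath -ErrorAction Stop)
    if (-not $verify) { throw "ACE was not found on $TargetDN after Set-Acl" }
    Write-Host "Done: ACE applied and verified on $TargetDN."
}
```

Save it as, for example, Grant-TggauRead.ps1 and run `.\Grant-TggauRead.ps1 -TargetDN 'OU=test,DC=domain,DC=com' -WhatIf` first; because the script supports ShouldProcess, -WhatIf performs the bind and the duplicate check but skips Set-Acl, which is a cheap way to confirm the target and the account before touching the DACL.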

