Modifying Security on Active Directory Objects using a script
I was working with a customer this week and we found some user objects in Active Directory had incorrect security settings. I put together a list of commands for the customer to use. I thought a few of the FOR command examples below were useful so here you go...
These commands can also be used in a script. Keep in mind the FOR command syntax changes slightly (FOR /?) when used within a batch file: the loop variable is written %%i instead of %i.
DUMP CNs for all users in an OU
DSQUERY USER "ou=test accounts, dc=contoso,dc=local"
Show security for an object in Active Directory
DSACLS "cn=Jane doe1,ou=test accounts, dc=contoso,dc=local"
Show security for the SELF security principal on an object in Active Directory
DSACLS "cn=Jane doe1,ou=test accounts, dc=contoso,dc=local" | find /i "self"
Use DSACLS on list of users in a file
FOR /F "tokens=* usebackq" %i in (`type users.txt`) DO dsacls %i
(NOTE ` is a back quote found on same key as ~)
Use DSACLS on output of DSQUERY USERS <OU DN>
FOR /F "tokens=* usebackq" %i in (`dsquery user "ou=test accounts,dc=contoso,dc=local"`) DO dsacls %i
(NOTE ` is a back quote found on same key as ~)
FOR /F "tokens=* usebackq" %i in (`dsquery user "ou=test accounts,dc=contoso,dc=local"`) DO dsacls %i | find /i "self"
(NOTE ` is a back quote found on same key as ~)
Reset a user to the default permissions as defined by the schema
DSACLS "cn=jane doe1,ou=test accounts,dc=contoso,dc=local" /S
(NOTE /S is case sensitive)
Perform the same task for all users in an OU
FOR /F "tokens=* usebackq" %i in (`dsquery user "ou=test accounts,dc=contoso,dc=local"`) DO dsacls %i /S
(NOTE /S is case sensitive)
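The commands above combined into a batch file, as an added example that is not part of the original post: it saves each user's current ACL to a file before anything is changed, and runs the /S reset only when called with the argument RESET. The file names acl-before.txt and acl-reset.txt and the RESET argument are assumptions of this example; -limit 0 lifts dsquery's default cap of 100 results.

```batch
@echo off
rem Added example: snapshot user ACLs in an OU, then optionally reset them
rem to the schema defaults. Not code from the original post.
setlocal

rem OU DN taken from the post; the two file names are hypothetical.
set "OU=ou=test accounts,dc=contoso,dc=local"
set "BACKUP=acl-before.txt"
set "RESETLOG=acl-reset.txt"

rem Pass 1: record the current ACL of every user so the change can be reviewed.
rem Inside a batch file the loop variable is %%i, not %i.
> "%BACKUP%" echo ACL snapshot for %OU%
for /f "tokens=* usebackq" %%i in (`dsquery user "%OU%" -limit 0`) do (
    >>"%BACKUP%" echo ==== %%i
    >>"%BACKUP%" dsacls %%i
)

rem Stop here unless the caller explicitly asked for the reset.
if /i not "%~1"=="RESET" (
    echo Snapshot written to %BACKUP%. Re-run with RESET to apply schema defaults.
    exit /b 0
)

rem Pass 2: reset each user to the schema default permissions.
rem The /S switch must be upper case.
> "%RESETLOG%" echo Reset log for %OU%
for /f "tokens=* usebackq" %%i in (`dsquery user "%OU%" -limit 0`) do (
    echo Resetting %%i
    >>"%RESETLOG%" echo ==== %%i
    >>"%RESETLOG%" dsacls %%i /S
)

echo Done. Compare %BACKUP% with the current ACLs to confirm the change.
endlocal
```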
REFERENCE
How to Use Dsacls.exe in Windows Server 2003 and Windows 2000
https://support.microsoft.com/kb/281146
Dsacls
https://technet.microsoft.com/en-us/library/cc771151(WS.10).aspx