

Modifying Security on Active Directory Objects using a script

I was working with a customer this week and we found some user objects in Active Directory had incorrect security settings.  I put together a list of commands for the customer to use.  I thought a few of the FOR command examples below were useful so here you go... 

These commands can also be used in a script.  Keep in mind that the FOR command syntax changes slightly (see FOR /?) when used within a batch file: the loop variable is written %%i instead of %i.

DUMP CNs for all users in an OU 
   DSQUERY USER "ou=test accounts, dc=contoso,dc=local"

Show security for an object in Active Directory
   DSACLS "cn=Jane doe1,ou=test accounts, dc=contoso,dc=local"

Show security for the SELF security principal on an object in Active Directory
   DSACLS "cn=Jane doe1,ou=test accounts, dc=contoso,dc=local" | find /i "self"

Use DSACLS on list of users in a file
   FOR /F "tokens=* usebackq"  %i in (`type users.txt`) DO dsacls %i
         (NOTE ` is a back quote found on same key as ~)

Use DSACLS on output of DSQUERY USERS <OU DN>
   FOR /F "tokens=* usebackq"  %i in (`dsquery user "ou=test accounts,dc=contoso,dc=local"`) DO dsacls %i
         (NOTE ` is a back quote found on same key as ~)

   FOR /F "tokens=* usebackq"  %i in (`dsquery user "ou=test accounts,dc=contoso,dc=local"`) DO dsacls %i | find /i "self"
         (NOTE ` is a back quote found on same key as ~)

Reset a user to the default permissions as defined by the schema
   DSACLS "cn=jane doe1,ou=test accounts,dc=contoso,dc=local" /S
         (NOTE the /S switch is case sensitive)

Perform the same task for all users in an OU 
   FOR /F "tokens=* usebackq"  %i in (`dsquery user "ou=test accounts,dc=contoso,dc=local"`) DO dsacls %i /S
         (NOTE the /S switch is case sensitive)
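
The one-liners above combined into a batch file, as an added example that is not part of the original post: it records each user's current ACL before the reset so the change can be reviewed afterwards. The script name, the /commit switch and the output file names are assumptions made for this example.

```batch
@echo off
rem Added example (not from the original post).
rem Usage: reset-user-acls.cmd "ou=test accounts,dc=contoso,dc=local" [/commit]
rem Without /commit nothing is changed; the current ACLs are only recorded.
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 "OU distinguished name" [/commit]
    exit /b 1
)
set "OU=%~1"
set "MODE=report"
if /i "%~2"=="/commit" set "MODE=commit"

rem Output file names are assumptions made for this example.
set "BEFORE=acl-before.txt"
set "AFTER=acl-after.txt"
if exist "%BEFORE%" del "%BEFORE%"
if exist "%AFTER%" del "%AFTER%"

rem In a batch file the loop variable is %%i, not %i.
rem dsquery prints each DN already wrapped in double quotes.
rem -limit 0 lifts dsquery's default cap of 100 results.
for /f "tokens=* usebackq" %%i in (`dsquery user "%OU%" -limit 0`) do (
    echo ==== %%i>> "%BEFORE%"
    dsacls %%i >> "%BEFORE%"
    if "%MODE%"=="commit" (
        rem /S is case sensitive: restore the schema default security.
        dsacls %%i /S
        echo ==== %%i>> "%AFTER%"
        dsacls %%i >> "%AFTER%"
    )
)

echo Mode: %MODE%. ACLs before any change: %BEFORE%
rem In commit mode, show what the reset changed on each object.
if "%MODE%"=="commit" fc "%BEFORE%" "%AFTER%"
endlocal
```

Run it once without /commit and review acl-before.txt, then run it again with /commit to apply the reset and see the differences.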

 

REFERENCE 

How to Use Dsacls.exe in Windows Server 2003 and Windows 2000
https://support.microsoft.com/kb/281146

Dsacls
https://technet.microsoft.com/en-us/library/cc771151(WS.10).aspx
