Hi, my goal is as follows: grant "full control" permissions to a computer object in A.D. over a different computer object in A.D. Both objects are in the same A.D. and the same O.U.

This code works to grant "full control" permissions to a user object in A.D. over a computer object. However, when the "trustee" is changed to a computer object it throws a COM error of:

Description: "Exception Occurred"
Error Number: 80020009

I've been working on this for a few days and getting closer, but not quite there yet. Does anyone know what I'm missing to allow this code to work with a computer object instead of a user? Alternatively, does anyone know of a different approach to grant a computer object full permissions over another computer object in A.D.? Thanks in advance for any help offered!

```autoit
; Script to set A.D. permissions on an object
; Working when setting User permissions on a computer object
; Not working when setting Computer permissions on a computer object

; Control-access-right and property-set GUIDs (only needed for object-specific ACEs)
Const $USER_ACCOUNT_RESTRICTIONS = "{4C164200-20C0-11D0-A768-00AA006E0529}"
Const $DNS_Host_Name_Attributes = "{72e39547-7b18-11d1-adef-00c04fd8d5cd}"
Const $VALIDATED_SPN = "{F3A64788-5306-11D1-A9C5-0000F80367C1}"
Const $VALIDATED_DNS_HOST_NAME = "{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}"
Const $RESET_PASSWORD_GUID = "{00299570-246D-11D0-A768-00AA006E0529}"

; ADS_RIGHTS_ENUM access-mask bits
Const $ADS_RIGHT_DS_CONTROL_ACCESS = 0x100
Const $ADS_RIGHT_DS_WRITE_PROP = 0x20
Const $ADS_RIGHT_DS_READ_PROP = 0x10
Const $ADS_RIGHT_DS_SELF = 0x8

; ADS_ACETYPE_ENUM values
Const $ADS_ACETYPE_ACCESS_ALLOWED = 0x0
Const $ADS_ACETYPE_ACCESS_DENIED = 0x1
Const $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = 0x5
Const $ADS_ACETYPE_ACCESS_DENIED_OBJECT = 0x6

; ADS_ACEFLAG_ENUM / ADS_FLAGTYPE_ENUM values
Const $ADS_ACEFLAG_INHERITED_ACE = 0x10
Const $ADS_ACEFLAG_OBJECT_TYPE_PRESENT = 0x1

Dim $objSecDescriptor, $objDACL, $objComputer
Dim $strComputerDN, $strTrustee
Dim $objACE1, $objACE2, $objACE3, $objACE4
Global $g_eventerror = 0 ; set by MyErrFunc when a COM error is intercepted

$oMyError = ObjEvent("AutoIt.Error", "MyErrFunc") ; Install a custom error handler

$strInstallerUserName = "<user name>"
$strInstallerUserPassword = "<user password>"
$strCredDomain = "<user domain>"

;~ Specify the trustee - group NT name in form "MyDomain\GroupNTName".
; (A computer account's NT name, its sAMAccountName, ends in "$", e.g. "MyDomain\PCNAME$".)
$strTrustee = "<domain name>\<name of object which will have full control>" ; if the named object is a User it works. If it is a computer it fails

;~ Bind to the computer object with the LDAP provider.
$dsoLDAP = ObjGet("LDAP:")
$objComputer = $dsoLDAP.OpenDSObject("LDAP://<distinguished name of computer>", $strCredDomain & "\" & $strInstallerUserName, $strInstallerUserPassword, 1)
; If the above serverless binding attempt doesn't work, you can try the below:
;~ $objComputer = $dsoLDAP.OpenDSObject("LDAP://<fqdn of domain controller>/<distinguished name of computer>", $strCredDomain & "\" & $strInstallerUserName, $strInstallerUserPassword, 1)
;~ The above binding directly targets a domain controller, which avoids the need to do a lookup which, if it fails, will produce a "Specified domain either does not exist or could not be contacted" error.
;~ Serverless binding refers to a process in which a client attempts to bind to an Active Directory object without explicitly specifying an Active Directory server in the binding string.
;~ This is possible because the LDAP provider relies on the locator services of Windows to find the best domain controller (DC) for the client. However, the client must have an account
;~ on the Active Directory domain controller to take advantage of the serverless binding feature, and the DC used by a serverless bind will always be located in the default domain;
;~ that is, the domain associated with the current security context of the thread that performs the binding.

;~ Bind to the computer security objects.
$objSecDescriptor = $objComputer.Get("ntSecurityDescriptor")
; Get the discretionary ACL object
$objDACL = $objSecDescriptor.DiscretionaryAcl

;~ Create Access Control Entry 1...
; ACE 1
$objACE1 = ObjCreate("AccessControlEntry")
$objACE1.Trustee = $strTrustee
; Assign read and write property rights to ACE1.
; BitOR is required here: AutoIt's "And" is a logical operator and would collapse the mask to True (1).
$objACE1.AccessMask = BitOR($ADS_RIGHT_DS_WRITE_PROP, $ADS_RIGHT_DS_READ_PROP)
; Add additional properties to the ACE
$objACE1.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
$objACE1.AceFlags = 0
; Add the ACE into the discretionary ACL object
$objDACL.AddAce($objACE1)

;~ Reorder ACEs in DACL.
$objSecDescriptor.DiscretionaryAcl = _AD_ReorderACE($objDACL)

;~ Update the Computer object.
; ADS_OPTION_SECURITY_MASK (3) = ADS_SECURITY_INFO_DACL (4): write back only the DACL part of the descriptor
$objComputer.SetOption(3, 4)
; Update the A.D. cache with the new discretionary ACL
$objComputer.Put("ntSecurityDescriptor", $objSecDescriptor)
; Update A.D. with new discretionary ACL
$objComputer.SetInfo()
MsgBox(0, "", "Done")

Func _AD_ReorderACE($objDACL)
    ;~ Reorder ACEs in DACL: explicit deny, deny-object, allow, allow-object, then inherited ACEs last.
    Local $objNewDACL, $objInheritedDACL, $objAllowDACL, $objDenyDACL
    Local $objAllowObjectDACL, $objDenyObjectDACL, $objACE
    $objNewDACL = ObjCreate("AccessControlList")
    $objInheritedDACL = ObjCreate("AccessControlList")
    $objAllowDACL = ObjCreate("AccessControlList")
    $objDenyDACL = ObjCreate("AccessControlList")
    $objAllowObjectDACL = ObjCreate("AccessControlList")
    $objDenyObjectDACL = ObjCreate("AccessControlList")

    For $objACE In $objDACL
        ; Bitwise test of the inherited flag (BitAND, not the logical "And")
        If BitAND($objACE.AceFlags, $ADS_ACEFLAG_INHERITED_ACE) = $ADS_ACEFLAG_INHERITED_ACE Then
            $objInheritedDACL.AddAce($objACE)
        Else
            Select
                Case $objACE.AceType = $ADS_ACETYPE_ACCESS_ALLOWED
                    $objAllowDACL.AddAce($objACE)
                Case $objACE.AceType = $ADS_ACETYPE_ACCESS_DENIED
                    $objDenyDACL.AddAce($objACE)
                Case $objACE.AceType = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
                    $objAllowObjectDACL.AddAce($objACE)
                Case $objACE.AceType = $ADS_ACETYPE_ACCESS_DENIED_OBJECT
                    $objDenyObjectDACL.AddAce($objACE)
            EndSelect
        EndIf
    Next

    For $objACE In $objDenyDACL
        $objNewDACL.AddAce($objACE)
    Next
    For $objACE In $objDenyObjectDACL
        $objNewDACL.AddAce($objACE)
    Next
    For $objACE In $objAllowDACL
        $objNewDACL.AddAce($objACE)
    Next
    For $objACE In $objAllowObjectDACL
        $objNewDACL.AddAce($objACE)
    Next
    For $objACE In $objInheritedDACL
        $objNewDACL.AddAce($objACE)
    Next

    $objNewDACL.AclRevision = $objDACL.AclRevision
    Return $objNewDACL
EndFunc

Func MyErrFunc()
    $g_eventerror = 1 ; something to check for when this function returns
    MsgBox(0, "AutoItCOM Test", "We intercepted a COM Error !" & @CRLF & @CRLF & _
        "err.description is: " & @TAB & $oMyError.description & @CRLF & _
        "err.windescription:" & @TAB & $oMyError.windescription & @CRLF & _
        "err.number is: " & @TAB & Hex($oMyError.number, 8) & @CRLF & _
        "err.lastdllerror is: " & @TAB & $oMyError.lastdllerror & @CRLF & _
        "err.scriptline is: " & @TAB & $oMyError.scriptline & @CRLF & _
        "err.source is: " & @TAB & $oMyError.source & @CRLF & _
        "err.helpfile is: " & @TAB & $oMyError.helpfile & @CRLF & _
        "err.helpcontext is: " & @TAB & $oMyError.helpcontext)
    Local $err = $oMyError.number
    If $err = 0 Then $err = -1
    $g_eventerror = $err ; to check for after this function returns
EndFunc
```
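As an added example (not code from the post): a Python reader for the raw DACL format that ntSecurityDescriptor carries, wired to the same ACE ordering rule the script's _AD_ReorderACE applies, so a DACL read from a computer object can be checked for canonical order before or after an edit. Function names and the sample DACL are constructed for this example.

```python
import struct
import uuid

ALLOWED, DENIED, ALLOWED_OBJECT, DENIED_OBJECT = 0x0, 0x1, 0x5, 0x6  # ACE types, same values as the AutoIt script
INHERITED_ACE, OBJECT_TYPE_PRESENT, INHERITED_OBJECT_TYPE_PRESENT = 0x10, 0x1, 0x2

def sid_to_bytes(sid):  # "S-1-5-21-..." -> binary SID: revision, sub-authority count, 48-bit authority, sub-authorities
    rev, auth, *subs = (int(x) for x in sid.split("-")[1:])
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)
def sid_from_bytes(b):  # inverse of sid_to_bytes
    subs = struct.unpack_from("<%dI" % b[1], b, 8)
    return "S-%d-%d-" % (b[0], int.from_bytes(b[2:8], "big")) + "-".join(map(str, subs))

def build_ace(ace_type, flags, mask, sid, object_type=None):  # ACE = header (type, flags, size), mask, [object part], SID
    body = struct.pack("<I", mask)
    if ace_type in (ALLOWED_OBJECT, DENIED_OBJECT):  # object ACEs add an object-flags word and, if flagged, a GUID
        body += (struct.pack("<I", OBJECT_TYPE_PRESENT) + uuid.UUID(object_type).bytes_le) if object_type else b"\0\0\0\0"
    body += sid_to_bytes(sid)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body
def build_dacl(aces):  # ACL header: revision 4 (ACL_REVISION_DS), Sbz1, total size, ACE count, Sbz2
    body = b"".join(aces)
    return struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body

def parse_dacl(blob):  # decode a raw DACL into dicts: type, flags, mask, object GUID (or None), trustee SID
    count, off, aces = struct.unpack_from("<BBHHH", blob, 0)[3], 8, []
    for _ in range(count):
        ace_type, flags, size = struct.unpack_from("<BBH", blob, off)
        mask, p, obj_type = struct.unpack_from("<I", blob, off + 4)[0], off + 8, None
        if ace_type in (ALLOWED_OBJECT, DENIED_OBJECT):
            obj_flags, p = struct.unpack_from("<I", blob, p)[0], p + 4
            if obj_flags & OBJECT_TYPE_PRESENT:
                obj_type, p = "{%s}" % str(uuid.UUID(bytes_le=blob[p:p + 16])).upper(), p + 16
            p += 16 if obj_flags & INHERITED_OBJECT_TYPE_PRESENT else 0  # skip InheritedObjectType GUID
        aces.append({"type": ace_type, "flags": flags, "mask": mask, "object_type": obj_type,
                     "sid": sid_from_bytes(blob[p:off + size])})
        off += size
    return aces

def rank(ace):  # the order _AD_ReorderACE enforces: deny, deny-object, allow, allow-object, inherited ACEs last
    return 4 if ace["flags"] & INHERITED_ACE else {DENIED: 0, DENIED_OBJECT: 1, ALLOWED: 2, ALLOWED_OBJECT: 3}[ace["type"]]
def is_canonical(aces):
    return all(rank(a) <= rank(b) for a, b in zip(aces, aces[1:]))
def reorder(aces):  # sorted() is stable, so ACEs within one group keep their relative order
    return sorted(aces, key=rank)

# Constructed sample: an allow-object ACE placed before an explicit deny (non-canonical), then an inherited allow
SAMPLE_DACL = build_dacl([
    build_ace(ALLOWED_OBJECT, 0, 0x30, "S-1-5-21-1-2-3-1105", "{72E39547-7B18-11D1-ADEF-00C04FD8D5CD}"),
    build_ace(DENIED, 0, 0x10000, "S-1-5-21-1-2-3-1106"),
    build_ace(ALLOWED, INHERITED_ACE, 0xF01FF, "S-1-5-21-1-2-3-512")])
```

On a live object the blob would come from the ntSecurityDescriptor attribute (for example via ldap3's raw attribute values) rather than from build_dacl; the mask 0x30 in the sample is the same read/write-property combination the script grants.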