I am using Excel VBA to create AD users from a spreadsheet of names. I can create the users in the correct OU and can add the home drive and profile path to the user object. However, unlike when creating the User from the "AD Users and Computers", the folders themselves and the relevant permissions are not created automatically.
Creating the folders themselves will be no problem, but how can I then assign the correct security permissions to the folders? I do not want to share the folders, just implement NTFS security rights so that the Group Policies work correctly (we redirect My Documents to the user's Home Drive).
Any help in pointing me to where I may get info on setting security would be very helpful.
Many thanks

Creating AD user with profile & home directories
gmoffitt
Hi,
I'm having a similar problem with changing the NTFS permissions on a folder. I'm using the following code:
1: objSecurity = CreateObject("ADsSecurity")
2: objSecurityDescriptor = objSecurity.GetSecurityDescriptor("FILE://" & strFileName)
3: objDacl = objSecurityDescriptor.DiscretionaryAcl
4: objAce = CreateObject("AccessControlEntry")
5: objAce.Trustee = strTrustee
6: objAce.AccessMask = intPermissions
7: objAce.AceFlags = ADS_ACEFLAG_INHERIT_ACE or ADS_ACEFLAG_FILES
8: objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED
9: objDacl.AddAce(objAce)
10: objDacl = ReorderDacl(objDacl)
11: objSecurityDescriptor.DiscretionaryAcl = objDacl
12: objSecurity.SetSecurityDescriptor(objSecurityDescriptor)
The code above works perfectly when running as a VB script. However when running the same code inside a VB Express project it fails on line # 11 with the following error:
COMException 0x8002003 DISP_E_MEMBERNOTFOUND
I haven't got a clue what's wrong. Can someone please provide some hints on how to get this working?
Thanks in advance,
Erik
mhouston23
YES.
The proposed changes did the trick. The code is running perfectly now.
Thanks again,
Erik
AWJ
Per our support engineer:
Would you please ask our ISV to change the code like that:
1. Add reference of “Active DS Type Library” in COM Tab
2. Change the code with
“CType(objSecurityDescriptor, ActiveDs.SecurityDescriptor).DiscretionaryAcl = objDacl”
Then the code can be run as expected.
-brenda (ISV Buddy Team)
KYNg
Based on my understanding, you need a way to set folder NTFS permissions (ACL) by coding. If there’s any misunderstanding, please let me know asap.
1) How to retrieve folder ACL information
2) How to remove a domain account from ACL list
3) How to add an account into ACL list
=========================================================================
' ADS_PATHTYPE_ENUM constants
'
Const ADS_PATH_FILE = 1
const ADS_PATH_FILESHARE = 2
Const ADS_PATH_REGISTRY = 3
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
' ADS_SD_FORMAT_ENUM constants
'
const ADS_SD_FORMAT_IID = 1
const ADS_SD_FORMAT_RAW = 2
const ADS_SD_FORMAT_HEXSTRING = 3
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
' ADS_RIGHTS_ENUM constants
'
const ADS_RIGHT_DELETE = &h10000
const ADS_RIGHT_READ_CONTROL = &h20000
const ADS_RIGHT_WRITE_DAC = &h40000
const ADS_RIGHT_WRITE_OWNER = &h80000
const ADS_RIGHT_SYNCHRONIZE = &h100000
const ADS_RIGHT_ACCESS_SYSTEM_SECURITY = &h1000000
const ADS_RIGHT_GENERIC_READ = &h80000000
const ADS_RIGHT_GENERIC_WRITE = &h40000000
const ADS_RIGHT_GENERIC_EXECUTE = &h20000000
const ADS_RIGHT_GENERIC_ALL = &h10000000
const ADS_RIGHT_DS_CREATE_CHILD = &h1
const ADS_RIGHT_DS_DELETE_CHILD = &h2
const ADS_RIGHT_ACTRL_DS_LIST = &h4
const ADS_RIGHT_DS_SELF = &h8
const ADS_RIGHT_DS_READ_PROP = &h10
const ADS_RIGHT_DS_WRITE_PROP = &h20
const ADS_RIGHT_DS_DELETE_TREE = &h40
const ADS_RIGHT_DS_LIST_OBJECT = &h80
const ADS_RIGHT_DS_CONTROL_ACCESS = &h100
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
' ADS_ACETYPE_ENUM
' Ace Type definitions
'
const ADS_ACETYPE_ACCESS_ALLOWED = 0
const ADS_ACETYPE_ACCESS_DENIED = &h1
const ADS_ACETYPE_SYSTEM_AUDIT = &h2
const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5
const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &h6
const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &h7
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
' ADS_ACEFLAGS_ENUM
' Ace Flag Constants
'
const ADS_ACEFLAG_UNKNOWN = &h1
const ADS_ACEFLAG_INHERIT_ACE = &h2
const ADS_ACEFLAG_NO_PROPAGATE_INHERIT_ACE = &h4
const ADS_ACEFLAG_INHERIT_ONLY_ACE = &h8
const ADS_ACEFLAG_INHERITED_ACE = &h10
const ADS_ACEFLAG_VALID_INHERIT_FLAGS = &h1f
const ADS_ACEFLAG_SUCCESSFUL_ACCESS = &h40
const ADS_ACEFLAG_FAILED_ACCESS = &h80
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
'
' Test Script ..
'
dim oSd
dim oSDUtil
set oSDUtil = CreateObject("ADsSecurityUtility")
WScript.Echo "Retrieving security descriptor .... " & NOW()
set oSd = oSDUtil.GetSecurityDescriptor("\\sha-lm-wk\Translate", ADS_PATH_FILE, ADS_SD_FORMAT_IID)
WScript.Echo "DONE...." & NOW()
set oDacl = oSD.DiscretionaryACL
for each ace in oDacl
    WScript.Echo ace.trustee
    '
    ' Delete a specific trustee
    '
    if( ace.trustee = "FAREAST\MINGLIAN" ) then
        WScript.Echo "Found MINGLIAN...."
        oDacl.RemoveAce ace
    end if
next
WScript.Echo "-------------------- AFTER CHECKING ------------------------"
for each ace in oDacl
    WScript.Echo ace.trustee
next
'
' Add an ACE for a specific user...
'
'
set oAce = CreateObject("AccessControlEntry")
oAce.Trustee = "FAREAST\tqchen"
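' Generic read, write and execute plus DELETE; WRITE_DAC and WRITE_OWNER are not granted
oAce.AccessMask = ADS_RIGHT_GENERIC_READ Or ADS_RIGHT_GENERIC_EXECUTE or ADS_RIGHT_GENERIC_WRITE Or ADS_RIGHT_DELETE
' On a file-system ACE, &h1 is the object-inherit bit (files) and &h2 the container-inherit bit (subfolders)
oAce.AceFlags = ADS_ACEFLAG_UNKNOWN Or ADS_ACEFLAG_INHERIT_ACE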
oAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED
oDacl.AddAce oAce
WSCript.Echo "<<<<<<<<<<<<<<<<<<<< >>>>>>>>>>>>>>>>>>>>>>>>"
oSD.DiscretionaryACL = oDacl
oSDUtil.SetSecurityDescriptor "\\sha-lm-wk\Translate", ADS_PATH_FILE, oSD, ADS_SD_FORMAT_IID
wScript.Echo "DONE"
Microsoft Script Center is always the best resource for us; we can find a lot of sample code there. Please refer to the following links:
Script Center: http://www.microsoft.com/technet/scriptcenter/default.mspx
The Script Center Script Repository: http://www.microsoft.com/technet/scriptcenter/scripts/default.mspx
Another approach is the command line tool ‘xcacls.exe’. We can establish a process to execute this tool in our own application. For detailed information, please refer to:
HOW TO: Use Xcacls.exe to Modify NTFS Permissions
http://support.microsoft.com/default.aspx?scid=kb;en-us;318754
Xcacls Syntax
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/8ec308b8-9229-44bb-acad-707ec1b7f0a9.mspx
Btw, Microsoft has provided a script for modifying ACL. Please follow this link:
How to use Xcacls.vbs to modify NTFS permissions
http://support.microsoft.com/default.aspx?scid=kb;en-us;825751
hope this helps!
-brenda (ISV Buddy Team)
--
This posting is provided "AS IS" with no warranties, and confers no rights.
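
Applied to the original question (one home folder per newly created user), the ADsSecurityUtility calls from the script above can be wrapped in a routine that creates the folder and grants only that user access. This is an added example, not code from any poster in the thread; the function name GrantHomeFolder, the \\fileserver\home$ share and the CONTOSO domain are hypothetical. It assumes a newly created folder whose DACL holds only ACEs inherited from the parent.

```vbscript
Option Explicit

' Constants repeated from the thread so the script runs stand-alone
Const ADS_PATH_FILE = 1
Const ADS_SD_FORMAT_IID = 1
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACEFLAG_INHERITED_ACE = &h10
Const ADS_RIGHT_DELETE = &h10000
Const ADS_RIGHT_GENERIC_READ = &h80000000
Const ADS_RIGHT_GENERIC_WRITE = &h40000000
Const ADS_RIGHT_GENERIC_EXECUTE = &h20000000
' Hypothetical name: &h1 (object inherit, files) Or &h2 (container inherit, subfolders)
Const INHERIT_FILES_AND_FOLDERS = &h3

' Creates strPath if needed and grants strTrustee modify-level access.
' Returns True if an ACE was added, False if the trustee already had one.
Function GrantHomeFolder(strPath, strTrustee)
    Dim oFso, oSDUtil, oSd, oDacl, oAce, ace
    Set oFso = CreateObject("Scripting.FileSystemObject")
    If Not oFso.FolderExists(strPath) Then oFso.CreateFolder strPath

    Set oSDUtil = CreateObject("ADsSecurityUtility")
    Set oSd = oSDUtil.GetSecurityDescriptor(strPath, ADS_PATH_FILE, ADS_SD_FORMAT_IID)
    Set oDacl = oSd.DiscretionaryAcl

    ' Stop if an explicit (non-inherited) ACE for this trustee already exists,
    ' so re-running the import does not stack duplicate entries.
    GrantHomeFolder = False
    For Each ace In oDacl
        If UCase(ace.Trustee) = UCase(strTrustee) And _
           (ace.AceFlags And ADS_ACEFLAG_INHERITED_ACE) = 0 Then Exit Function
    Next

    Set oAce = CreateObject("AccessControlEntry")
    oAce.Trustee = strTrustee
    ' No WRITE_DAC or WRITE_OWNER: the user cannot change the folder's permissions
    oAce.AccessMask = ADS_RIGHT_GENERIC_READ Or ADS_RIGHT_GENERIC_WRITE Or _
                      ADS_RIGHT_GENERIC_EXECUTE Or ADS_RIGHT_DELETE
    oAce.AceFlags = INHERIT_FILES_AND_FOLDERS
    oAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    oDacl.AddAce oAce

    oSd.DiscretionaryAcl = oDacl
    oSDUtil.SetSecurityDescriptor strPath, ADS_PATH_FILE, oSd, ADS_SD_FORMAT_IID
    GrantHomeFolder = True
End Function

' Constructed sample values (hypothetical server, share, domain and user)
WScript.Echo GrantHomeFolder("\\fileserver\home$\jsmith", "CONTOSO\jsmith")
```

Run it with cscript under an account that may change permissions on the parent share; what the parent folder passes down by inheritance still decides who else can read each home folder.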