Program to document the security of an object in Active Directory. The program enumerates the ACE's (Access Control Entries) within the DACL (Discretionary Access Control
List) of the object's security descriptor.
This program is based in part on a program on pages 425-431 of the book "Windows NT/2000 ADSI Scripting for System Administration", by Thomas Eck, MacMillan Technical Publishing, 2000.
The program has been improved in several ways. First, the program accepts a parameter for the distinguished name of the object to be documented. If you do not supply this parameter, the program prompts for the distinguished name. There is now no need to hard code this value in the script. Second, the program creates a report file based on the Relative Distinguished Name of the object to be documented. Again, there is no longer a need to hard code the file name. Finally, the program now documents whether or not inheritance is enabled. If inheritance is enabled, the object inherits permissions from any parent organizational units.
DACL.txt <<-- Click here to view or download the program
Several situations have been encountered where it is useful to compare permissions. Sometimes we want to compare the permissions assigned to several different objects. At other times, we want to compare the permissions assigned to an object before and after some activity. Comparing the output files from the first script linked above can be tedious. Even if the permissions are identical, the ACE's can be listed in a different order. Such comparisons are much easier if the ACE's are sorted. The following program is identical to the first, but uses a disconnected recordset to sort the ACE's before they are documented in the output file. The ACE's are sorted by Trustee, AccessMask, and ObjectType. This makes comparison much easier. In fact, the command prompt utility FC makes comparing the output files a snap.
DACL2.txt <<-- Click here to view or download the program