A Complex ACE Example

Example 23-2 shows two further ACEs being created. This time we have included all the constants. This example sets the following ACEs on myOU:

  • No permissions even to see the object for members of DenyGroup.

  • Ability to create, delete, and examine all children of the object for AllowChildGroup.

  • Ability for user Vicky Launders to assume ownership of the Organizational Unit only and not any children.

  • Permission for the user Lee Flight to read and write this OU’s description.

  • Permission for the Chris Heaton account to read and write all users’ passwords.

  • Generation of audit messages for failed access by Everyone to delete the object itself.

  • Generation of audit messages for all modifications to Active Directory by Brian Kerr below this Organizational Unit, but not including this Organizational Unit.

Example 23-2. A complex ACE example

'**************************************************************************
'AccessMask constants
'**************************************************************************
Const ADS_RIGHT_GENERIC_READ = &H80000000
Const ADS_RIGHT_GENERIC_WRITE = &H40000000
Const ADS_RIGHT_GENERIC_EXECUTE = &H20000000
Const ADS_RIGHT_GENERIC_ALL = &H10000000
Const ADS_RIGHT_SYSTEM_SECURITY = &H1000000
Const ADS_RIGHT_SYNCHRONIZE = &H100000
Const ADS_RIGHT_WRITE_OWNER = &H80000
Const ADS_RIGHT_WRITE_DAC = &H40000
Const ADS_RIGHT_READ_CONTROL = &H20000
Const ADS_RIGHT_DELETE = &H10000
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
Const ADS_RIGHT_DS_LIST_OBJECT = ...
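
A read-back check for the DACL entries listed above, as an added example that is not part of the book's Example 23-2: it enumerates the ACEs on the OU and reports each trustee's ACE type, inheritance scope, and any of the WRITE_OWNER, WRITE_DAC or DELETE rights it carries. The LDAP path is a placeholder, and the AceType and AceFlags constants are the standard ADSI values, not taken from the truncated listing.

```vbscript
Option Explicit
' AccessMask constants, values as given in Example 23-2
Const ADS_RIGHT_WRITE_OWNER = &H80000
Const ADS_RIGHT_WRITE_DAC   = &H40000
Const ADS_RIGHT_DELETE      = &H10000
' Standard ADSI AceType and AceFlags values (assumed; not shown in the listing)
Const ADS_ACETYPE_ACCESS_ALLOWED        = &H0
Const ADS_ACETYPE_ACCESS_DENIED         = &H1
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT  = &H6
Const ADS_ACEFLAG_INHERIT_ACE           = &H2
Const ADS_ACEFLAG_INHERIT_ONLY_ACE      = &H8
' Assumption: placeholder path; substitute the DN of your own OU
Const OU_PATH = "LDAP://ou=myOU,dc=example,dc=com"

Dim objOU, objSD, objDACL, objACE, strKind, strScope, strRights
Set objOU   = GetObject(OU_PATH)
Set objSD   = objOU.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl

For Each objACE In objDACL
  Select Case objACE.AceType
    Case ADS_ACETYPE_ACCESS_ALLOWED, ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
      strKind = "ALLOW"
    Case ADS_ACETYPE_ACCESS_DENIED, ADS_ACETYPE_ACCESS_DENIED_OBJECT
      strKind = "DENY"
    Case Else
      strKind = "OTHER(" & objACE.AceType & ")"
  End Select

  ' Inheritance scope: the OU itself, its children, or both
  If (objACE.AceFlags And ADS_ACEFLAG_INHERIT_ACE) = 0 Then
    strScope = "this object only"
  ElseIf (objACE.AceFlags And ADS_ACEFLAG_INHERIT_ONLY_ACE) <> 0 Then
    strScope = "children only"
  Else
    strScope = "this object and children"
  End If

  ' Rights that let a trustee take over, re-permission or remove the object
  strRights = ""
  If (objACE.AccessMask And ADS_RIGHT_WRITE_OWNER) <> 0 Then strRights = strRights & " WRITE_OWNER"
  If (objACE.AccessMask And ADS_RIGHT_WRITE_DAC) <> 0 Then strRights = strRights & " WRITE_DAC"
  If (objACE.AccessMask And ADS_RIGHT_DELETE) <> 0 Then strRights = strRights & " DELETE"

  WScript.Echo strKind & vbTab & objACE.Trustee & vbTab & strScope & vbTab & _
               "&H" & Hex(objACE.AccessMask) & vbTab & Trim(strRights)
Next
```

Run it with cscript so each ACE prints as one tab-separated line; audit ACEs live in the SACL and are not covered by this DACL walk.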
