Modifying Security on Active Directory Objects using a script


I was working with a customer this week and we found some user objects in Active Directory had incorrect security settings.  I put together a list of commands for the customer to use.  I thought a few of the FOR command examples below were useful so here you go… 


These commands can also be used in a script. Keep in mind that the FOR command syntax changes slightly when used within a batch file: each %i becomes %%i (see FOR /?).


Dump the DNs of all users in an OU (DSQUERY outputs each DN in double quotes, which is what lets the DNs be passed straight to DSACLS below)
   DSQUERY USER "ou=test accounts,dc=contoso,dc=local"


Show security for an object in Active Directory
   DSACLS "cn=Jane doe1,ou=test accounts,dc=contoso,dc=local"


Show security for the SELF security principal on an object in Active Directory
   DSACLS "cn=Jane doe1,ou=test accounts,dc=contoso,dc=local" | find /i "self"


Use DSACLS on a list of users in a file (one DN per line, in double quotes if the DN contains spaces)
   FOR /F "tokens=* usebackq" %i in (`type users.txt`) DO dsacls %i
         (NOTE: ` is a back quote, found on the same key as ~)


Use DSACLS on the output of DSQUERY USER <OU DN>
   FOR /F "tokens=* usebackq" %i in (`dsquery user "ou=test accounts,dc=contoso,dc=local"`) DO dsacls %i

Show only the SELF entries for every user in the OU
   FOR /F "tokens=* usebackq" %i in (`dsquery user "ou=test accounts,dc=contoso,dc=local"`) DO dsacls %i | find /i "self"


Reset a user to the default permissions as defined by the schema (the /S switch is case sensitive). Note that any explicit ACEs that were added to the object, for example a right delegated directly on the user, are discarded by the reset, so review the current ACL first.
   DSACLS "cn=jane doe1,ou=test accounts,dc=contoso,dc=local" /S


Perform the same reset for all users in an OU (again, /S is case sensitive)
   FOR /F "tokens=* usebackq" %i in (`dsquery user "ou=test accounts,dc=contoso,dc=local"`) DO dsacls %i /S
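The same procedure, audit first and then reset, as a PowerShell script. This is an added example and not part of the original post: it assumes the ActiveDirectory module (RSAT) is installed, that the OU "ou=test accounts,dc=contoso,dc=local" exists, and the -Reset switch and the output columns are this example's own design. It lists the explicit (non-inherited) ACEs on each user, which are exactly the entries DSACLS /S will throw away, and the SELF entries the post filters for with FIND; the reset itself still shells out to DSACLS /S, since there is no built-in cmdlet for "reset to schema default".

```powershell
# Added example, not from the original post. Audits explicit ACEs on every user
# in an OU, then optionally resets them with DSACLS /S (same switch as the post).
# Assumptions: ActiveDirectory module available; OU below exists in the domain.
[CmdletBinding()]
param(
    [string]$SearchBase = 'ou=test accounts,dc=contoso,dc=local',   # assumed OU
    [switch]$Reset                                                   # assumed switch
)

Import-Module ActiveDirectory

# The principal the original post greps for with "find /i self".
$selfAccount = 'NT AUTHORITY\SELF'

foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase) {
    $dn  = $user.DistinguishedName
    # The AD: drive is provided by the ActiveDirectory module; Get-Acl returns
    # an ActiveDirectorySecurity object for the user.
    $acl = Get-Acl -Path ("AD:\" + $dn)

    # Explicit (non-inherited) ACEs are what DSACLS /S discards; inherited ones
    # come from the parent OU and are not affected.
    $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
    $selfAces = @($explicit | Where-Object { $_.IdentityReference.Value -eq $selfAccount })

    [pscustomobject]@{
        User           = $user.SamAccountName
        InheritanceOff = $acl.AreAccessRulesProtected   # inheritance blocked on the object?
        ExplicitAces   = $explicit.Count
        SelfAces       = ($selfAces | ForEach-Object {
                             "$($_.AccessControlType) $($_.ActiveDirectoryRights)"
                         }) -join '; '
    }

    if ($Reset) {
        # Reset to the schema default for the user class, exactly as "dsacls <dn> /S".
        # PowerShell quotes $dn for the child process because it contains spaces.
        & dsacls.exe $dn /S | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "dsacls /S failed for $dn (exit code $LASTEXITCODE)"
        }
    }
}
```

Run it once without -Reset and read the ExplicitAces and SelfAces columns; a user whose explicit entries differ from its neighbours is the "incorrect security settings" case the post describes, while an entry that looks like an intended delegation is a reason not to bulk-reset that object. Run again with -Reset to apply DSACLS /S to every user in the OU.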




REFERENCE 


How to Use Dsacls.exe in Windows Server 2003 and Windows 2000
http://support.microsoft.com/kb/281146


Dsacls
http://technet.microsoft.com/en-us/library/cc771151(WS.10).aspx