枚举用户帐户的审核权限
描述
返回 MyerKen Active Directory 用户帐户的审核权限。
有关在这段代码中使用的用户帐户的更多信息,请单击 此处。
支持平台
Windows XP | 是 |
Windows Server 2003 | 是 |
Windows 2000 | 是,需要安装 WSH 5.6。 |
Windows NT 4.0 | |
Windows 98 |
脚本代码
Const SE_SACL_PROTECTED = &H2000
Const ADS_SECURITY_INFO_OWNER = &H1
Const ADS_SECURITY_INFO_GROUP = &H2
Const ADS_OPTION_SECURITY_MASK =&H3
Const ADS_SECURITY_INFO_DACL = &H4
Const ADS_SECURITY_INFO_SACL = &H8
Set objUser = GetObject _
("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
objUser.SetOption ADS_OPTION_SECURITY_MASK, ADS_
SECURITY_INFO_OWNER _
Or ADS_SECURITY_INFO_GROUP Or ADS_SECURITY_INFO_DACL _
Or ADS_SECURITY_INFO_SACL
Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control
WScript.Echo "Auditing Tab"
WScript.StdOut.WriteLine "Allow inheritable auditing entries from" & _
"the parent to "
WScript.StdOut.Write "propogate to this object and all child objects "
If (intNtSecurityDescriptorControl And SE_SACL_PROTECTED) Then
Wscript.Echo "is disabled."
Else
WScript.Echo "is enabled."
End If
WScript.Echo VbCr
Set objSacl = objNtSecurityDescriptor.SystemAcl
DisplayAceInformation objSacl, "SACL"
Sub DisplayAceInformation(SecurityStructure, strType)
Const ADS_ACETYPE_SYSTEM_AUDIT = &H2
Const ADS_ACETYPE_SYSTEM_AUDIT_OBJECT = &H7
intAceCount = 0
For Each objAce In SecurityStructure
strTrustee = Mid(objAce.Trustee,1,12)
If StrComp(strTrustee, "NT AUTHORITY", 1) <> 0 Then
intAceCount = intAceCount + 1
WScript.Echo strType & " permission entry: " & intAceCount
WScript.Echo "Name: " & objAce.Trustee
intAceType = objAce.AceType
WScript.Echo "ACETYPE IS: " & intAceType
If (intAceType = ADS_ACETYPE_SYSTEM_AUDIT or _
intAceType = ADS_ACETYPE_SYSTEM_AUDIT_OBJECT) Then
WScript.StdOut.Write "Type: Success or Failure Audit"
Else
WScript.StdOut.Write "Audit Type Unknown."
End If
ReadBitsInAccessMask(objAce.AccessMask)
WScript.Echo VbCr
End If
Next
End Sub
Sub ReadBitsInAccessMask(AccessMask)
Const ADS_RIGHT_DELETE = &H10000
Const ADS_RIGHT_READ_CONTROL = &H20000
Const ADS_RIGHT_WRITE_DAC = &H40000
Const ADS_RIGHT_WRITE_OWNER = &H80000
Const ADS_RIGHT_DS_CREATE_CHILD = &H1
Const ADS_RIGHT_DS_DELETE_CHILD = &H2
Const ADS_RIGHT_ACTRL_DS_LIST = &H4
Const ADS_RIGHT_DS_SELF = &H8
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_RIGHT_DS_DELETE_TREE = &H40
Const ADS_RIGHT_DS_LIST_OBJECT = &H80
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
WScript.Echo VbCrLf & "Standard Access Rights"
If (AccessMask And ADS_RIGHT_DELETE) Then _
WScript.Echo vbTab & "-Delete an object."
If (AccessMask And ADS_RIGHT_READ_CONTROL) Then _
WScript.Echo vbTab & "-Read permissions."
If (AccessMask And ADS_RIGHT_WRITE_DAC) Then _
WScript.Echo vbTab & "-Write permissions."
If (AccessMask And ADS_RIGHT_WRITE_OWNER) Then _
WScript.Echo vbTab & "-Modify owner."
WScript.Echo VbCrLf & "Directory Service Specific Access Rights"
If (AccessMask And ADS_RIGHT_DS_CREATE_CHILD) Then _
WScript.Echo vbTab & "-Create child objects."
If (AccessMask And ADS_RIGHT_DS_DELETE_CHILD) Then _
WScript.Echo vbTab & "-Delete child objects."
If (AccessMask And ADS_RIGHT_ACTRL_DS_LIST) Then _
WScript.Echo vbTab & "-Enumerate an object."
If (AccessMask And ADS_RIGHT_DS_READ_PROP) Then _
WScript.Echo vbTab & "-Read the properties of an object."
If (AccessMask And ADS_RIGHT_DS_WRITE_PROP) Then _
WScript.Echo vbTab & "-Write the properties of an object."
If (AccessMask And ADS_RIGHT_DS_DELETE_TREE) Then _
WScript.Echo vbTab & "-Delete a tree of objects"
If (AccessMask And ADS_RIGHT_DS_LIST_OBJECT) Then _
WScript.Echo vbTab & "-List a tree of objects."
WScript.Echo VbCrLf & "Control Access Rights"
If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) + _
(AccessMask And ADS_RIGHT_DS_SELF) = 0 Then
WScript.Echo "-None"
Else
If (AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) Then _
WScript.Echo vbTab & "-Extended access rights."
If (AccessMask And ADS_RIGHT_DS_SELF) Then
WScript.Echo vbTab & "-Active Directory must validate
a property "
WScript.Echo vbTab & " write operation beyond the
schema definition "
WScript.Echo vbTab & " for the attribute."
End If
End If
End Sub
有关在线支持,可以加入 msnews.microsoft.com 新闻服务器上的microsoft.public.windows.server.scripting 社区。要提供反馈或者报告脚本示例或“脚本指南”中的错误,请与 Microsoft TechNet联系。
免责声明
以上示例脚本不会获得由任何Microsoft标准支持计划或服务项目所提供的支持。这些示例脚本在提交时并未附带任何形式的保证承诺。不仅如此,Microsoft公司还不加限定条件地针对所有默许保证责任加以进一步否认,这其中便包括出于特定目的而针对适销性或适用性所承担的默许保证责任。因使用或执行上述示例脚本及文档资料而导致的全部风险均由读者自行承担。在任何情况下,Microsoft公司及其创作人员、亦或与上述脚本的创意、编制及提交有关的任何人员均无须针对因使用或无法使用上述示例脚本或文档资料所导致的任何损害(其中包括,企业利润损失、经营中断、业务信息丢失及其它经济损失)承担责任;即使Microsoft公司已被告知造成这种损害可能性,上述免责条款依然适用。
