Delegate auth via script results in "special" object type

Mark Smith

This script should delegate the "Personal Information" property set to all
user objects in the Finance OU.
However, when I look at the permissions in ADUC the "applies to" object type
says "special".

If I use ADUC to set the same ACE, the "applies to" object type says "user
object".

Anyone have any ideas on why this happens?

-0-

' ACE type, rights and flag bits used to build an object-specific ACE
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2
Const ADS_ACEFLAG_INHERIT_ACE = &H2

' Read the current security descriptor and its DACL from the OU
Set objSdUtil = GetObject("LDAP://OU=Finance, DC=fabrikam,DC=Com")
Set objSD = objSdUtil.Get("ntSecurityDescriptor")
Set objDACL = objSD.DiscretionaryACL

Set objAce = CreateObject("AccessControlEntry")

objAce.Trustee = "FABRIKAM\kmyer"
objAce.AceFlags = ADS_ACEFLAG_INHERIT_ACE
objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
' Both an ObjectType (the property set) and an InheritedObjectType (the class) are set
objAce.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT OR ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT
objAce.ObjectType = "{77b5b886-944a-11d1-aebd-0000f80367c1}"          ' Personal Information property set
objACE.InheritedObjectType = "{BF967ABA-0DE6-11D0-A285-00AA003049E2}" ' user class
objAce.AccessMask = ADS_RIGHT_DS_READ_PROP OR ADS_RIGHT_DS_WRITE_PROP
objDacl.AddAce objAce

' Write the modified DACL back into the descriptor and commit it
objSD.DiscretionaryAcl = objDacl

objSDUtil.Put "ntSecurityDescriptor", Array(objSD)
objSDUtil.SetInfo
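An added decoder, not part of the thread, that takes the same ACE fields the script sets and reports what the entry grants and where it applies; it is the kind of check worth running over a DACL whenever ADUC summarises an entry as "Special". It assumes standard Windows ACE flag semantics: INHERIT_ONLY_ACE (0x8, which the script does not set) is the bit that keeps an inheritable ACE from also applying to the object it is written on, so an entry built like the script's applies to the OU itself as well as to descendant user objects.

```python
# ADSI constants from the script above, plus INHERIT_ONLY_ACE which it does not use.
ADS_RIGHT_DS_READ_PROP = 0x10
ADS_RIGHT_DS_WRITE_PROP = 0x20
ADS_FLAG_OBJECT_TYPE_PRESENT = 0x1
ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = 0x2
ADS_ACEFLAG_INHERIT_ACE = 0x2        # CONTAINER_INHERIT_ACE: flows to child objects
ADS_ACEFLAG_INHERIT_ONLY_ACE = 0x8   # INHERIT_ONLY_ACE: skip the object the ACE is on
# Schema GUIDs as they appear in the script, and what they identify.
KNOWN_GUIDS = {
    "77b5b886-944a-11d1-aebd-0000f80367c1": "Personal Information",
    "bf967aba-0de6-11d0-a285-00aa003049e2": "user",
}

def guid_name(guid):
    return KNOWN_GUIDS.get(guid.strip("{}").lower(), guid)

def applies_to(ace):
    """List what the ACE applies to, derived from its inheritance bits alone."""
    targets = []
    if not ace["AceFlags"] & ADS_ACEFLAG_INHERIT_ONLY_ACE:
        targets.append("this object")  # the OU the ACE is written on
    if ace["AceFlags"] & ADS_ACEFLAG_INHERIT_ACE:
        if ace["Flags"] & ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT:
            targets.append("descendant %s objects" % guid_name(ace["InheritedObjectType"]))
        else:
            targets.append("all descendant objects")
    return targets

def rights(ace):
    """Name the property rights granted and the property (set) they cover."""
    names = [n for bit, n in ((ADS_RIGHT_DS_READ_PROP, "read"),
                              (ADS_RIGHT_DS_WRITE_PROP, "write"))
             if ace["AccessMask"] & bit]
    target = "all properties"
    if ace["Flags"] & ADS_FLAG_OBJECT_TYPE_PRESENT:
        target = guid_name(ace["ObjectType"])
    return "/".join(names) + " " + target

# The ACE exactly as the script builds it (values constructed from its constants).
SCRIPT_ACE = {
    "AceFlags": ADS_ACEFLAG_INHERIT_ACE,
    "Flags": ADS_FLAG_OBJECT_TYPE_PRESENT | ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT,
    "ObjectType": "{77b5b886-944a-11d1-aebd-0000f80367c1}",
    "InheritedObjectType": "{BF967ABA-0DE6-11D0-A285-00AA003049E2}",
    "AccessMask": ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP,
}
# Same ACE with INHERIT_ONLY_ACE added: it no longer applies to the OU itself.
CHILD_ONLY_ACE = dict(SCRIPT_ACE, AceFlags=ADS_ACEFLAG_INHERIT_ACE | ADS_ACEFLAG_INHERIT_ONLY_ACE)
for label, ace in (("script", SCRIPT_ACE), ("inherit-only", CHILD_ONLY_ACE)):
    print(label, "->", rights(ace), "on", ", ".join(applies_to(ace)))
```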
 
Jorge_de_Almeida_Pinto

Hi,

I'm trying to understand why you are delegating the Personal
Information Property Set to users, as this is possible by default. If I
remember correctly, if you look at the ACL of the user object you
will see SELF has the permissions to read and write the Personal
Information set. This is a default as defined in the schema. This is
true if inheritance is enabled and adminCount is not set to 1.
 
Mark Smith

I'm not trying to delegate it to the user his/herself. I'm trying to
delegate it to a group of administrators.