Using information from TechNet's Using Scripts to Delegate Control of Active Directory and MSDN's Personal-Information Property Set, I have scripted Grant_Personal_Information.vbs to grant all users the right to maintain their own personal information: each user object receives an access-control entry that lets that user read and write the Personal-Information property set on its own object.
To use Grant_Personal_Information.vbs:
1. Log onto the domain you wish to configure with Domain Admin authority.
2. Open a CMD.EXE window.
3. Switch to the folder that contains the Grant_Personal_Information.vbs script.
4. Type the following command and press Enter:
cscript //nologo Grant_Personal_Information.vbs
Grant_Personal_Information.vbs contains:
On Error Resume Next

Dim objConnection, objCommand, objRootDSE, strDNSDomain
Dim strFilter, strQuery, objRecordSet, DOM
Dim strBase, strAttributes, strDN, strSAM, oShell
Dim objSdUtil, objSD, objDACL, objAce

Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_RIGHT_DS_WRITE_PROP = &H20
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2

' Connect to Active Directory through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

' Search the whole domain for user objects
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"
strFilter = "(&(objectCategory=person)(objectClass=user))"
strAttributes = "distinguishedName,sAMAccountName"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 99999
objCommand.Properties("Timeout") = 300
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute

' NetBIOS domain name, used to build the trustee as DOMAIN\user
Set oShell = CreateObject("WScript.Shell")
DOM = oShell.ExpandEnvironmentStrings("%USERDOMAIN%")

objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName")
    strSAM = objRecordSet.Fields("sAMAccountName")

    ' Read the user object's security descriptor and its DACL
    Set objSdUtil = GetObject("LDAP://" & strDN)
    Set objSD = objSdUtil.Get("ntSecurityDescriptor")
    Set objDACL = objSD.DiscretionaryACL

    ' Build an object-specific ACE: this user is allowed Read Property and
    ' Write Property on the Personal-Information property set (by its GUID)
    Set objAce = CreateObject("AccessControlEntry")
    objAce.Trustee = DOM & "\" & strSAM
    objAce.AceFlags = 0
    objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
    objAce.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
    objAce.ObjectType = "{77b5b886-944a-11d1-aebd-0000f80367c1}"
    objAce.AccessMask = ADS_RIGHT_DS_READ_PROP OR ADS_RIGHT_DS_WRITE_PROP

    ' Append the ACE to the DACL and write the descriptor back to the object
    objDACL.AddAce objAce
    objSD.DiscretionaryAcl = objDACL
    objSdUtil.Put "ntSecurityDescriptor", Array(objSD)
    objSdUtil.SetInfo

    objRecordSet.MoveNext
Loop

objConnection.Close
Set objConnection = Nothing
Set objCommand = Nothing
Set objRootDSE = Nothing
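A way to confirm the script did what was intended, added here as an example and not part of the original post: the PowerShell below walks the same user population and reports any user object that does not carry an Allow ACE for that user's own SID on the Personal-Information property set with both Read Property and Write Property. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and an account allowed to read the objects' security descriptors.

```powershell
# Added check, not part of Grant_Personal_Information.vbs: find user objects that
# lack an explicit grant of Read/Write Property on the Personal-Information
# property set for the user itself. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Property-set GUID referenced by the VBScript
$PersonalInfoGuid = [Guid]'77b5b886-944a-11d1-aebd-0000f80367c1'
$ReadProp  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$WriteProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Test-PersonalInfoGrant {
    # Returns $true when $User's own SID holds an Allow ACE scoped to the
    # Personal-Information property set carrying ReadProperty and WriteProperty.
    param([Parameter(Mandatory)]$User)

    $acl = Get-Acl -Path ("AD:\" + $User.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ObjectType -ne $PersonalInfoGuid) { continue }
        # IdentityReference may be an NTAccount or a SID; normalise to a SID string
        $aceSid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($aceSid -ne $User.SID.Value) { continue }
        if ($ace.ActiveDirectoryRights.HasFlag($ReadProp) -and
            $ace.ActiveDirectoryRights.HasFlag($WriteProp)) {
            return $true
        }
    }
    return $false
}

# Same population the VBScript touches: every user object in the domain
$missing = Get-ADUser -Filter * | Where-Object { -not (Test-PersonalInfoGrant $_) }
if ($missing) {
    Write-Output "Users without the Personal-Information grant:"
    $missing | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
} else {
    Write-Output "All user objects carry the Personal-Information grant."
}
```

A user listed here did not receive the ACE, which is worth checking because the VBScript's On Error Resume Next would have swallowed any failure on that object without reporting it.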