
AD permissions and Exchange contacts question

Discussion in 'Software' started by hippy, May 11, 2009.

  1. hippy

    hippy Kilobyte Poster

    AD Q:

    On a user under the security tab, in advanced there is the inherit permissions tick box like a normal file share. Some tw_t has been unticking these on some users so they can't access OWA because of permissions!!! Anyone know of a way en masse to reset every user to the 'ticked' choice?

    Exchange Q:

    We have sister and parent companies which consist of 300 contacts which we have to have in a separate address book in Exchange. Anyone know a fast way of doing this? I understand I need to make contact cards in Exchange until the cows come home....

    Cheers Ladies and Gents!
  2. Gingerdave

    Gingerdave Megabyte Poster

    Find said helpful person and get them to go through it? :biggrin
    Certifications: A+,MCP, MCDST, VCP5 /VCP-DV 5, MCTS AD+ Net Inf 2008, MCSA 2008
    WIP: MCSA 2012
  3. Triton.Deep

    Triton.Deep Bit Poster

    AD Question:


    That gives you the basic engine, you'd still have to wrap it in some VBScript to have it iterate through all your users. Anytime you write info back to Active Directory, be paranoid about what you're doing. Test first and make sure last night's backup was successful :)

    Exchange Question:

    I must be misunderstanding this. It's easy to make additional address lists in Exchange (Exchange System Manager\Recipients\All Address Lists, right click New Address List). Can make that address list query based, use just about any user object's field. Is that what you meant? Or....? If you just want those contacts to show up in your users' GAL, then just use SimpleSync to pull the other Org's contacts into yours.

    Hope that helps, if it doesn't, give me a little more info and I'll try again. :)

    Certifications: MCITP EMA, MCTS, MCSE (x3), CCNA, A+,etc
    WIP: MCM for Exchange probably. Not Sure
  4. hippy

    hippy Kilobyte Poster

    Thanks for the AD info and got something to work to tick the inherited option. If anyone else gets this problem:

    Option Explicit
    Dim objCommand, objConnection, strBase, strFilter, strAttributes
    Dim strQuery, objRecordset, strName, strCN

    ' Control flag that is set when "inherit permissions" is unticked.
    Const SE_DACL_PROTECTED = &H1000

    ' Set up ADO objects.
    Set objCommand = CreateObject("ADODB.Command")
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    objCommand.ActiveConnection = objConnection

    ' Search base. Replace the * placeholders with your own OU and
    ' domain components, or use another OU/container if desired.
    strBase = "<LDAP://ou=*,dc=*,dc=*,dc=*>"

    ' Search for all user objects in the base.
    strFilter = "(&(objectCategory=person)(objectClass=user))"

    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName"

    ' Construct the LDAP syntax query.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

    ' Run the query.
    objCommand.CommandText = strQuery
    objCommand.Properties("Page Size") = 100
    objCommand.Properties("Timeout") = 30
    objCommand.Properties("Cache Results") = False
    Set objRecordset = objCommand.Execute

    ' Enumerate the recordset.
    Do Until objRecordset.EOF
        strName = objRecordset.Fields("distinguishedName").Value
        Call AllowInherit(strName)
        ' Advance to the next user; without this the loop never ends.
        objRecordset.MoveNext
    Loop

    ' Clean up.
    objRecordset.Close
    objConnection.Close

    Sub AllowInherit(strUserDN)
        ' Subroutine to set bit for "Allow inheritable permissions
        ' from parent to propagate to this object".

        Dim objUser, objNtSecurityDescriptor
        Dim intNtSecurityDescriptorControl

        ' Bind to user object.
        Set objUser = GetObject("LDAP://" & strUserDN)

        ' Retrieve security descriptor object for this object.
        Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")

        ' Retrieve control settings.
        intNtSecurityDescriptorControl = objNtSecurityDescriptor.Control

        ' Check if the bit is set.
        If ((intNtSecurityDescriptorControl And SE_DACL_PROTECTED) <> 0) Then
            ' Toggle the bit for "allow inheritable permissions".
            intNtSecurityDescriptorControl = intNtSecurityDescriptorControl _
                Xor SE_DACL_PROTECTED

            ' Save control settings in the security descriptor object.
            objNtSecurityDescriptor.Control = intNtSecurityDescriptorControl

            ' Save the security descriptor object.
            objUser.Put "ntSecurityDescriptor", objNtSecurityDescriptor

            ' Update the user object.
            objUser.SetInfo
        End If
    End Sub

    In Exchange I think I'm going to have to manually make all the contact cards or something... *cries* my boss is bad at negotiating with the other companies for something useful it appears......
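
A dry-run check for the bulk change described in this thread, as an added example that is not part of the original posts: it reads the Control word from raw nTSecurityDescriptor values and reports which users would have SE_DACL_PROTECTED cleared, without writing anything. The function names, sample DNs and descriptor bytes are constructed; accounts with adminCount=1 are skipped on the assumption that they are covered by AdminSDHolder, whose ACL is reapplied with inheritance disabled.

```python
import struct

SE_DACL_PROTECTED = 0x1000  # same bit the VBScript in this thread tests
SE_SELF_RELATIVE = 0x8000


def read_control(sd):
    """Return the Control word of a self-relative security descriptor."""
    if len(sd) < 20:
        raise ValueError("shorter than the 20-byte descriptor header")
    revision, _sbz1, control = struct.unpack_from("<BBH", sd, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative descriptor")
    return control


def plan_reset(users):
    """Dry run: (dn, action, old, new) per (dn, sd bytes, adminCount) tuple."""
    plan = []
    for dn, sd, admin_count in users:
        try:
            old = read_control(sd)
        except ValueError:
            plan.append((dn, "error", None, None))
            continue
        if not old & SE_DACL_PROTECTED:
            plan.append((dn, "ok", old, old))  # already inheriting
        elif admin_count == 1:
            # AdminSDHolder-protected account: SDProp would undo the change.
            plan.append((dn, "skip-admin", old, old))
        else:
            plan.append((dn, "reset", old, old & ~SE_DACL_PROTECTED))
    return plan


def _sd(control):  # constructed header-only descriptor for the sample
    return struct.pack("<BBHIIII", 1, 0, control, 0, 0, 0, 0)


SAMPLE = [  # constructed sample data, not from a real directory
    ("CN=Alice,OU=Staff,DC=example,DC=test", _sd(0x8C04), None),
    ("CN=Bob,OU=Staff,DC=example,DC=test", _sd(0x9C04), None),
    ("CN=Admin1,OU=Staff,DC=example,DC=test", _sd(0x9C04), 1),
    ("CN=Broken,OU=Staff,DC=example,DC=test", b"\x01\x00", None),
]

if __name__ == "__main__":
    for row in plan_reset(SAMPLE):
        print(row)
```

Keeping the old Control value for every "reset" row gives a record to restore from if the change has to be backed out.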
  5. Triton.Deep

    Triton.Deep Bit Poster

    On the Exchange portion, this really does sound like something that you could automate. Providing that the other companies use Active Directory, it would be simple to write a VBScript that reads their accounts and gathers the information into a text file. Then reverse it and import it into your domain as contacts.

    I'd be happy to help put something together, I like doing that sort of thing.

    Certifications: MCITP EMA, MCTS, MCSE (x3), CCNA, A+,etc
    WIP: MCM for Exchange probably. Not Sure
