Subject: [ActiveDir] Active Directory Permissions
rkingsla@xxxx.yyy

09/03/2005 6:51 AM  
blanks and dupes here....

-r
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: Thursday, September 01, 2005 10:35 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory Permissions

Michael Smith's last post with this title showed up as blank for me.

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Dean Wells
Sent: Thursday, September 01, 2005 9:28 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Active Directory Permissions

Is anyone else receiving blank posts, per the enclosed, or occasional dupes?
--
Dean Wells
MSEtechnology
Email: dwells@msetechnology.com
http://msetechnology.com

From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Michael B. Smith
Sent: Thursday, September 01, 2005 8:52 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Cc: Sakari.Kouti@xxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory Permissions
AD000001012

09/04/2005 11:19 AM  
Hi All,

In case anyone is wondering: Several people were interested in the script that dumps all ACLs of a domain, so I'll upload one on www.kouti.com. However, I couldn't resist the temptation to enhance my old script a little, so I haven't yet uploaded it.

Another reason for the delay is that we got our third child a couple of days ago. Those of you that have read our book know it's about time, because the first two children were born in 2000 and 2003, and now R2 is about to be launched.

So, probably a couple of more days until the upload.

Yours, Sakari
Tony

09/05/2005 9:12 AM  
You guys are just special :-)  I've singled you out just to make your lives a misery.

On a marginally more serious note, I think we all saw Michael Smith's email as a blank.  Regarding the duplicate emails, the issue is still open and unresolved.  I'll chase it with my provider (again).  Apologies for the ongoing hassle.

Tony
Simon.Cooper@xxxx.yyy

09/05/2005 9:15 AM  
Hi Tony,

Can u please send me the link to unsubscribe.

Cheers,
AD000001012

09/08/2005 10:22 AM  
Hi All,

All software projects take twice the estimated schedule, so not on Tuesday, but now on Thursday there is finally the script to dump all AD ACEs at the end of the page http://www.kouti.com/scripts.htm

A few comments:

- As always, you would get most of the results using just end-user permissions

- The script works fastest, when run on a DC. They don't often have Excel installed, so I modified the script to create an HTML file instead of direct Excel dumping. You can copy this HTML file to a workstation, right-click the table in IE and select Export to Microsoft Excel.

- You can specify the root of dumping in an inputbox.

- By modifying three lines in the beginning of the script, you can specify:
    - Whether to scan only OUs or also other object classes
    - Whether to scan only normal-view objects or also advanced-view objects
    - Whether to display all ACEs or only non-inherited

Please let me know if you find bugs or have minor :-) feature suggestions. Note that the script is not bullet proof. For example, it breaks, if you try to run it as a standalone user, with no access to AD (no graceful exit, that is).

Yours, Sakari

PS. Thanks for the congrats on my third child.
listmail

09/09/2005 1:12 AM  
Nice tool Sakari.

Jorge, I will tackle the one point

"* For inherited permissions... "inherited from" is missing"

Inherited from isn't a field in the DACL. If someone puts that in a report,
it is because they specifically looked at the entire hierarchy and worked
out where the specific inherited ACE came from. It requires additional logic
of the script and disallows it from being written in a simple object by
object, sd by sd, DACL by DACL, ACE by ACE flow down and forget method. You
have to add lookup tables structures or set up some sort of tree structure
that you can backpedal up. Keeping in mind that a specific ACE could be on
level 1 and level 6 but inheritance blocked at level 3 and on level 9 you
find the inherited ACE you need to know to go to level 6 to get the
inherited from versus level 1. It isn't bad with the proper data structure,
you just have to set it up and maintain it.

It is sort of like you can't look at (and just at) the lockoutTime attribute
of a user and positively determine the user is locked, you have to add in
additional lookups and logic to chase it down.

So I would classify that one in the category of DCR versus issue. Not really
minor either in my opinion, definitely valuable though. :o)

Oh I will tackle another because that was quick...

"* The permissions of the domain object itself are not listed"

Look at the filter, it has several possible combinations. The default is to
show OrgUnits. If you make the following quick changes

Const SCOPE_OUS_ONLY = False 'True 'Whether to scan only OUs or also other object classes
Const SCOPE_NON_ADVANCED_VIEW = False 'True 'Whether to scan only normal-view objects or also advanced-view objects

It will do all objects (objectclass=*).

I think the DCR I would submit there is to allow the person to specify the
filter as well as the base, possibly the scope too.

And finally

"run the script from the command-line like CSCRIPT otherwise
you need to click away popup boxes"

Didn't happen to me... But then one of the first things I do is set CSCRIPT
as default. :o)


Ok, time to two fist some mountain dew and work on the last couple of
chapters of AD 3E... I expect everyone on the list to buy at least 10 copies
to give out to all of their friends. It is shaping up to be a book worth
reading. As one of the tech reviewers said in a note to me today...

"...... It's one you wrote from scratch, right? (I don't see any comments
or edits from you that would indicate it's an older, reworked chapter.)
Love. Love. Love love love. "

The book is supposed to target the lesser experienced folks and I fully
admit that, but for those that are experienced and buy it anyway I am adding
nice gems that you won't find documented anywhere else. Unfortunately I
don't get to use phrases like "set my hair on fire" or "its like a junebug
on a hot tin roof" or anything like that, but it is still good. Next book
will be more fun.
joe



-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Almeida Pinto,
Jorge de
Sent: Thursday, September 08, 2005 8:07 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx; ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Active Directory Permissions

Hi Sakari,

Just tested the script on my home DC. Works great.

Minor Minor Minor issues.. ;-))

* Last line states "This table was generated at 09-Sep-2005 01:47:40 by
ACLsToExcel.vbs" the last should be ACLReport.vbs Instead of hardcoding the
name of the file add WScript.ScriptName
* The permissions of the domain object itself are not listed
* white space is explicit allow permission (not mentioned)
* For inherited permissions... "inherited from" is missing

Cheers
Jorge

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
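
Added example, not part of the original thread and not code from Sakari's script: joe's point about resolving "inherited from" by walking back up the tree, run over a constructed nine-level OU chain with the same ACE set at level 1 and level 6 and inheritance blocked at level 3. The Node and Ace classes, the DNs, the trustee and the access mask are assumptions for illustration; matching is simplified to trustee, mask and type, without object-type or inherit-only handling.

```python
from dataclasses import dataclass, field
from typing import Optional

# Real Windows flag values; all objects and ACEs below are constructed samples.
CONTAINER_INHERIT_ACE = 0x02   # ACE flag: passed down to child containers
INHERITED_ACE = 0x10           # ACE flag: this copy came from a parent
SE_DACL_PROTECTED = 0x1000     # SD control bit: inheritance blocked here


@dataclass(frozen=True)
class Ace:
    trustee: str
    mask: int
    ace_type: str              # "allow" or "deny"
    flags: int

    def key(self):
        # What is granted, independent of where it was set.
        return (self.trustee, self.mask, self.ace_type)


@dataclass
class Node:
    dn: str
    parent: Optional["Node"] = None
    control: int = 0
    dacl: list = field(default_factory=list)


def inherited_from(node, ace):
    """DN of the object where `ace` was explicitly set, or None if unresolved."""
    if not ace.flags & INHERITED_ACE:
        return node.dn                      # explicit: set on the object itself
    if node.control & SE_DACL_PROTECTED:
        return None                         # a protected object inherits nothing
    anc = node.parent
    while anc is not None:
        for cand in anc.dacl:
            explicit = not cand.flags & INHERITED_ACE
            if explicit and cand.flags & CONTAINER_INHERIT_ACE and cand.key() == ace.key():
                return anc.dn               # nearest source wins (level 6, not 1)
        if anc.control & SE_DACL_PROTECTED:
            return None                     # nothing above this point flows down
        anc = anc.parent
    return None


def build_sample():
    """Constructed chain OU=L1 ... OU=L9 matching the scenario in the post."""
    grant = ("EXAMPLE\\Helpdesk", 0x20, "allow")     # hypothetical trustee/mask
    explicit = Ace(*grant, flags=CONTAINER_INHERIT_ACE)
    inherited = Ace(*grant, flags=CONTAINER_INHERIT_ACE | INHERITED_ACE)
    nodes, parent, dn = {}, None, "DC=example,DC=test"
    for level in range(1, 10):
        dn = f"OU=L{level}," + dn
        node = Node(dn, parent)
        if level in (1, 6):
            node.dacl.append(explicit)      # ACE set explicitly at levels 1 and 6
        elif level in (2, 7, 8, 9):
            node.dacl.append(inherited)     # copies produced by propagation
        if level == 3:
            node.control |= SE_DACL_PROTECTED
        nodes[level], parent = node, node
    return nodes
```

The parent pointer is the "tree structure" the post refers to; a report script would build it once from the search results and call inherited_from for every ACE carrying the inherited flag.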

ZJORZ

09/09/2005 12:08 PM  
Hi Sakari,

Just tested the script on my home DC. Works great.

Minor Minor Minor issues.. ;-))

* Last line states "This table was generated at 09-Sep-2005 01:47:40 by ACLsToExcel.vbs"; the last should be ACLReport.vbs. Instead of hardcoding the name of the file, add WScript.ScriptName
* The permissions of the domain object itself are not listed
* white space is explicit allow permission (not mentioned)
* For inherited permissions... "inherited from" is missing

Cheers
Jorge

ZJORZ

09/09/2005 12:12 PM  
Oh... forgot to mention...

run the script from the command-line like CSCRIPT
otherwise you need to click away popup boxes

Cheers
Jorge

AD000001012

09/09/2005 12:30 PM  
Hi Jorge, Joe and others,

Thanks for the input. I just posted version 1.01 of the script.

> run the script from the command-line like CSCRIPT
> otherwise you need to click away popup boxes

Now the popups (or command-line output, that is) appear only in cscript. So not tens of popups, if you happen to use wscript.

> * Last line states "This table was generated at 09-Sep-2005
> 01:47:40 by ACLsToExcel.vbs" the last should be ACLReport.vbs
> Instead of hardcoding the name of the file add WScript.ScriptName

Good point, I fixed the name (still use hard-coded, though)

> * The permissions of the domain object itself are not listed

You could think the domain object to be kind of an OU, and part of the OU tree, so now "OUs only" actually means "OUs and the domain object"

> * white space is explicit allow permission (not mentioned)

Added

> * For inherited permissions... "inherited from" is missing

As Joe points out, this is not trivial. Maybe sometimes later, if at all...

Yours, Sakari

PS. Three children is the maximum, so no fourth one with Longhorn.
ZJORZ

09/09/2005 12:49 PM  
Hi Sakari,

Congrats!

So we can expect the 4th edition and your 4th child to see the world in 2007 - the longhorn timeframe? ;-)) Just kidding!

Thanks for the script

cheers,
Jorge