I'm just writing a script that creates groups in the AD. These groups are named by a special naming convention (for our firm). I also set the "Scope of Group". Everything works very nicely.
Now I want to set NTFS permissions on the newly built group and I tried using this:
```vb
Const UF_WORKSTATION_TRUST_ACCOUNT = &H1000
Const UF_ACCOUNTDISABLE = &H2
Const UF_PASSWD_NOTREQD = &H20
Const ADS_GUID_COMPUTRS_CONTAINER = "aa312825768811d1aded00c04fd8d5cd"
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACEFLAG_INHERIT_ACE = 2

' Trustee that should receive the permission
sUserOrGroup = "ou2/Groups/User Name"

' Read the security descriptor of the new group and its DACL
Set secDescriptor = createGroup.Get("ntSecurityDescriptor")
Set dACL = secDescriptor.DiscretionaryAcl

' Build an allow ACE with all access-mask bits set for the trustee
Set ACE = CreateObject("AccessControlEntry")
ACE.AccessMask = -1
ACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
ACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
ACE.Trustee = sUserOrGroup

' Add the ACE and write the descriptor back to the group
dACL.AddAce ACE
secDescriptor.DiscretionaryAcl = dACL
createGroup.Put "ntSecurityDescriptor", Array(secDescriptor)
createGroup.SetInfo
createGroup.AccountDisabled = False
createGroup.SetInfo
```
My LDAP looks like this: LDAP://10.0.10.10/ou=OU1,dc=domain,dc=test
The user I want to give permission to the group is in
domain.test/OU1/OU2/Groups/ and its name is User Name (only to see if perhaps the path to the user is wrong and so it doesn't work).
When I start the script, I log on to the AD and build a new group - this works. Now I want to set the permissions and get the error "The security ID structure is invalid" in this row:
createGroup.Put "ntSecurityDescriptor", Array(secDescriptor)
Hopefully you can help me - I would be very happy!
Thanks and sorry for my bad English,
Marc