How to find extended rights that apply to a schema class object by using Visual Basic Script

The purpose of this article is to provide a method that employs Visual Basic Script to list all of the extended rights (controlAccessRight objects) whose AppliesTo attribute matches a given SchemaIDGUID of a specified SchemaClass object. The sample in this article provides command line help that demonstrates how to search for all extended rights that apply to the User class.
More information
Visual Basic Script does not provide a simple method for working with a variant array of bytes, so a method to transform the binary GUID into a string GUID suitable for an LDAP query was needed. The Array Converter sample exposes a method that converts binary data into its hex string equivalent. This Visual Basic Script takes advantage of that capability and then reorders the hex string into the form that the appliesTo attribute uses, so that it can be used in an LDAP query to search for matching appliesTo values.

This conversion takes place in the FlipOctetGuidToTextGuid function provided in the "Visual Basic Script Code" section of this article.

The code follows a very simple algorithm:
  1. Use the RootDSE object to obtain information about the defaultNamingContext, schemaNamingContext, and configurationNamingContext.
  2. Bind to the specified schema object and retrieve the schemaIDGUID property.
  3. Convert the schemaIDGUID into a string and manipulate the bytes.
  4. Perform an LDAP dialect query on the extended rights container by searching for the appliesTo property that matches the given schemaIDGUID.
  5. Display the results.

Visual Basic Script code

Const ADSI_PROVIDER = "ADSDSOObject"
Const ADSI_PROV_NAME = "Active Directory Provider"

'<<<<<<<<<<<<<<<<<<<<<< MAIN VBS >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
'
' Requires that ADSEncoder.DLL and ADS.DLL be registered in order for this
' script to execute.  ADSEncoder provides a set of interfaces that
' can be used to binary encode the guid string for use in an LDAP query.
'
' ADs.DLL provides some useful string conversion utilities.
'
  Dim RootDSEStr
  Dim objpath
  Dim oSchemaObj
  Dim oRootDSE
  Dim flipstring
  Dim rightsguids()
  Dim args, userID, Password, ldpServer, i
  '
  ' Validate the arguments
  '  See the DisplayUsage subroutine for details on calling args
  '
  Set args = WScript.Arguments
  If (args.Count < 4) Then
    WScript.Echo "Error: Wrong Number of arguments"
    Call DisplayUsage()
    WScript.Quit 1
  End If
  '
  ' Note: the password is supplied as a command-line argument, so it is
  ' visible in process listings and command history on the machine that
  ' runs the script.
  '
  userID = args(1)
  Password = args(2)
  ldpServer = args(3)
  '
  ' Bind to the rootDSE object for the domain to obtain
  ' the Default Naming Context
  ' and
  ' the Schema Naming Context to build the ADsPath for
  ' the SchemaClass object
  '
  Set oRootDSE = GetObject("LDAP://RootDSE")
  objpath = "LDAP://cn=" & args(0) & "," & oRootDSE.Get("SchemaNamingContext")
  WScript.Echo "Binding to: " & vbCrLf & objpath
  Set oSchemaObj = GetObject(objpath)
  RootDSEStr = oRootDSE.Get("DefaultNamingContext")
  '
  ' Retrieve the SchemaIDGuid and convert it to a form
  ' that can be used in an LDAP query.
  ' Flip the binary GUID around so we can work with it...
  '
  flipstring = FlipOctetGuidToTextGuid(oSchemaObj.Get("SchemaIDGUID"))
  '
  ' Find all of the controlAccessRight objects whose AppliesTo attribute
  ' contains the specified guid and return an array of strings that contain
  ' the cn and displayName of each object found that meets the match
  '
  FindRightsGuidsFromSchemaIDGuid flipstring, rightsguids, userID, Password, ldpServer
  '
  ' Display the results (the array is empty when nothing matched)
  '
  WScript.Echo "AccessControlRight Objects (Extended Rights or Property Sets) Found: "
  For i = LBound(rightsguids) To UBound(rightsguids)
    WScript.Echo rightsguids(i)
  Next
'
'<<<<<<<<<<<<<<<<<<<<<<< END MAIN VBS >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
'
Function FlipOctetGuidToTextGuid(octet)
    Dim cnv
    Dim tmpGuid, octetStr, guidStr
    '
    ' Due to a limitation in VBS, we need to convert
    ' the variant array of bytes into its string counterpart.
    ' Then we must flip the bytes around to get them into the
    ' proper order and format the string to match
    ' the GUID string in the AppliesTo attribute of an AccessControlRight
    ' object.
    '
    Set cnv = CreateObject("ADs.ArrayConvert")
    tmpGuid = cnv.CvOctetStr2vHexStr(octet)
    '
    ' The first three GUID fields are stored little-endian, so their
    ' bytes are reversed (Mid positions are 1-based, two hex digits per byte).
    '
    octetStr = Mid(tmpGuid, 7, 2)             ' byte 3
    octetStr = octetStr + Mid(tmpGuid, 5, 2)  ' byte 2
    octetStr = octetStr + Mid(tmpGuid, 3, 2)  ' byte 1
    octetStr = octetStr + Mid(tmpGuid, 1, 2)  ' byte 0
    octetStr = octetStr + Mid(tmpGuid, 11, 2) ' byte 5
    octetStr = octetStr + Mid(tmpGuid, 9, 2)  ' byte 4
    octetStr = octetStr + Mid(tmpGuid, 15, 2) ' byte 7
    octetStr = octetStr + Mid(tmpGuid, 13, 2) ' byte 6
    '
    ' The remaining eight bytes are used in the order they are stored.
    '
    octetStr = octetStr + Mid(tmpGuid, 17, Len(tmpGuid))
    '
    ' Add the '-'s
    '
    guidStr = Mid(octetStr, 1, 8) & "-" & Mid(octetStr, 9, 4) & "-" & Mid(octetStr, 13, 4) & "-" & Mid(octetStr, 17, 4) & "-" & Mid(octetStr, 21, 12)
    '
    ' Return the GUID in the form that can be used in an LDAP
    ' query to find matching AppliesTo GUIDs in the Extended-Rights container
    '
    FlipOctetGuidToTextGuid = guidStr
End Function
'
' FindRightsGuidsFromSchemaIDGuid uses the ADSI ADO provider
' to perform an LDAP dialect query against the Extended-Rights container,
' searching for all of the AccessControlRight objects whose AppliesTo property
' contains the GUID specified in the appliesToGuid parameter.
'
' The subroutine returns (in RetGuids) an array of strings containing the
' Common Name and LDAP Display Name for each AccessControlRight object found.
' RetGuids is an empty array when no object matches.
'
' RootDSEStr (the default naming context) is read from the script-level
' variable set by the main routine.
'
Sub FindRightsGuidsFromSchemaIDGuid(appliesToGuid, RetGuids, userid, password, ldpserver)
   Dim strQuery
   Dim cmd
   Dim m_pConn
   Dim m_recordSet
   Dim rCount
   Dim tmpStr
   Set cmd = CreateObject("ADODB.Command")
   Set m_pConn = CreateObject("ADODB.Connection")
   m_pConn.Provider = ADSI_PROVIDER
   m_pConn.Properties("Encrypt Password") = False
   m_pConn.Properties("User ID") = userid
   m_pConn.Properties("Password") = password
   '
   ' Open the connection and run the query
   '
   m_pConn.Open ADSI_PROV_NAME
   Set cmd.ActiveConnection = m_pConn
   strQuery = "<LDAP://" & ldpserver & "/CN=Extended-Rights,CN=Configuration," & RootDSEStr & ">;(appliesTo=" & appliesToGuid & ");RightsGuid,cn,displayname;subtree"
   cmd.CommandText = strQuery
   cmd.Properties("Page Size") = 10
   Set m_recordSet = cmd.Execute
   '
   ' Start with an empty array so the caller can always use LBound/UBound
   '
   ReDim RetGuids(-1)
   rCount = 0
   While (Not m_recordSet.EOF)
      rCount = rCount + 1
      ReDim Preserve RetGuids(rCount - 1)
      tmpStr = m_recordSet.Fields("cn") & " " & Chr(34) & m_recordSet.Fields("displayName") & Chr(34)
      RetGuids(rCount - 1) = tmpStr
      m_recordSet.MoveNext
   Wend
   m_recordSet.Close
   m_pConn.Close
End Sub
'
' DisplayUsage provides limited help information for the script.
'
Sub DisplayUsage()
   '
   ' This VBS requires 4 arguments in the following order:
   '  1. CN for the SchemaClassObject without the "CN=" prefix
   '  2. UserID to use for credentials for the ADO query
   '  3. Password for the UserID
   '  4. NetBIOS form of the LDAP server to target
   '
   ' ie: props user "Domain\User" "Password" MyServer
   '
   ' Will try to display all of the AccessControlRight objects whose
   ' AppliesTo property matches the SchemaIDGuid of the schemaClass object
   ' user, using the credentials of Domain\User to bind,
   ' to query the LDAP server MyServer
   '
   '             1--------0---------2---------3---------4---------5---------6---------7--------*
   WScript.Echo "appliesto.VBS ->"
   WScript.Echo "Displays a list of AccessControlRight objects whose AppliesTo property"
   WScript.Echo "Matches the SchemaIDGUID property of the provided SchemaClass object"
   WScript.Echo
   WScript.Echo "USAGE: Props Schema_Class_Object UserID Password LDAP_Server"
   WScript.Echo "WHERE:"
   WScript.Echo "       Schema_Class_Object - CN of SchemaClass object to find AccessControlRight objects"
   WScript.Echo "       UserID - User credentials to use for the ADO query"
   WScript.Echo "       Password - Password for UserID"
   WScript.Echo "       LDAP_Server - can be the NetBIOS or DNS name for the LDAP server to"
   WScript.Echo "          target for the LDAP ADO query" & vbCrLf
   WScript.Echo " Example: To list Extended Rights associated with user class object"
   WScript.Echo "    using the credentials for MyDomain\JoeB against the AD server"
   WScript.Echo "    LDAPServer the command line would be:"
   WScript.Echo "props user MyDomain\JoeB PWD_for_JoeB LDAPServer"
   WScript.Echo "<--------------------IMPORTANT NOTE :-------------------->"
   WScript.Echo " ADsEncoder.Dll and ADS.DLL must be registered using RegSvr32 in order for"
   WScript.Echo " this script to execute successfully"
End Sub
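The byte reordering that FlipOctetGuidToTextGuid performs (step 3 of the algorithm) is the part of the script most likely to be reimplemented elsewhere, so here is an added Python example, not part of the original article, that mirrors it on raw bytes, checks it against the standard library's little-endian GUID decoding, and builds the appliesTo filter the script sends. The sample input is the well-known schemaIDGUID of the User class laid out in stored byte order; the function and constant names are this example's own.

```python
import uuid

# Well-known schemaIDGUID of the User class, bf967aba-0de6-11d0-a285-00aa003049e2,
# written out in the little-endian byte order in which Active Directory stores
# the schemaIDGUID attribute (sample bytes constructed from that known value).
USER_SCHEMA_ID_GUID_OCTETS = bytes.fromhex("ba7a96bfe60dd011a28500aa003049e2")


def flip_octet_guid_to_text_guid(octet: bytes) -> str:
    """Mirror of the script's FlipOctetGuidToTextGuid.

    Data1, Data2 and Data3 are stored little-endian, so their bytes are
    reversed; the trailing eight bytes are used in the order they are stored.
    """
    if len(octet) != 16:
        raise ValueError("schemaIDGUID must be exactly 16 bytes")
    h = octet.hex()  # same hex string CvOctetStr2vHexStr yields, 0-based here
    return "-".join([
        h[6:8] + h[4:6] + h[2:4] + h[0:2],  # Data1: bytes 3,2,1,0
        h[10:12] + h[8:10],                 # Data2: bytes 5,4
        h[14:16] + h[12:14],                # Data3: bytes 7,6
        h[16:20],                           # Data4[0:2] unchanged
        h[20:32],                           # Data4[2:8] unchanged
    ])


def text_guid_to_octet(text_guid: str) -> bytes:
    """Inverse direction: the bytes AD stores for a textual GUID."""
    return uuid.UUID(text_guid).bytes_le


def applies_to_filter(octet: bytes) -> str:
    """The LDAP filter the script builds for its CN=Extended-Rights query."""
    return f"(appliesTo={flip_octet_guid_to_text_guid(octet)})"


if __name__ == "__main__":
    text = flip_octet_guid_to_text_guid(USER_SCHEMA_ID_GUID_OCTETS)
    print(text)  # bf967aba-0de6-11d0-a285-00aa003049e2
    print(applies_to_filter(USER_SCHEMA_ID_GUID_OCTETS))
    # Cross-check against the standard library's little-endian GUID decoding.
    assert text == str(uuid.UUID(bytes_le=USER_SCHEMA_ID_GUID_OCTETS))
```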
For more information on ADS.dll and ArrayConvert.exe, click the following article number to view the article in the Microsoft Knowledge Base:

250344 SAMPLE: ARRAYCONVERT.EXE Variant Conversion Functions

For more information about controlAccessRight objects, see the MSDN Library topics on that subject.

The ADsEncoder.dll file is part of the Active Directory Service Interfaces (ADSI) 2.5 resource kit, which is available for download from the Microsoft Web site. If this DLL does not register correctly, ADSI is not installed.

Article ID: 302514 - Last Review: 01/11/2015 04:17:32 - Revision: 5.0

