How to programmatically apply access permissions for Windows Server 2003 built-in groups in the Active Directory directory service

Support for Windows Server 2003 ended on July 14, 2015


This article was previously published under Q331947
Microsoft Windows Server 2003 introduced several built-in groups to simplify administration of access permissions when the domain is in high-security mode.

By default, the built-in groups have the correct access permissions to the appropriate objects in a new installation of a Windows Server 2003 domain. However, in mixed-mode domains and in upgraded domains, some access permissions that were set earlier may not be updated. This issue occurs when a Windows Server 2003 domain controller is added to a Windows 2000 domain. It also occurs when a Windows 2000 domain is upgraded to a Windows Server 2003 domain.

The following script demonstrates how to grant access permissions to the Token-Groups-Global-And-Universal (TGGAU) attribute for "BUILTIN\Windows Authentication Access Group" (well-known SID S-1-5-32-560) by adding an object-specific, inheritable access-control entry (ACE) to the discretionary ACL (DACL) of the target object.

Visual Basic Script Code (Modifyacl.vbs)

On Error Resume Next

Const ADS_RIGHT_DS_READ_PROP = &H10
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACEFLAG_INHERIT_ACE = &H2
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1

' schemaIDGUID of Token-Groups-Global-And-Universal
Const TOKEN_GROUPS_PROPERTY_GUID = "{46a9b11d-60ae-405a-b7e8-ff8a58d456d2}"
' BUILTIN\Windows Authentication Access Group
Const WINDOWS_AUTH_ACCESS_SID = "S-1-5-32-560"

Set oArgs = WScript.Arguments
If oArgs.Count <> 1 Then
    WScript.Echo "Usage: modifyacl.vbs <DN of the object to modify>"
    WScript.Echo "Ex:    modifyacl.vbs OU=test,DC=domain,DC=com"
    WScript.Quit(1)
End If

WScript.Echo "Trying to bind to the object " & oArgs(0)
Set oTarget = GetObject("LDAP://" & oArgs(0))
If (Err.Number <> 0) Then
    WScript.Echo "Error 0x" & CStr(Hex(Err.Number)) & " Occurred trying to bind to the object"
    Err.Clear
    ' Nothing further can succeed without the bound object, so stop here
    WScript.Quit(1)
End If

WScript.Echo "Reading security descriptor"
Set oSD = oTarget.Get("ntSecurityDescriptor")
Set oACL = oSD.DiscretionaryAcl
If (Err.Number <> 0) Then
    WScript.Echo "Error 0x" & CStr(Hex(Err.Number)) & " Occurred reading the security descriptor"
    Err.Clear
    WScript.Quit(1)
End If

WScript.Echo "Creating new ACE and setting properties"
Set oACE = CreateObject("AccessControlEntry")
If (Err.Number <> 0) Then
    WScript.Echo "Error 0x" & CStr(Hex(Err.Number)) & " Occurred creating new ACE"
    Err.Clear
    WScript.Quit(1)
End If

' Right to read properties of the object; limited to one specific property below
oACE.AccessMask = ADS_RIGHT_DS_READ_PROP
' Object-specific "allow" ACE: grants access to the object or to one property of it
oACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
' Child objects inherit this access-control entry
oACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
' Restrict the ACE to the Token-Groups-Global-And-Universal attribute
oACE.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT
oACE.ObjectType = TOKEN_GROUPS_PROPERTY_GUID
' Trustee: BUILTIN\Windows Authentication Access Group
oACE.Trustee = WINDOWS_AUTH_ACCESS_SID

WScript.Echo "Applying the modified security descriptor to the object"
oACL.AddAce oACE
oSD.DiscretionaryAcl = oACL
oTarget.Put "ntSecurityDescriptor", oSD
oTarget.SetInfo
If (Err.Number <> 0) Then
    WScript.Echo "Error 0x" & CStr(Hex(Err.Number)) & " Occurred applying modified security descriptor to the object"
    Err.Clear
Else
    WScript.Echo "Done!"
End If
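The same change in PowerShell, as an added example that is not part of this article: it uses the System.DirectoryServices classes instead of ADSI, first checks whether an equivalent ACE (explicit or inherited) already grants the right so that re-running the script does not stack duplicate entries, and honours -WhatIf. The .NET class names and the GUID and SID are real; the parameter name is my own, and the script assumes a domain-joined machine and a caller with write-DACL permission on the object.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # DN of the object whose DACL is modified, e.g. "OU=test,DC=domain,DC=com"
    [Parameter(Mandatory = $true)][string]$DistinguishedName
)

# Values from the article: schemaIDGUID of tokenGroupsGlobalAndUniversal and the
# well-known SID of BUILTIN\Windows Authentication Access Group.
$TggauGuid = [Guid]'46a9b11d-60ae-405a-b7e8-ff8a58d456d2'
$GroupSid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-560'
$ReadProp  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

# Bind to the target and read its security descriptor.
$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
$sec   = $entry.ObjectSecurity

# Check first: is there already an Allow ACE for this SID granting ReadProperty on
# TGGAU, explicit or inherited from a parent container? If so, add nothing.
$present = $sec.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.IdentityReference.Value -eq $GroupSid.Value -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        $_.ObjectType -eq $TggauGuid -and
        (($_.ActiveDirectoryRights -band $ReadProp) -ne 0)
    }

if ($present) {
    Write-Output "ACE already present on $DistinguishedName; no change made."
    return
}

# Same ACE as the VBScript: object-specific Allow, ReadProperty, scoped to the TGGAU
# attribute, inherited by child containers (ActiveDirectorySecurityInheritance::All
# corresponds to ADS_ACEFLAG_INHERIT_ACE without INHERIT_ONLY).
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $GroupSid,
    $ReadProp,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $TggauGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# With -WhatIf the change is reported but not committed.
if ($PSCmdlet.ShouldProcess($DistinguishedName, "Add ReadProperty ACE on TGGAU for $($GroupSid.Value)")) {
    $sec.AddAccessRule($rule)
    $entry.CommitChanges()
    Write-Output "ACE added to $DistinguishedName."
}
```

Run it once with -WhatIf against a test OU to confirm the target DN before committing; the pre-check means a second run reports the ACE as already present rather than adding another copy.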
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
331951 Some applications and APIs require access to authorization information on account objects

Article number: 331947 – Last revised: 12/15/2004 20:38:48 – Revision: 2.1

Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
