DESCRIPTION
This script policy sample demonstrates how to prevent editing of native AD security on ARS clients such as the MMC Console and the Web Interface.
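Note: This script does not actually prohibit native security editing; it only disables the feature on ARS clients. It does so by filtering the string "nTSecurityDescriptor" out of the allowedAttributesEffective attribute. Because only the value returned to the client is changed, the permissions on the directory objects themselves are unaffected, so this filter should not be treated as an access control.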
Note: This code may use functions from the ARS Script Policy Best Practices. Please follow the link to obtain instructions and code for those functions.
SCRIPT
'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT QUEST PROFESSIONAL SERVICES.
'*********************************************************************************
'
' This code is published on the ActiveRoles Script Center:
' http://communities.quest.com/docs/DOC-9991
'
' This code may use functions from the ARS Script Policy Best Practices:
' http://communities.quest.com/docs/DOC-10016
'
' Please, follow the link to obtain instructions and code for those functions.
'*********************************************************************************
Option Explicit
'===========================================================================
' onPostGet
'===========================================================================
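Sub onPostGet(Request)
    ' Post-get policy handler: removes "nTSecurityDescriptor" from the
    ' allowedAttributesEffective value of the request before it is returned.
    '
    ' Request - the policy request object; this handler uses its
    '           IsAttributeRequested, GetEx and Put methods.
    '
    ' NOTE: this only rewrites the attribute list reported to the client.
    ' It does not change any permissions on the directory object, so it is a
    ' client-side restriction and not an access control.
    Const HIDDEN_ATTRIBUTE = "nTSecurityDescriptor"
    Dim strAllowed, arrAllowed, arrAllowed2, strHidden

    '-- exit, if allowedAttributesEffective attribute not requested
    If (Not Request.IsAttributeRequested("allowedAttributesEffective")) Then Exit Sub

    '-- get allowed attribute list; errors from GetEx are suppressed on purpose
    On Error Resume Next
    arrAllowed = Request.GetEx("allowedAttributesEffective")
    On Error GoTo 0

    '-- If GetEx failed, arrAllowed is still Empty and For Each over it would
    '-- raise a runtime error, so stop here instead. Nothing is filtered in
    '-- this case.
    '-- NOTE(review): confirm that a failed read means the value is absent
    '-- from the result returned to the client.
    If (Not IsArray(arrAllowed)) Then Exit Sub

    '-- lower-case the name once; the comparison below is case-insensitive
    strHidden = LCase(HIDDEN_ATTRIBUTE)

    '-- make new allowed attribute list
    arrAllowed2 = Array()
    For Each strAllowed In arrAllowed
        '-- filter disallowed attributes
        If (LCase(strAllowed) <> strHidden) Then
            '-- add allowed attribute to new list
            ReDim Preserve arrAllowed2(UBound(arrAllowed2) + 1)
            arrAllowed2(UBound(arrAllowed2)) = strAllowed
        End If
    Next

    '-- put new allowed attribute list
    Call Request.Put("allowedAttributesEffective", arrAllowed2)
End Sub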
'***** END OF CODE ***************************************************************
COMPATIBILITY
Script compatible with the following version(s): <Not specified>