Tuesday, September 13, 2011

Saving and restoring ACL's on OU's

Saving and moving OU ACLs

I’ve written a batch file that will move ACLs from one OU to another. It works by you outputting the results of a ACL from a OU to a text file, specifying the new OU in a batch file and inputting the text file you just created. I use three utilities to accomplish this: adfind.exe, sed.exe and dsacls.exe.
The command to save the text file is:

adfind -b "OU=Users,OU=LAB,DC=LAB,DC=CORP" -f (distinguishedName=OU=Users,OU=LAB,DC=LAB,DC=corp) -sddl++ -resolvesids -onlydacl ntsecuritydescriptor -sddlnotfilter ;inherited| sed.exe "s/;;/; ;/g" | sed.exe "s/;;/; ;/g" | sed.exe "s/;;/; ;/g" | sed.exe "s/;;/; ;/g" > %PATHTOFILE%.txt


From here, you need to delete the header in the text file and the footer.
Once that is done, run this script, changing the two variables at the top:


:RESTORE-OU-ACL.CMD
:Restore OU Properties
SET TARGETOU=OU=Users Accounts,OU=AD Project 3,DC=LAB,DC=CORP
SET TARGETFILE="New Text Document (5).txt"

@ECHO OFF

SETLOCAL ENABLEDELAYEDEXPANSION
for /F "tokens=1-6 delims=;" %%A IN ('type %TARGETFILE%') DO (
SET PROP=
SET INHERIT=0
IF "%%C" EQU " " SET PROP=GA
ECHO CALL :PROPERTYACL %%C
CALL :PROPERTYACL %%C

ECHO CALL :INHERITANCE %%B
CALL :INHERITANCE %%B

SET PROPERTY=
IF /I "%%D" NEQ " " SET PROPERTY=%%D
ECHO PROPERTY=!PROPERTY!
SET TARGET=
IF /I "%%E" NEQ " " SET TARGET=%%E
ECHO TARGET=!TARGET!
ECHO dsacls "%TARGETOU%" !INHERIT! /G "%%F:!PROP!;!PROPERTY!;!TARGET!"
dsacls "%TARGETOU%" !INHERIT! /G "%%F:!PROP!;!PROPERTY!;!TARGET!"

)
GOTO:EOF

:INHERITANCE
REM We need to figure out what ACLS we're dealing with...
FOR /F "tokens=*" %%Z IN ('ECHO %*') DO (
IF '!INHERIT!' EQU '/I:S' GOTO:EOF
ECHO %%Z | FINDSTR /I /C:"[CONT INHERIT]"
IF '!ERRORLEVEL!' EQU '0' SET INHERIT=/I:T
ECHO %%Z | FINDSTR /I /C:"[CONT INHERIT][INHERIT ONLY]"
IF '!ERRORLEVEL!' EQU '0' SET INHERIT=/I:S
ECHO %%Z | FINDSTR /I /C:"INHERIT"
IF '!ERRORLEVEL!' EQU '1' SET INHERIT=/I:P
ECHO INHERIT=!INHERIT!
)
GOTO:EOF

:PROPERTYACL
REM We need to figure out what ACLS we're dealing with...
FOR /F "tokens=*" %%Z IN ('ECHO %*') DO (
ECHO %%Z | FINDSTR /I /C:"WRT PROP"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!WP
ECHO %%Z | FINDSTR /I /C:"READ PROP"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!RP
ECHO %%Z | FINDSTR /I /C:"CTL"
IF '!ERRORLEVEL!' EQU '0' SET PROP=CA
ECHO %%Z | FINDSTR /I /C:"[CR CHILD]"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!CC
ECHO %%Z | FINDSTR /I /C:"[DEL CHILD]"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!DC
ECHO %%Z | FINDSTR /I /C:"[LIST CHILDREN]"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!LC
ECHO %%Z | FINDSTR /I /C:"[LIST OBJECT]"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!LO
ECHO %%Z | FINDSTR /I /C:"[READ]"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!GR
ECHO %%Z | FINDSTR /I /C:"[FC]"
IF '!ERRORLEVEL!' EQU '0' SET PROP=!PROP!GA

ECHO PROP=!PROP!
)
GOTO:EOF

:/I:P = This Object Only *BLANK*
:/I:S = Child Objects Only [CONT INERIT][INHERIT ONLY]
:/I:T = This object and all child objects [CONT INERIT]
:Blank inheritance = /I:P
:When "Properties" are set, it should be /I:S
:When there are no properties listed at all ACL should be GA

No comments: