Prohibit permission propagation to AD

DESCRIPTION

This script policy sample demonstrates how to prohibit permission propagation (aka "Sync permission to Active Roles") for Access Template links.

This policy should be applied to the AT Links container (CN=AT Links,CN=Configuration).

Note: This code may use functions from the Active Roles Script Policy Best Practices. Please follow the link to obtain instructions and code for those functions.


SCRIPT

'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT ONE IDENTITY PROFESSIONAL SERVICES.
'*********************************************************************************

Option Explicit

'***********************************************************************************
'** CUSTOMIZABLE SETTINGS
'***********************************************************************************

Const strScriptName = "Permission Propagation Policy"
Const strErrorMessage = "Permission propagation to AD is prohibited!"
' Object class of Access Template links (AT links) in the Active Roles configuration
Const strInterestingClass = "edsACE"

'***********************************************************************************
'** SUBROUTINES
'***********************************************************************************

'===========================================================================
' IsAttributeModified checks whether the attribute is modified by the request
'===========================================================================
Function IsAttributeModified(Request, strAttribute)
    Dim objEntry, nControlCode, boolResult

    Set objEntry = Request.GetPropertyItem(strAttribute, ADSTYPE_CASE_IGNORE_STRING)

    boolResult = False
    If Not (objEntry Is Nothing) Then
        nControlCode = objEntry.ControlCode
        Select Case nControlCode
            Case ADS_PROPERTY_CLEAR, ADS_PROPERTY_UPDATE, ADS_PROPERTY_APPEND
                boolResult = True
        End Select
    End If

    IsAttributeModified = boolResult
End Function ' IsAttributeModified

'===========================================================================
' GetAttributeDirObj gets the attribute value from the request object.
' If the request doesn't carry a value, gets it from DirObj
' (the object as it currently exists in the directory)
'===========================================================================
Function GetAttributeDirObj(objObject, strAttribute)
    Dim Value

    On Error Resume Next
    Value = objObject.Get(strAttribute)
    On Error GoTo 0

    If IsEmpty(Value) Then
        On Error Resume Next
        Value = DirObj.Get(strAttribute)
        On Error GoTo 0
    End If

    GetAttributeDirObj = Value
End Function ' GetAttributeDirObj

'===========================================================================
' IsOperationAllowed checks whether propagation is allowed.
' It returns TRUE if allowed, and returns FALSE if not
'===========================================================================
Function IsOperationAllowed(Request)
    IsOperationAllowed = True ' allowed by default

    ' If none of the attributes that define the AT link is being changed,
    ' the request cannot start a propagation: nothing to check
    If Not (IsAttributeModified(Request, "edsaAccessTemplateGUID") Or _
            IsAttributeModified(Request, "edsaSecObjectGUID") Or _
            IsAttributeModified(Request, "edsaTrusteeSID") Or _
            IsAttributeModified(Request, "edsaIsSynchronizedWithAD")) Then Exit Function

    Dim guidAccessTemplate, guidSecurableObject, sidTrustee, nSyncronized

    ' get values from request or DirObj
    guidAccessTemplate = GetAttributeDirObj(Request, "edsaAccessTemplateGUID")
    guidSecurableObject = GetAttributeDirObj(Request, "edsaSecObjectGUID")
    sidTrustee = GetAttributeDirObj(Request, "edsaTrusteeSID")
    nSyncronized = GetAttributeDirObj(Request, "edsaIsSynchronizedWithAD")

    Dim objOctetString
    Set objOctetString = CreateObject("AelitaEDM.EDMOctetString")

    Dim strAccessTemplateGUID, strSecurableObjectGUID, strTrusteeSID, boolSyncronized

    ' convert binary values to strings
    objOctetString.Set(guidAccessTemplate)
    strAccessTemplateGUID = objOctetString.GetGuidString()
    objOctetString.Set(guidSecurableObject)
    strSecurableObjectGUID = objOctetString.GetGuidString()
    objOctetString.Set(sidTrustee)
    strTrusteeSID = objOctetString.GetSidString()

    ' convert numeric value to boolean
    boolSyncronized = (nSyncronized > 0)

    Dim objAccessTemplate, objSecurableObject, objTrustee

    ' bind to objects by their GUIDs & SIDs (available for custom conditions below)
    Set objAccessTemplate = GetObject("EDMS://<GUID=" & strAccessTemplateGUID & ">")
    Set objSecurableObject = GetObject("EDMS://<GUID=" & strSecurableObjectGUID & ">")
    ' !!! BE AWARE OF WELL-KNOWN SIDS: a SID that cannot be bound raises a runtime error here
    Set objTrustee = GetObject("EDMS://<SID=" & strTrusteeSID & ">")

    '--------------------------
    ' Change the following code to fit your conditions.
    ' The current code always prohibits permission propagation to AD
    If boolSyncronized Then IsOperationAllowed = False
End Function ' IsOperationAllowed

'***************************************************************************
' EVENT HANDLERS
'***************************************************************************

'===========================================================================
' onPreCreate
'===========================================================================
Sub onPreCreate(Request)
    ' skip all classes but AT links (edsACE)
    If LCase(Request.Class) <> LCase(strInterestingClass) Then Exit Sub

    ' skip allowed propagation
    If IsOperationAllowed(Request) Then Exit Sub

    Call Err.Raise(1, strScriptName, strErrorMessage)
End Sub

'===========================================================================
' onPreModify
'===========================================================================
Sub onPreModify(Request)
    ' skip all classes but AT links (edsACE)
    If LCase(Request.Class) <> LCase(strInterestingClass) Then Exit Sub

    ' skip allowed propagation
    If IsOperationAllowed(Request) Then Exit Sub

    Call Err.Raise(1, strScriptName, strErrorMessage)
End Sub

'===========================================================================
' onCheckPropertyValues
'===========================================================================
Sub onCheckPropertyValues(Request)
    ' skip all classes but AT links (edsACE)
    If LCase(Request.Class) <> LCase(strInterestingClass) Then Exit Sub

    ' skip allowed propagation
    If IsOperationAllowed(Request) Then Exit Sub

    Call Request.SetPolicyComplianceInfo("cn", EDS_POLICY_COMPLIANCE_ERROR, strErrorMessage)
End Sub

'***** END OF CODE ***************************************************************
