DESCRIPTION
This script policy sample demonstrates how to prohibit native AD security editing on ARS clients such as the MMC Console and the Web Interface.
Note: This script does not actually prohibit native security editing; it only disables the feature on ARS clients. The script filters the string "nTSecurityDescriptor" out of the allowedAttributesEffective attribute.
Note: This code may use functions from the Active Roles Script Policy Best Practices. Please follow the link to obtain instructions and code for those functions.
SCRIPT
'*********************************************************************************
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
' EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
' WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
'
' IF YOU WANT THIS FUNCTIONALITY TO BE CONDITIONALLY SUPPORTED,
' PLEASE CONTACT ONE IDENTITY PROFESSIONAL SERVICES.
'*********************************************************************************
Option Explicit
'===========================================================================
' onPostGet
'===========================================================================
Sub onPostGet(Request)
    Dim strAllowed, arrAllowed, arrAllowed2

    '-- exit, if allowedAttributesEffective attribute not requested
    If (Not Request.IsAttributeRequested("allowedAttributesEffective")) Then Exit Sub

    '-- get allowed attribute list
    On Error Resume Next
    arrAllowed = Request.GetEx("allowedAttributesEffective")
    On Error GoTo 0

    '-- exit, if the list could not be read (For Each fails on a non-array value)
    If (Not IsArray(arrAllowed)) Then Exit Sub

    '-- make new allowed attribute list
    arrAllowed2 = Array()
    For Each strAllowed In arrAllowed
        '-- filter disallowed attributes (case-insensitive comparison)
        If (LCase(strAllowed) <> LCase("nTSecurityDescriptor")) Then
            '-- add allowed attribute to new list
            ReDim Preserve arrAllowed2(UBound(arrAllowed2)+1)
            arrAllowed2(UBound(arrAllowed2)) = strAllowed
        End If
    Next

    '-- put new allowed attribute list
    Call Request.Put("allowedAttributesEffective", arrAllowed2)
End Sub
'***** END OF CODE ***************************************************************