Somebody asked me what the ACE access mask is for Open Address List on an address list object in Exchange. I thought this should be a relatively straight forward thing to find but apparently not although most of the other ADSI permission enums are documented and used a fair bit this one seems to be a little neglected. There are some hidden gems in the Exchange SDK but unless you know what you looking at its easy to look straight over them. The SDK gives us a create GAL sample using ADSI . Within this sample the following line gives the accessmask and all the right setting needed to add an “open address list ACE”
AddAce objCopyDACL, szUserGroup + "@" + szDomain, 256, 5, 2, 1, "{A1990816-4298-11D1-ADE2-00C04FD8D5CD}", 0
Unfortunately they haven’t used a constant in this script to tell you what the 256 access mask means but there is an easy way I use to work this out. Which is basically add a unique user to an address list and give it only the “Open address list” right and then use the following little script to output what the ACE entries are for that object. Then all I need to do is look at what access mask gets assigned to the ACE for the unique user I added. The script to do is a simple ACE list example which looks like. This is a modified version of the script from this kb
sUserADsPath = "LDAP://DN-of-Addresslist"
Set objadlist = GetObject(sUserADsPath)
Set oSecurityDescriptor = objadlist.Get("ntSecurityDescriptor")
Set dacl = oSecurityDescriptor.DiscretionaryAcl
Set ace = CreateObject("AccessControlEntry")
wscript.echo "Here are the existing ACEs in the DACL:"
For Each ace In dacl
' Display all the properties of the ACEs using the IADsAccessControlEntry interface.
wscript.echo ace.Trustee & ", " & ace.AccessMask & ", " & ace.AceType & ", " & ace.AceFlags & ", " & ace.Flags & ", " & ace.ObjectType & ", " & ace.InheritedObjectType
Next
wscript.echo "Done viewing descriptor"
So to add a user with the open address list right to a existing address list all you need to do is combine bits from the create GAL sample I mentioned above with the addace and reorder ACE function in the Exchange SDK. The result of such a combination looks something like this. I’ve placed a download copy of the scripts here.
strDNofADdresslist = "LDAP://DN-of-Addresslist"
Set objgal = GetObject(strDNofADdresslist)
Set objSecurityDescriptor = objgal.Get("ntSecurityDescriptor")
iCurrentControl = objSecurityDescriptor.Control
objSecurityDescriptor.Control = iCurrentControl Or SE_DACL_PROTECTED
Set objParentSD = objgal.Get("ntSecurityDescriptor")
Set objParentDACL = objParentSD.DiscretionaryAcl
Set objCopyDACL = objParentDACL.CopyAccessList()
AddAce objCopyDACL, "domain\userID", 256, 5, 2, 1, "{A1990816-4298-11D1-ADE2-00C04FD8D5CD}", 0
Set objNewDACL = ReorderACL(objCopyDACL)
objSecurityDescriptor.DiscretionaryAcl = objNewDACL
objgal.Put "ntSecurityDescriptor", objSecurityDescriptor
objgal.SetInfo
Function AddAce( objDacl, _
szTrusteeName, _
gAccessMask, _
gAceType, _
gAceFlags, _
gFlags, _
gObjectType, _
gInheritedObjectType)
Set Ace1 = CreateObject("AccessControlEntry")
Ace1.AccessMask = gAccessMask
Ace1.AceType = gAceType
Ace1.AceFlags = gAceFlags
Ace1.Flags = gFlags
Ace1.Trustee = szTrusteeName
If CStr(gObjectType) <> "0" Then
Ace1.ObjectType = gObjectType
End If
If CStr(gInheritedObjectType) <> "0" Then
Ace1.InheritedObjectType = gInheritedObjectType
End If
objDacl.AddAce Ace1
Set Ace1 = Nothing
wscript.echo "Ace added"
End Function
Function ReorderACL(objDacl)
' Set Constants.
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACEFLAG_INHERITED_ACE = &H10
Set objSD = CreateObject("SecurityDescriptor")
Set newDACL = CreateObject("AccessControlList")
Set ImpDenyDacl = CreateObject("AccessControlList")
Set ImpDenyObjectDacl = CreateObject("AccessControlList")
Set ImpAllowDacl = CreateObject("AccessControlList")
Set ImpAllowObjectDacl = CreateObject("AccessControlList")
For Each ace In objDacl
Select Case ace.AceType
Case ADS_ACETYPE_ACCESS_DENIED
ImpDenyDacl.AddAce ace
Case ADS_ACETYPE_ACCESS_DENIED_OBJECT
ImpDenyObjectDacl.AddAce ace
Case ADS_ACETYPE_ACCESS_ALLOWED
ImpAllowDacl.AddAce ace
Case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
ImpAllowObjectDacl.AddAce ace
Case Else
wscript.echo "bad ACE"
End Select
Next
' Combine the ACEs in the Proper Order
' Implicit Deny.
For Each ace In ImpDenyDacl
newDACL.AddAce ace
Next
' Implicit Deny Object.
For Each ace In ImpDenyObjectDacl
newDACL.AddAce ace
Next
' Implicit Allow.
For Each ace In ImpAllowDacl
newDACL.AddAce ace
Next
' Implicit Allow Object.
For Each ace In ImpAllowObjectDacl
newDACL.AddAce ace
Next
newDACL.AclRevision = objDacl.AclRevision
Set ReorderACL = newDACL
Set newDACL = Nothing
Set ImpAllowObjectDacl = Nothing
Set ImpAllowDacl = Nothing
Set ImpDenyObjectDacl = Nothing
Set ImpDenyDacl = Nothing
Set objSD = Nothing
wscript.echo "DACL Reordered"
End Function
AddAce objCopyDACL, szUserGroup + "@" + szDomain, 256, 5, 2, 1, "{A1990816-4298-11D1-ADE2-00C04FD8D5CD}", 0
Unfortunately they haven’t used a constant in this script to tell you what the 256 access mask means but there is an easy way I use to work this out. Which is basically add a unique user to an address list and give it only the “Open address list” right and then use the following little script to output what the ACE entries are for that object. Then all I need to do is look at what access mask gets assigned to the ACE for the unique user I added. The script to do is a simple ACE list example which looks like. This is a modified version of the script from this kb
sUserADsPath = "LDAP://DN-of-Addresslist"
Set objadlist = GetObject(sUserADsPath)
Set oSecurityDescriptor = objadlist.Get("ntSecurityDescriptor")
Set dacl = oSecurityDescriptor.DiscretionaryAcl
Set ace = CreateObject("AccessControlEntry")
wscript.echo "Here are the existing ACEs in the DACL:"
For Each ace In dacl
' Display all the properties of the ACEs using the IADsAccessControlEntry interface.
wscript.echo ace.Trustee & ", " & ace.AccessMask & ", " & ace.AceType & ", " & ace.AceFlags & ", " & ace.Flags & ", " & ace.ObjectType & ", " & ace.InheritedObjectType
Next
wscript.echo "Done viewing descriptor"
So to add a user with the open address list right to a existing address list all you need to do is combine bits from the create GAL sample I mentioned above with the addace and reorder ACE function in the Exchange SDK. The result of such a combination looks something like this. I’ve placed a download copy of the scripts here.
strDNofADdresslist = "LDAP://DN-of-Addresslist"
Set objgal = GetObject(strDNofADdresslist)
Set objSecurityDescriptor = objgal.Get("ntSecurityDescriptor")
iCurrentControl = objSecurityDescriptor.Control
objSecurityDescriptor.Control = iCurrentControl Or SE_DACL_PROTECTED
Set objParentSD = objgal.Get("ntSecurityDescriptor")
Set objParentDACL = objParentSD.DiscretionaryAcl
Set objCopyDACL = objParentDACL.CopyAccessList()
AddAce objCopyDACL, "domain\userID", 256, 5, 2, 1, "{A1990816-4298-11D1-ADE2-00C04FD8D5CD}", 0
Set objNewDACL = ReorderACL(objCopyDACL)
objSecurityDescriptor.DiscretionaryAcl = objNewDACL
objgal.Put "ntSecurityDescriptor", objSecurityDescriptor
objgal.SetInfo
Function AddAce( objDacl, _
szTrusteeName, _
gAccessMask, _
gAceType, _
gAceFlags, _
gFlags, _
gObjectType, _
gInheritedObjectType)
Set Ace1 = CreateObject("AccessControlEntry")
Ace1.AccessMask = gAccessMask
Ace1.AceType = gAceType
Ace1.AceFlags = gAceFlags
Ace1.Flags = gFlags
Ace1.Trustee = szTrusteeName
If CStr(gObjectType) <> "0" Then
Ace1.ObjectType = gObjectType
End If
If CStr(gInheritedObjectType) <> "0" Then
Ace1.InheritedObjectType = gInheritedObjectType
End If
objDacl.AddAce Ace1
Set Ace1 = Nothing
wscript.echo "Ace added"
End Function
Function ReorderACL(objDacl)
' Set Constants.
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACEFLAG_INHERITED_ACE = &H10
Set objSD = CreateObject("SecurityDescriptor")
Set newDACL = CreateObject("AccessControlList")
Set ImpDenyDacl = CreateObject("AccessControlList")
Set ImpDenyObjectDacl = CreateObject("AccessControlList")
Set ImpAllowDacl = CreateObject("AccessControlList")
Set ImpAllowObjectDacl = CreateObject("AccessControlList")
For Each ace In objDacl
Select Case ace.AceType
Case ADS_ACETYPE_ACCESS_DENIED
ImpDenyDacl.AddAce ace
Case ADS_ACETYPE_ACCESS_DENIED_OBJECT
ImpDenyObjectDacl.AddAce ace
Case ADS_ACETYPE_ACCESS_ALLOWED
ImpAllowDacl.AddAce ace
Case ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
ImpAllowObjectDacl.AddAce ace
Case Else
wscript.echo "bad ACE"
End Select
Next
' Combine the ACEs in the Proper Order
' Implicit Deny.
For Each ace In ImpDenyDacl
newDACL.AddAce ace
Next
' Implicit Deny Object.
For Each ace In ImpDenyObjectDacl
newDACL.AddAce ace
Next
' Implicit Allow.
For Each ace In ImpAllowDacl
newDACL.AddAce ace
Next
' Implicit Allow Object.
For Each ace In ImpAllowObjectDacl
newDACL.AddAce ace
Next
newDACL.AclRevision = objDacl.AclRevision
Set ReorderACL = newDACL
Set newDACL = Nothing
Set ImpAllowObjectDacl = Nothing
Set ImpAllowDacl = Nothing
Set ImpDenyObjectDacl = Nothing
Set ImpDenyDacl = Nothing
Set objSD = Nothing
wscript.echo "DACL Reordered"
End Function